How do I use my CloudFront distribution to restrict access to an Amazon S3 bucket?

I want to restrict access to my Amazon Simple Storage Service (Amazon S3) bucket so that users access objects only through my Amazon CloudFront distribution.

Resolution

Important: Before you begin, be sure that the Amazon S3 origin of your CloudFront distribution is configured as a REST API endpoint, for example AWSDOC-EXAMPLE-BUCKET.s3.amazonaws.com. This resolution doesn't apply to S3 origins that are configured as a website endpoint, for example AWSDOC-EXAMPLE-BUCKET.s3-website-us-east-1.amazonaws.com. For more information, see How do I use CloudFront to serve a static website that's hosted on Amazon S3?

Option 1 (Best practice): Create a CloudFront OAC

To create a CloudFront origin access control (OAC), complete the following steps:

  1. Open the CloudFront console.
  2. From the list of distributions, choose the distribution that serves content from the S3 bucket that you want to restrict access to.
  3. Choose the Origins tab.
  4. Select the S3 origin, and then choose Edit.
  5. For Origin Access, select Origin access control settings (recommended).
  6. For Origin access control, select an existing OAC, or choose the Create Control setting.
  7. In the dialog box, name your control setting. It's a best practice to keep the default setting as Sign requests (recommended).
  8. Choose Create.
  9. For S3 bucket Access, choose Copy policy, and then choose Save to apply the bucket policy on the S3 bucket.
  10. Choose Go to S3 bucket permissions to take you to the S3 bucket console.
  11. Choose Save Changes.
  12. In the Amazon S3 console, from your list of buckets, select the bucket that's the origin of the CloudFront distribution.
  13. Choose the Permissions tab.
  14. Under Bucket Policy, confirm that you see a statement similar to the following one:
{
    "Version": "2012-10-17",
    "Statement": {
        "Sid": "AllowCloudFrontServicePrincipalReadOnly",
        "Effect": "Allow",
        "Principal": {
            "Service": "cloudfront.amazonaws.com"
        },
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*",
        "Condition": {
            "StringEquals": {
                "AWS:SourceArn": "arn:aws:cloudfront::111122223333:distribution/EDFDVBD6EXAMPLE"
            }
        }
    }
}

To allow the CloudFront OAC to read objects from your bucket, you must add the preceding statement.

Note: After you restrict access to your bucket, you can integrate AWS WAF for another layer of security.

Option 2: Create a legacy CloudFront OAI

To create a legacy CloudFront origin access identity (OAI), complete the following steps:

  1. Open the CloudFront console.
  2. From the list of distributions, choose the distribution that serves content from the S3 bucket that you want to restrict access to.
  3. Choose the Origins tab.
  4. Select the S3 origin, and then choose Edit.
  5. For Origin Access, choose Legacy access identities.
  6. In the Origin access identity dropdown list, select the origin access identity name. Or, choose Create new OAI.
  7. In the dialog box, name your new origin access identity, and then choose Create.
  8. For Bucket policy, select Yes, update the bucket policy.
  9. Choose Save Changes.
  10. In the Amazon S3 console, from your list of buckets, choose the bucket that's the origin of the CloudFront distribution.
  11. Choose the Permissions tab.
  12. Under Bucket Policy, confirm that you see a statement similar to the following one:
{
    "Sid": "1",
    "Effect": "Allow",
    "Principal": {
        "AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity EAF5XXXXXXXXX"
    },
    "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::AWSDOC-EXAMPLE-BUCKET/*"
}

Note: Review your bucket policy for any statements with "Effect": "Deny" that prevent access to the bucket from the CloudFront OAI. Modify those statements so that the CloudFront OAI can access objects in the bucket.

Also, review your bucket policy for any statements with "Effect": "Allow" that allow access to the bucket from any source that's not the CloudFront OAI. Modify those statements for your use case.
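
The review described in the two preceding notes can be scripted against an exported bucket policy. The following is an added example, not AWS code or part of the original article: it flags Allow statements whose principal is not limited to CloudFront and Deny statements that cover s3:GetObject. The function names, finding labels, and the PublicRead and DenyOutsideOffice sample statements are constructed for illustration, and it assumes the OAI principal keeps the ARN form shown above.

```python
from fnmatch import fnmatchcase

# Principal prefix as it appears in the OAI statement on this page.
OAI_PREFIX = "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity "

def as_list(value):  # policy fields may hold one value or a list
    return value if isinstance(value, list) else [value]

def is_cloudfront_only(stmt, distribution_arn):
    """True for an OAI, or the CloudFront service pinned to this distribution via StringEquals."""
    principal = stmt.get("Principal")
    if not isinstance(principal, dict):
        return False  # "*" or a missing principal is not limited to CloudFront
    if set(principal) == {"Service"} and as_list(principal["Service"]) == ["cloudfront.amazonaws.com"]:
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        pinned = {k.lower(): v for k, v in cond.items()}.get("aws:sourcearn")
        return as_list(pinned) == [distribution_arn]
    if set(principal) == {"AWS"}:
        return all(a.startswith(OAI_PREFIX) for a in as_list(principal["AWS"]))
    return False

def covers_get_object(stmt):
    """True if Action (wildcards included) matches s3:GetObject; NotAction counts as a match."""
    return any(fnmatchcase("s3:getobject", a.lower()) for a in as_list(stmt.get("Action", "*")))

def audit_bucket_policy(policy, distribution_arn):
    """Return (sid, finding) pairs for the statements the page's notes say to review."""
    findings = []
    for i, stmt in enumerate(as_list(policy.get("Statement", []))):
        sid = stmt.get("Sid", f"statement[{i}]")
        if stmt.get("Effect") == "Allow" and not is_cloudfront_only(stmt, distribution_arn):
            findings.append((sid, "allow-non-cloudfront"))
        elif stmt.get("Effect") == "Deny" and covers_get_object(stmt):
            findings.append((sid, "deny-may-block-cloudfront"))
    return findings

# Constructed sample: the OAC statement from this page plus two statements to flag.
DIST = "arn:aws:cloudfront::111122223333:distribution/EDFDVBD6EXAMPLE"
RES = "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*"
SAMPLE = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AllowCloudFrontServicePrincipalReadOnly", "Effect": "Allow",
     "Principal": {"Service": "cloudfront.amazonaws.com"}, "Action": "s3:GetObject",
     "Resource": RES, "Condition": {"StringEquals": {"AWS:SourceArn": DIST}}},
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject", "Resource": RES},
    {"Sid": "DenyOutsideOffice", "Effect": "Deny", "Principal": "*", "Action": "s3:*",
     "Resource": RES, "Condition": {"NotIpAddress": {"aws:SourceIp": "203.0.113.0/24"}}}]}

if __name__ == "__main__":
    print(audit_bucket_policy(SAMPLE, DIST))
```

A flagged Deny statement is a prompt for manual review, because the script does not evaluate whether its conditions actually exclude CloudFront.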

Related information

Creating a distribution

Identity and access management in Amazon S3

AWS OFFICIAL
Updated a month ago
2 Comments

If the S3 bucket is configured as a static website you can't use OAC or OAI. How can you restrict access to only CloudFront in this case?

replied 3 months ago

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

AWS
MODERATOR
replied 3 months ago