How to access the (CloudFront) S3 objects without pre-signed URL

0

Hello,

I am implementing CloudFront in our environment to reduce data transfer cost. After implementation my S3 objects are not accessible. When I select an object and enable a pre-signed URL, then I am able to access it. But the scenario is, there are "N" number of objects (e.g. 5k, 10k etc.). I can't select each object and enable pre-signed URLs and make my objects accessible. Also, pre-signed URLs have a time limit. It's not suitable for our environment.

My concern is, I need to implement CloudFront and reduce the data transfer cost, at the same time all the S3 objects should be accessible anytime without any restrictions. Please advise.

Thanks, Ragav

3 Answers
0

You need to set up origin access control (OAC). This will allow the S3 bucket to be accessed by your CloudFront distribution.

Please follow this guide.

AWS
EXPERT
answered a month ago
EXPERT
Steve_M
reviewed a month ago
0
AWS
EXPERT
answered a month ago
0

When using Amazon S3 origins with CloudFront, you can use CloudFront Origin Access Control (OAC) to secure Amazon S3 bucket access. When setting up OAC, CloudFront will provide an IAM policy that can be used in your Amazon S3 bucket policy. The bucket policy creates a service principal that allows your CloudFront distribution to authenticate with Amazon S3. By allowing the CloudFront service principal an s3:GetObject action in the bucket policy, Amazon S3 allows the CloudFront distribution to access the content [1].

[+] Restricting access to an Amazon Simple Storage Service origin - https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-restricting-access-to-s3.html

Once the S3 permissions are given to the CloudFront service principal in your Amazon S3 bucket policy, to access your S3 objects through CloudFront, combine the domain name for your CloudFront distribution with the S3 object key name [2]. For example, your distribution domain name might look like this "d111111abcdef8.cloudfront.net" and the path to the S3 object could be "/examplefolder/dummy_file.txt".

Therefore, the URL to access your content through CloudFront might look like this: https://d111111abcdef8.cloudfront.net/examplefolder/dummy_file.txt. For more information on serving HTTPS requests for your S3 bucket, refer to AWS guide [3]. In this way, you are not required to create S3 presigned URLs for each object individually and the objects are also private in nature (i.e. objects cannot be accessed directly using the Object URL publicly without authentication).

I am adding an AWS guide here for your reference on restricting access to an Amazon S3 bucket using CloudFront distribution:

https://repost.aws/knowledge-center/cloudfront-access-to-amazon-s3

==== References ====

[1]: https://docs.aws.amazon.com/whitepapers/latest/secure-content-delivery-amazon-cloudfront/s3-origin-with-cloudfront.html

[2]: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/GettingStartedAccessingDistributions.html

[3]: https://repost.aws/knowledge-center/cloudfront-https-requests-s3

EXPERT
answered a month ago
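The bucket policy described in the answer above, as an added example that is not part of the original answers and is not AWS's own code: it builds the OAC statement (CloudFront service principal, s3:GetObject, pinned to one distribution with AWS:SourceArn) and audits a policy for Allow statements that would bypass that restriction. The function names are hypothetical, and the bucket name, account ID and distribution ID are placeholders.

```python
import json

SERVICE = "cloudfront.amazonaws.com"

def distribution_arn(account_id, distribution_id):
    return f"arn:aws:cloudfront::{account_id}:distribution/{distribution_id}"

def oac_bucket_policy(bucket, account_id, distribution_id):
    """Bucket policy letting exactly one CloudFront distribution read objects."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowCloudFrontServicePrincipalReadOnly",
            "Effect": "Allow",
            "Principal": {"Service": SERVICE},
            "Action": "s3:GetObject",
            "Resource": f"arn:aws:s3:::{bucket}/*",
            "Condition": {"StringEquals": {
                "AWS:SourceArn": distribution_arn(account_id, distribution_id)}},
        }],
    }

def as_list(value):
    return value if isinstance(value, list) else [value]

def audit(policy, dist_arn):
    """Return findings for Allow statements not scoped to the given distribution."""
    findings = []
    for i, st in enumerate(as_list(policy.get("Statement", []))):
        if st.get("Effect") != "Allow":
            continue
        sid = st.get("Sid", f"Statement[{i}]")
        principal = st.get("Principal")
        fields = principal if isinstance(principal, dict) else {}
        if principal == "*" or "*" in as_list(fields.get("AWS", [])):
            findings.append(f"{sid}: wildcard principal, review for access that bypasses CloudFront")
        elif SERVICE in as_list(fields.get("Service", [])):
            cond = st.get("Condition", {}).get("StringEquals", {})
            # IAM condition key names are case-insensitive.
            pinned = [v for k, val in cond.items()
                      if k.lower() == "aws:sourcearn" for v in as_list(val)]
            if pinned != [dist_arn]:
                findings.append(f"{sid}: CloudFront principal not pinned to {dist_arn}")
    return findings

if __name__ == "__main__":
    # Placeholder identifiers, constructed for this example.
    policy = oac_bucket_policy("example-bucket", "111122223333", "EDFDVBD6EXAMPLE")
    print(json.dumps(policy, indent=2))
    print(audit(policy, distribution_arn("111122223333", "EDFDVBD6EXAMPLE")))
```

Run the audit against the policy actually attached to the bucket (for instance the JSON shown on the bucket's Permissions tab) before removing any older public-read statement, so that CloudFront access is in place first.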
