I want to restrict access to my Amazon Simple Storage Service (Amazon S3) bucket so that users access objects only through my Amazon CloudFront distribution.
Resolution
To restrict access to an S3 bucket, you create an origin access control (OAC), or create a legacy origin access identity (OAI). Either way, the bucket policy grants s3:GetObject only to that CloudFront principal, so requests that bypass the distribution and go to the bucket directly are denied. It's a best practice to create an OAC instead of the legacy OAI: an OAC signs origin requests with SigV4, works in all AWS Regions, and supports objects encrypted with SSE-KMS, which an OAI doesn't.
Important: Before you begin, confirm that you configured the Amazon S3 origin of your CloudFront distribution as a REST API endpoint, such as AWSDOC-EXAMPLE-BUCKET.s3.amazonaws.com. This resolution doesn't apply to Amazon S3 origins that you configured as a website endpoint, such as AWSDOC-EXAMPLE-BUCKET.s3-website-us-east-1.amazonaws.com. For more information, see How do I use CloudFront to serve a static website that's hosted on Amazon S3?
Create a CloudFront OAC
Complete the following steps:
- Open the CloudFront console.
- In the navigation pane, choose Distributions, and then choose the distribution that serves content from the S3 bucket that you want to restrict access to.
- Choose the Origins tab.
- Select the Amazon S3 origin, and then choose Edit.
- For Origin access, select Origin access control settings (recommended).
- For Origin access control, select an existing OAC. Or, choose Create new OAC.
- In the dialog box, enter a name for your control setting. It's a best practice to keep the default setting as Sign requests (recommended), so that CloudFront signs every origin request with SigV4 and Amazon S3 can verify that the request came from your distribution.
- Choose Create.
- For S3 bucket access, choose Copy policy.
- Choose Save changes.
- Open the Amazon S3 console.
- In the navigation pane, choose General purpose buckets, and then select the bucket that's the origin of the CloudFront distribution.
- Choose the Permissions tab.
- Under Bucket policy, confirm that you see a statement similar to the following example:
{
    "Version": "2012-10-17",
    "Statement": {
        "Sid": "AllowCloudFrontServicePrincipalReadOnly",
        "Effect": "Allow",
        "Principal": {
            "Service": "cloudfront.amazonaws.com"
        },
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*",
        "Condition": {
            "StringEquals": {
                "AWS:SourceArn": "arn:aws:cloudfront::111122223333:distribution/EDFDVBD6EXAMPLE"
            }
        }
    }
}
Note: Replace DOC-EXAMPLE-BUCKET with your bucket name and arn:aws:cloudfront::111122223333:distribution/EDFDVBD6EXAMPLE with your CloudFront distribution Amazon Resource Name (ARN). The AWS:SourceArn condition is what ties the grant to your distribution; without it, a distribution in any AWS account could use your bucket as its origin. To allow the CloudFront OAC to read objects from your bucket, you must add the preceding statement to your bucket policy. Also review the rest of the policy: remove or scope down any "Effect": "Allow" statement that grants access from a source other than CloudFront (for example, a public-read statement left over from an earlier setup), and check that no "Effect": "Deny" statement matches the cloudfront.amazonaws.com service principal. If your objects are encrypted with SSE-KMS, the KMS key policy must also allow the cloudfront.amazonaws.com service principal to call kms:Decrypt, with the same AWS:SourceArn condition. After you restrict access to your bucket, you can integrate AWS WAF for another layer of security.
Create a legacy CloudFront OAI
Complete the following steps:
- Open the CloudFront console.
- In the navigation pane, choose Distributions, and then choose the distribution that serves content from the S3 bucket that you want to restrict access to.
- Choose the Origins tab.
- Select the Amazon S3 origin, and then choose Edit.
- For Origin access, choose Legacy access identities.
- In the Origin access identity dropdown list, select the OAI name. Or, choose Create new OAI.
- In the dialog box, enter a name for your new OAI, and then choose Create.
- For Bucket policy, select Yes, update the bucket policy.
- Choose Save changes.
- Open the Amazon S3 console.
- In the navigation pane, choose General purpose buckets, and then select the bucket that's the origin of the CloudFront distribution.
- Choose the Permissions tab.
- Under Bucket Policy, confirm that you see a statement similar to the following example:
{
    "Sid": "1",
    "Effect": "Allow",
    "Principal": {
        "AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity EAF5XXXXXXXXX"
    },
    "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::AWSDOC-EXAMPLE-BUCKET/*"
}
Note: Replace EAF5XXXXXXXXX in arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity EAF5XXXXXXXXX with the ID of your OAI (not the distribution ARN; a legacy OAI is identified by its own ID), and AWSDOC-EXAMPLE-BUCKET with your bucket name. Review your bucket policy for statements with "Effect": "Deny" that block access to the bucket from the CloudFront OAI. Remove those statements, or add a condition that exempts the OAI principal, so that the CloudFront OAI can access objects in the bucket. Also, review your bucket policy for statements with "Effect": "Allow" that allow access to the bucket from any source that's not the CloudFront OAI. Modify those statements for your use case.
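As an added example (not part of this article and not AWS tooling), the following Python builds the OAC bucket policy from a bucket name and distribution ARN, and audits an existing bucket policy for the conditions both the OAC and the OAI procedures tell you to check: the CloudFront grant is present, an OAC grant is pinned to one distribution with AWS:SourceArn, no other Allow reaches the bucket, and no Deny catches CloudFront. The bucket, account and distribution identifiers are the article's placeholders, and the sample policies are constructed here.

```python
"""Build the OAC bucket policy from the article and audit a bucket policy for the
problems the article tells you to review. Added example, not AWS's own tooling;
bucket, account and distribution identifiers are the article's placeholders."""
import json

CLOUDFRONT_SERVICE = "cloudfront.amazonaws.com"
# A legacy OAI is an IAM-style user principal under the special "cloudfront" account.
OAI_PREFIX = "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity "


def oac_bucket_policy(bucket: str, distribution_arn: str) -> dict:
    """The statement the console's 'Copy policy' button produces: read-only for the
    CloudFront service principal, pinned to one distribution via AWS:SourceArn so a
    distribution in someone else's account cannot use this bucket as an origin."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowCloudFrontServicePrincipalReadOnly",
            "Effect": "Allow",
            "Principal": {"Service": CLOUDFRONT_SERVICE},
            "Action": "s3:GetObject",
            "Resource": f"arn:aws:s3:::{bucket}/*",
            "Condition": {"StringEquals": {"AWS:SourceArn": distribution_arn}},
        }],
    }


def _as_list(value):
    """Statement, Action, Resource and Principal values may be a string or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_kinds(principal) -> set:
    """Classify a Principal as 'cloudfront' (OAC service principal or legacy OAI),
    'public' ('*' anywhere) or 'other' (anything else, such as an IAM role)."""
    if principal == "*":
        return {"public"}
    if not isinstance(principal, dict):
        return {"other"}
    kinds = set()
    for key, values in principal.items():
        for v in _as_list(values):
            if v == "*":
                kinds.add("public")
            elif (key == "Service" and v == CLOUDFRONT_SERVICE) or (key == "AWS" and v.startswith(OAI_PREFIX)):
                kinds.add("cloudfront")
            else:
                kinds.add("other")
    return kinds


def _has_source_arn_condition(stmt: dict) -> bool:
    """IAM condition keys are case-insensitive, so compare lower-cased."""
    string_equals = (stmt.get("Condition") or {}).get("StringEquals") or {}
    return any(k.lower() == "aws:sourcearn" for k in string_equals)


def audit_bucket_policy(policy: dict, bucket: str) -> list:
    """Findings for a bucket meant to be readable only through CloudFront. Handles the
    single-object Statement form the article shows as well as the list form."""
    findings = []
    bucket_arns = {f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"}
    cloudfront_grant = False
    for stmt in _as_list(policy.get("Statement")):
        sid = stmt.get("Sid", "<no Sid>")
        if not any(r in bucket_arns or r == "*" for r in _as_list(stmt.get("Resource"))):
            continue  # statement is about some other resource
        kinds = _principal_kinds(stmt.get("Principal"))
        actions = _as_list(stmt.get("Action"))
        reads = any(a in ("s3:GetObject", "s3:Get*", "s3:*", "*") for a in actions)
        if stmt.get("Effect") == "Allow":
            if "cloudfront" in kinds and reads:
                cloudfront_grant = True
                if "Service" in stmt["Principal"] and not _has_source_arn_condition(stmt):
                    findings.append(f"{sid}: OAC grant lacks AWS:SourceArn; any distribution could read this bucket")
            if "public" in kinds:
                findings.append(f"{sid}: allows public access for {actions}")
            if "other" in kinds:
                findings.append(f"{sid}: allows a principal other than CloudFront; confirm it is intended")
        elif stmt.get("Effect") == "Deny" and ("cloudfront" in kinds or "public" in kinds):
            if stmt.get("Condition"):
                findings.append(f"{sid}: conditional Deny also matches CloudFront; make sure the condition exempts it")
            else:
                findings.append(f"{sid}: Deny blocks CloudFront from the bucket")
    if not cloudfront_grant:
        findings.append("no Allow s3:GetObject for the CloudFront OAC or OAI")
    return findings


# Constructed sample inputs using the article's placeholder identifiers.
BUCKET = "DOC-EXAMPLE-BUCKET"
DIST_ARN = "arn:aws:cloudfront::111122223333:distribution/EDFDVBD6EXAMPLE"
# Legacy OAI policy as the article shows it: Statement is a single object, which IAM accepts.
OAI_POLICY = {"Version": "2012-10-17", "Statement": {
    "Sid": "1", "Effect": "Allow", "Principal": {"AWS": OAI_PREFIX + "EAF5XXXXXXXXX"},
    "Action": "s3:GetObject", "Resource": f"arn:aws:s3:::{BUCKET}/*"}}
# OAC grant plus a leftover public-read statement: CloudFront is no longer the only path in.
LEAKY_POLICY = oac_bucket_policy(BUCKET, DIST_ARN)
LEAKY_POLICY["Statement"].append({"Sid": "PublicReadGetObject", "Effect": "Allow",
    "Principal": "*", "Action": "s3:GetObject", "Resource": f"arn:aws:s3:::{BUCKET}/*"})

if __name__ == "__main__":
    print(json.dumps(oac_bucket_policy(BUCKET, DIST_ARN), indent=2))
    for name, pol in (("oai", OAI_POLICY), ("leaky", LEAKY_POLICY)):
        print(name, audit_bucket_policy(pol, BUCKET) or ["ok"])
```

To audit a live bucket, pull the policy with aws s3api get-bucket-policy --bucket DOC-EXAMPLE-BUCKET --query Policy --output text (the result is a JSON string, so json.loads it first) and pass it to audit_bucket_policy; apply a generated policy with aws s3api put-bucket-policy --bucket DOC-EXAMPLE-BUCKET --policy file://policy.json. After the update, a direct request such as curl -I https://DOC-EXAMPLE-BUCKET.s3.amazonaws.com/index.html should return 403, while the same path through the distribution's domain name returns 200.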
Related information
Create a distribution
Identity and access management for Amazon S3