CloudFront + S3 Static Hosting .. Use Website Endpoint OR REST API with OAC

Question

Hi,

Today is my first time configuring a static web site on S3.

1. I setup a S3 Bucket with Static Hosting enabled, Public Access Enabled, Bucket policy that allows access

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "PublicReadGetObject",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::xxxxxxxx/*"
        }
    ]
}
```

I tested it and website works.

Now i want to add CloudFront + ACM. So i generate my certificate on ACM and Configure CloudFront

when i am adding the Origin for my bucket it gives the Below Recommendation

> This S3 bucket has static web hosting enabled. If you plan to use this distribution as a website, we recommend using the S3 website endpoint rather than the bucket endpoint.

But in my reading and understanding, i want to follow the approach of keeping my bucket private and only allowing access from CF OAC.

What is the different between both approaches ? it seems if i use the website endpoint then i cannot make the S3 bucket private, as people will be able to access it directly without CF too.

I see that there are multiple options

1. Use a REST API endpoint as the origin, and restrict access with an origin access control (OAC) or origin access identity (OAI)
Note: It's a best practice to use origin access control (OAC) to restrict access. Origin access identity (OAI) is a legacy method for this process.
2. Use a website endpoint as the origin, and allow anonymous (public) access
3. Use a website endpoint as the origin, and restrict access with a Referer header
4. Use AWS CloudFormation to deploy a static website endpoint as the origin, and custom domain pointing to CloudFront

Which one is the recommended. it seems to keep the Bucket Private i can use either 1 or 3 ?
But still confused as to which the recommended approach

Answer

Hello.

> Use a REST API endpoint as the origin, and restrict access with an origin access control (OAC) or origin access identity (OAI) Note: It's a best practice to use origin access control (OAC) to restrict access. Origin access identity (OAI) is a legacy method for this process.

I would choose 1.  
The reason is that Rest API endpoints, unlike website endpoints, can use SSL connections, so secure connections can be made.  
https://docs.aws.amazon.com/AmazonS3/latest/userguide/WebsiteEndpoints.html#WebsiteRestEndpointDiff

Additionally, by using OAC, it is possible to configure S3 bucket policies to block connections other than those via CloudFront.  
Restrictions via CloudFront can also be done using the Referer header, but this has the disadvantage that anyone can access it if the header value is leaked.  
Therefore, I think that control using OAC is better.  
https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-restricting-access-to-s3.html

Static website hosting on S3 exposes your website over HTTP.  
Additionally, you need to set the domain to be the same as the bucket name, and it is not as scalable as using CloudFront.  
https://docs.aws.amazon.com/AmazonS3/latest/userguide/WebsiteEndpoints.html  
https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/getting-started-s3.html

Answer

![Enter image description here](/media/postImages/original/IMMvPwrJzwSjSBpMnSE4Qd-g)

Even if static website hosting is enabled on S3 Bucket, OAC still is a more secure option...

CloudFront + S3 Static Hosting .. Use Website Endpoint OR REST API with OAC

Relevant content