Can i still upload files to S3 using the AWS SDK when i restrict access with an CloudFront distribution?


I want my users to only access files via the cloudfront distribution. I've found this article that explains how to do that. My question is though; If i restrict access like that, will my web application still be able to upload files to amazon s3 buckets directly or does it have to use cloudfront for that as well?

Thank you

2 Answers
Accepted Answer

Assuming your web application is running in EC2/ECS, you can create an IAM Role with permissions to access the Bucket and attach it to your EC2 Instance(s). The Role will authorise SDK calls made from the instance (assuming the correct permissions are defined) without you having to create/manage access keys.

As long as your Buckets access Policy/ACLs are configured to allow access from the account/role your web application will be able to continue using the SDK as standard.

Note: IAM Roles & Bucket ACLs are notoriously tricky to get right so I strongly advise getting the configuration right on a UAT environment first.

answered 2 years ago
profile picture
reviewed 3 months ago
  • what is an UAT environment?

  • UAT means User Acceptance Testing environment. So Daniel just mentioned that you should always test your solution before going live with it.


Like Daniel Craigine wrote, of course, you can use SDK to upload new files to this S3 Bucket.

Origin Access Identity (OAI) is the way how the CloudFront is authorized to get objects from S3 and you need to allow OAI permission in Bucket Policy as is explained in the article you mention. But you can still add your application permission to PutObjects to this S3 Bucket in the IAM Role used by your application.

I hope it is clear right now :)

profile picture
answered 2 years ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions