How to access the (CloudFront) S3 objects without pre-signed URL


Hello,

I am implementing CloudFront in our environment to reduce data transfer cost. After implementation, my S3 objects are not accessible. When I select an object and enable a pre-signed URL, then I am able to access it. But the scenario is, there are "N" number of objects (e.g. 5k, 10k, etc.). I can't select each object and enable pre-signed URLs and make my objects accessible. Also, pre-signed URLs have a time limit. It's not suitable for our environment.

My concern is, I need to implement CloudFront and reduce the data transfer cost; at the same time, all the S3 objects should be accessible anytime without any restrictions. Please advise.

Thanks, Ragav

3 Answers

You need to set up origin access control (OAC). This will allow the S3 bucket to be accessed by your CloudFront distribution.

Please follow this guide.

AWS
answered 17 days ago
EXPERT
Steve_M
reviewed 17 days ago
AWS
EXPERT
answered 17 days ago

When using Amazon S3 origins with CloudFront, you can use CloudFront Origin Access Control (OAC) to secure Amazon S3 bucket access. When setting up OAC, CloudFront will provide an IAM policy that can be used in your Amazon S3 bucket policy. The bucket policy creates a service principal that allows your CloudFront distribution to authenticate with Amazon S3. By allowing the CloudFront service principal an s3:GetObject action in the bucket policy, Amazon S3 allows the CloudFront distribution to access the content [1].

[+] Restricting access to an Amazon Simple Storage Service origin - https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-restricting-access-to-s3.html

Once the S3 permissions are given to the CloudFront service principal in your Amazon S3 bucket policy, to access your S3 objects through CloudFront, combine the domain name for your CloudFront distribution with the S3 object key name [2]. For example, your distribution domain name might look like this: "d111111abcdef8.cloudfront.net", and the path to the S3 object could be "/examplefolder/dummy_file.txt".

Therefore, the URL to access your content through CloudFront might look like this: https://d111111abcdef8.cloudfront.net/examplefolder/dummy_file.txt. For more information on serving HTTPS requests for your S3 bucket, refer to AWS guide [3]. In this way, you are not required to create S3 presigned URLs for each object individually and the objects are also private in nature (i.e. objects cannot be accessed directly using Object URL publicly without authentication).

I am adding an AWS guide here for your reference on restricting access to an Amazon S3 bucket using CloudFront distribution:

https://repost.aws/knowledge-center/cloudfront-access-to-amazon-s3

==== References ====

[1]: https://docs.aws.amazon.com/whitepapers/latest/secure-content-delivery-amazon-cloudfront/s3-origin-with-cloudfront.html

[2]: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/GettingStartedAccessingDistributions.html

[3]: https://repost.aws/knowledge-center/cloudfront-https-requests-s3

EXPERT
answered 16 days ago
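
The bucket policy the answers refer to, as an added example that is not part of any answer above and is not AWS's own code: Python that builds an OAC bucket policy scoped to a single distribution and audits a policy for statements that would leave objects readable outside that distribution. The bucket name, account ID and distribution ID are placeholders, and the function names are hypothetical.

```python
import json

CLOUDFRONT = "cloudfront.amazonaws.com"

def oac_bucket_policy(bucket, account_id, distribution_id):
    """Bucket policy that lets exactly one distribution read objects through OAC."""
    source_arn = f"arn:aws:cloudfront::{account_id}:distribution/{distribution_id}"
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowCloudFrontServicePrincipalReadOnly",
            "Effect": "Allow",
            "Principal": {"Service": CLOUDFRONT},
            "Action": "s3:GetObject",
            "Resource": f"arn:aws:s3:::{bucket}/*",
            "Condition": {"StringEquals": {"AWS:SourceArn": source_arn}},
        }],
    }

def audit(policy):
    """List Allow statements that grant reads more widely than one distribution."""
    findings = []
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        sid, principal = st.get("Sid", "<no Sid>"), st.get("Principal")
        if principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*"):
            findings.append(f"{sid}: public principal, objects are readable without CloudFront")
        elif isinstance(principal, dict) and principal.get("Service") == CLOUDFRONT:
            # Condition key names are case-insensitive, so normalise before lookup.
            keys = {k.lower(): str(v) for op in ("StringEquals", "ArnEquals", "ArnLike")
                    for k, v in st.get("Condition", {}).get(op, {}).items()}
            arn = keys.get("aws:sourcearn", "")
            if not arn:
                findings.append(f"{sid}: no AWS:SourceArn condition, not tied to one distribution")
            elif "*" in arn:
                findings.append(f"{sid}: wildcard in AWS:SourceArn ({arn})")
    return findings

if __name__ == "__main__":
    # Placeholder bucket, account ID and distribution ID (constructed values).
    good = oac_bucket_policy("amzn-s3-demo-bucket", "111122223333", "EDFDVBD6EXAMPLE")
    print(json.dumps(good, indent=2))
    print(audit(good))
    weak = {"Statement": [{"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
                           "Action": "s3:GetObject", "Resource": "arn:aws:s3:::amzn-s3-demo-bucket/*"}]}
    print(audit(weak))
```

With this policy in place and Block Public Access left on, objects are served only through the distribution's domain name, with no per-object pre-signed URLs.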
