Lightsail S3 Bucket behind Lightsail Distribution

Question

I have a S3 bucket configured in AWS lightsail behind a AWS lightsail distribution (generic version from Cloudfront). I have my bucket setup as "individual objects can be public".

My problem is that the S3 objects in Lightsail are only accessible on the internet when I switch the permission to "Public access", not when is in "Private" mode.

I want to avoid switching the permission to "Public" because then the end user could bypass the CDN and go directly to S3, assuming ofc that the bucket name was known, in my case I'm using custom domain.

I know that full version of Cloud front has the option of use Origin Access Identity, which will allow all S3 bucket objects to be private and still be accessible.

Is there something similar on Lightsail distribution?

Answer

Hi there,
     
As I understand your question, you want to block direct access to your Lightsail storage bucket while using your Lightsail distribution to serve your content.
     
Lightsail is designed as a lightweight and easy-to-use platform for small to medium scale workloads. As a result, some features that you are used to with AWS's regular services (S3 Buckets and using CloudFront Origin Access Identities) are not available with Lightsail.
     
At this time, there is no way to block direct access to your Lightsail bucket while simultaneously serving it's content as you would with S3 Buckets and an OAI. The only available permissions for Lightsail buckets are the ones you mentioned in your question: "All objects are private", "Individual objects can be made public and read-only", and "All objects are public and read-only".
     
Eric B

Lightsail S3 Bucket behind Lightsail Distribution

Relevant content