To restrict S3 access only from CloudFront

So everyone is using S3 REST API endpoint as the origin to CloudFront,they can restrict access to S3 from CloudFront only by setting up an OAI. So this is special CloudFront user, which they will associate with their distribution.

They can then add permissions on S3 buckets,or the objects in an S3 buckets, to allow access only to this OAI. when the users access the S3 objects through CloudFront,the OAI gets the object on behalf of the users. If users try to access the S3 URL directly, their access is denied

This makes surethat the client can access objects in the S3 bucket, but only by CloudFront. This is an additional layer of security, and customers can control traffic by integreating WAF with CloudFront to secure their website

So lets start.

So to create orgin access CloudFront identity using the CloudFront console lets login to aws management console

Then go to cloudfront console and select the Distribution id you want to add origin access identity

Then change to edit mode and choose the orgin tab and select the sd origin that you want to edit.

Click Edit

For restrict Bucket Access select yes

If u already have an origin access identity you can choose the existing identity or you can create a new one.

Here we are using the existing identity, To have cloud front automatically update origin access identity permission to read the objects in the se bucket specified in the origin domain name, Choose Yes, update Bucket policy

Then click yes edit

Now we can check the bucket policy are updated.

To do that   open S3 console,

click the S3 bucket which is the origin to the CloudFront distribution, Select the permission tab and choose bucket policy there we can see.

So let’s test it in the real-time by accessing the S3 object from the CloudFront URL

Go to the coludfront management console click on the General tab and select the Domain name

Copy and paste the Domain name to a new tab, To access the S3 object type hello.html.

So we can see that access is working fine with CloudFront url.

Now lets access the S3 object by directly accessing the S3  URL

To do that go to the S3 management console, Click on the overview,we can see hello.html

Click on that we will get the S3 object link. oping its on a new tab we can see an access denied error

So the user will have an access to the S3 object only through the CloudFront URL

Leave a Reply

Your email address will not be published. Required fields are marked *