To restrict S3 access only from CloudFront
So when you use the S3 REST API endpoint as the origin for CloudFront, you can restrict access to S3 to CloudFront only by setting up an OAI (origin access identity). This is a special CloudFront user, which you associate with your distribution.
You can then add permissions on the S3 bucket, or on the objects in the bucket, to allow access only to this OAI. When users access the S3 objects through CloudFront, the OAI fetches the objects on their behalf. If users try to access the S3 URL directly, their access is denied.
This makes sure that clients can access objects in the S3 bucket, but only through CloudFront. It is an additional layer of security, and customers can also control traffic by integrating WAF with CloudFront to secure their website.
So let's start.
So to create an origin access identity using the CloudFront console, let's log in to the AWS Management Console.
Then go to the CloudFront console and select the distribution ID you want to add the origin access identity to.
Then change to edit mode, choose the Origins tab and select the S3 origin that you want to edit.
For Restrict Bucket Access, select Yes.
If you already have an origin access identity you can choose the existing identity, or you can create a new one.
Here we are using the existing identity. To have CloudFront automatically update the origin access identity permissions to read the objects in the S3 bucket specified in the origin domain name, choose Yes, Update Bucket Policy.
Then click Yes, Edit.
Now we can check that the bucket policy has been updated.
To do that, open the S3 console,
click the S3 bucket that is the origin for the CloudFront distribution, select the Permissions tab and choose Bucket Policy; there we can see the updated policy.
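The bucket policy you see at this point, and the two requests tested later in the walkthrough (CloudFront fetching the object as the OAI, and a direct hit on the S3 URL), can be reproduced offline. The following is an added example, not code from the original walkthrough or from AWS: it builds a policy of the same shape the console writes when you choose Yes, Update Bucket Policy, runs a simplified S3 policy evaluation against both requesters, and checks for leftover public-read grants. The bucket name and OAI ID are constructed placeholders, and the evaluator only models the bucket policy (not ACLs, IAM user policies or Block Public Access).

```python
import json
from fnmatch import fnmatchcase

# Constructed placeholders for this example; not real AWS identifiers.
BUCKET = "example-origin-bucket"
OAI_ID = "EXAMPLEOAIID"
OAI_ARN = f"arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity {OAI_ID}"


def build_oai_bucket_policy(bucket, oai_arn):
    """Return a bucket policy of the shape CloudFront adds when you choose
    'Yes, Update Bucket Policy': only the OAI principal may GetObject."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowCloudFrontOAIReadOnly",
                "Effect": "Allow",
                "Principal": {"AWS": oai_arn},
                "Action": "s3:GetObject",
                "Resource": f"arn:aws:s3:::{bucket}/*",
            }
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_matches(principal, requester):
    """'*' matches anyone, including anonymous requests; otherwise the
    requester must appear verbatim in one of the principal lists."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(v in ("*", requester)
                   for vals in principal.values() for v in _as_list(vals))
    return False


def evaluate(policy, requester, action, resource):
    """Simplified S3 policy evaluation: an explicit Deny wins, otherwise
    any matching Allow grants access, and the default is Deny."""
    allowed = False
    for stmt in policy["Statement"]:
        if not _principal_matches(stmt.get("Principal"), requester):
            continue
        if not any(fnmatchcase(action, pat) for pat in _as_list(stmt["Action"])):
            continue
        if not any(fnmatchcase(resource, pat) for pat in _as_list(stmt["Resource"])):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        allowed = True
    return "Allow" if allowed else "Deny"


def simulate_requests(policy, bucket, oai_arn, key="hello.html"):
    """Replay the two requests from the walkthrough: CloudFront (acting as
    the OAI) fetching the object, and a direct, unauthenticated S3 URL hit.
    'anonymous' is a constructed label for an unauthenticated requester."""
    resource = f"arn:aws:s3:::{bucket}/{key}"
    return {
        "via_cloudfront_oai": evaluate(policy, oai_arn, "s3:GetObject", resource),
        "direct_anonymous": evaluate(policy, "anonymous", "s3:GetObject", resource),
    }


def public_read_statements(policy):
    """Sids of Allow statements that grant s3:GetObject to everyone. The
    console adds the OAI statement but does not remove grants like these,
    so review the policy for them after the update."""
    return [
        stmt.get("Sid", "<no Sid>")
        for stmt in policy["Statement"]
        if stmt["Effect"] == "Allow"
        and _principal_matches(stmt.get("Principal"), "anonymous")
        and any(fnmatchcase("s3:GetObject", pat) for pat in _as_list(stmt["Action"]))
    ]


if __name__ == "__main__":
    policy = build_oai_bucket_policy(BUCKET, OAI_ARN)
    print(json.dumps(policy, indent=2))
    print(simulate_requests(policy, BUCKET, OAI_ARN))
    print("public read statements:", public_read_statements(policy))
```

With only the OAI statement present, the OAI request evaluates to Allow and the direct anonymous request to Deny, which is the Access Denied result the walkthrough shows. If `public_read_statements` returns anything, the bucket is still reachable without CloudFront regardless of the OAI statement, so remove those statements (and keep S3 Block Public Access enabled on the bucket).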
So let's test it in real time by accessing the S3 object from the CloudFront URL.
Go to the CloudFront management console, click on the General tab and select the Domain Name.
Copy and paste the domain name into a new tab; to access the S3 object, append hello.html.
So we can see that access is working fine with the CloudFront URL.
Now let's access the S3 object directly through the S3 URL.
To do that, go to the S3 management console and click on Overview; we can see hello.html.
Click on it and we will get the S3 object link. Opening it in a new tab, we see an Access Denied error.
So the user has access to the S3 object only through the CloudFront URL.