Question

I want to put a Cloudfront CDN in front of a S3 website bucket for a static website, and restrict read access of the bucket to the Cloudfront distribution. Pretty common, and documented by AWS and other sources. But for some reason I can’t get it to work.

And I’m not the first one to stumble upon this. (1, 2, 3). I’ve tried the solutions posted there, but again, no luck.

I also tried tweaking values in PublicAccessBlockConfiguration and AccessControl and tried uploading bucket content with aws s3 sync … --grants read=uri=http://acs.amazonaws.com/groups/global/AllUsers.

But I always end up with either public S3 content, or content being unavailable via Cloudfront as well.

Does anybody have an idea what else I could try?

Answer 1

Make a CloudFront access identity for origin access (OAI)

1. Log in to CloudFront's management console.

2. Select the distribution that serves material from the S3 bucket to which access should be restricted from the list of distributions.

3. Select the Origins option from the drop-down menu.

4. Choose Edit and then select the S3 origin.

5. Select Yes to use OAI for S3 bucket access (bucket can restrict access to only CloudFront).

6. Choose an existing identity from the selection list or create a new OAI for Origin access identity.

7. Select Yes to update the bucket policy in the Bucket policy section.
Note: This step modifies your S3 origin's bucket policy to grant OAI access to the following buckets:
GetObject.

Select Save Changes from the drop-down menu.

If you need to know more about Cloud Computing, We recommend joining Cloud Computing Certification today.