Wondering ‘how to restrict access to an Amazon S3 bucket using CloudFront’? We can help you with this!
If you are using an Amazon S3 bucket as a CloudFront origin, you can either leave the objects readable by everyone, or you can restrict access so that objects can be fetched only through the CloudFront distribution. The restriction is implemented with a CloudFront origin access identity (OAI): the bucket policy grants read access to the OAI alone, so requests that go straight to the bucket URL are denied and cannot be used to bypass the controls you apply at the CloudFront layer (signed URLs or cookies, geo restriction, AWS WAF rules).
Here, at Bobcares, we often receive a lot of requests from our AWS customers to restrict access to the S3 bucket using CloudFront as part of our AWS Support Services.
Today, let’s see how our Support Techs help the customers to restrict access to an Amazon S3 bucket using CloudFront.
How to restrict access to an Amazon S3 bucket using CloudFront
Before setting up the restriction, make sure that the S3 origin of the CloudFront distribution is configured as a REST API endpoint (AWSDOC-EXAMPLE-BUCKET.s3.amazonaws.com).
The following resolution doesn't apply to S3 origins that are configured as a website endpoint (AWSDOC-EXAMPLE-BUCKET.s3-website-us-east-1.amazonaws.com): a website endpoint only supports anonymous access, so an OAI cannot authenticate to it. Note also that AWS now recommends origin access control (OAC) over OAI for new distributions; the OAI steps below still work, but OAI is the older mechanism.
Creating a CloudFront OAI and adding it to Distribution
Let's see how our Support Techs create a CloudFront origin access identity and add it to the distribution:
1. Sign in to the CloudFront console.
2. From the list of distributions, choose the ID of the distribution that serves content from the S3 bucket you want to restrict access to.
3. Choose the Origins and Origin Groups tab.
4. Choose the check box next to the S3 origin, and then choose Edit.
5. For Restrict Bucket Access, choose Yes.
6. For Origin Access Identity (OAI), select either Create a New Identity or Use an Existing Identity.
If there is already an OAI, choose to Use an Existing Identity. Then choose the OAI in the Identities list.
To create an OAI, choose to Create a New Identity. Then replace the bucket name in the Comment field with a custom description.
7. For Grant Read Permissions on Bucket, select Yes, Update Bucket Policy.
Note: This step updates the bucket policy of the S3 origin to grant the OAI s3:GetObject permission on the objects in the bucket. It does not remove any existing statements, which is why the policy must be reviewed afterwards.
8. Then choose Yes, Edit.
Review the bucket policy
1. Open the Amazon S3 console.
2. Then from the list of buckets, choose the bucket that’s the origin of the CloudFront distribution.
3. Choose the Permissions tab.
4. Choose Bucket Policy.
5. In the Bucket policy editor, confirm that there is a statement similar to the following:
{
    "Sid": "1",
    "Effect": "Allow",
    "Principal": {
        "AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity EAF5XXXXXXXXX"
    },
    "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::AWSDOC-EXAMPLE-BUCKET/*"
}
This is the statement that CloudFront adds to our bucket policy when we select Yes, Update Bucket Policy as part of the OAI setup.
6. Review the bucket policy for any statements with "Effect": "Deny" that prevent the CloudFront OAI from reading objects, for example a Deny with "Principal": "*" on s3:GetObject or s3:*. An explicit Deny overrides the Allow that CloudFront added. Modify those statements (for instance by excepting the OAI with NotPrincipal, or by narrowing the Condition) so that the CloudFront OAI can access objects in the bucket.
7. Also review the bucket policy for any statements with "Effect": "Allow" that grant object access to a source other than the CloudFront OAI. An Allow with "Principal": "*" on s3:GetObject makes the objects public and lets clients bypass CloudFront entirely; remove such statements unless there is a documented reason to keep them.
8. Also note that if you use object ACLs to manage permissions, you must review the object ACLs as well: a bucket policy that grants access only to the OAI does not revoke a public-read ACL on an individual object, so those objects would still be readable outside of the CloudFront OAI.
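The review steps above can be applied mechanically to the policy document instead of reading it by eye. The following is an added example written for this page (it is not Bobcares' or AWS code): it parses a bucket policy, confirms the OAI Allow statement that CloudFront adds is present, and lists the Allow statements that grant object reads to anyone other than the OAI and the Deny statements that would also apply to the OAI. The bucket name, OAI ID and the sample policy are constructed for illustration; the optional fetch_bucket_policy helper shows how the same audit would be run against a live bucket with boto3, but the sample run is fully offline.

```python
"""Offline audit of an S3 bucket policy for CloudFront-OAI-only reads.

Added example, not the page's or AWS's code. BUCKET, OAI_ID and
SAMPLE_POLICY below are constructed for illustration.
"""
import json

# CloudFront expresses an OAI as this IAM-style principal ARN.
OAI_ARN_PREFIX = "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity "

# Hypothetical inputs (not real resources).
BUCKET = "AWSDOC-EXAMPLE-BUCKET"
OAI_ID = "EAF5XXXXXXXXX"


def _as_list(value):
    """Action, Resource and Principal sub-fields may be a string or a list."""
    if value is None:
        return []
    return list(value) if isinstance(value, list) else [value]


def _principals(field):
    """Flatten a Principal/NotPrincipal value ('*' or {"AWS": ...}) to a list."""
    if field == "*":
        return ["*"]
    if isinstance(field, dict):
        out = []
        for key in ("AWS", "Service", "Federated", "CanonicalUser"):
            out.extend(_as_list(field.get(key)))
        return out
    return []


def _covers_objects(stmt, bucket):
    """True if Resource includes objects in the bucket, not just the bucket itself."""
    prefix = f"arn:aws:s3:::{bucket}/"
    return any(r == "*" or r.startswith(prefix) for r in _as_list(stmt.get("Resource")))


def _covers_get_object(stmt):
    actions = {a.lower() for a in _as_list(stmt.get("Action"))}
    return bool(actions & {"s3:getobject", "s3:*", "*"})


def expected_oai_statement(bucket, oai_id):
    """The statement CloudFront adds when 'Yes, Update Bucket Policy' is chosen."""
    return {"Sid": "1", "Effect": "Allow",
            "Principal": {"AWS": OAI_ARN_PREFIX + oai_id},
            "Action": "s3:GetObject", "Resource": f"arn:aws:s3:::{bucket}/*"}


def make_policy(*statements):
    """Wrap statements in a policy document, serialized as S3 returns it."""
    return json.dumps({"Version": "2012-10-17", "Statement": list(statements)})


def audit_bucket_policy(policy_json, bucket, oai_id):
    """Apply review steps 5-7 to a bucket policy document.

    oai_allowed        - an Allow of s3:GetObject on the objects names the OAI
    other_allows       - Sids of Allows granting object reads to non-OAI principals
    denies_hitting_oai - Sids of Denies on object reads that would apply to the OAI
    """
    oai_arn = OAI_ARN_PREFIX + oai_id
    policy = json.loads(policy_json)
    findings = {"oai_allowed": False, "other_allows": [], "denies_hitting_oai": []}

    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        sid = stmt.get("Sid") or f"statement[{idx}]"
        if not (_covers_objects(stmt, bucket) and _covers_get_object(stmt)):
            continue  # bucket-level or unrelated actions are out of scope here
        principals = _principals(stmt.get("Principal"))
        if stmt.get("Effect") == "Allow":
            if oai_arn in principals:
                findings["oai_allowed"] = True
            if any(p != oai_arn for p in principals):
                findings["other_allows"].append(sid)  # '*' here means public
        elif stmt.get("Effect") == "Deny":
            if "NotPrincipal" in stmt:
                # "Deny everyone except ..." only blocks the OAI if it is not excepted.
                if oai_arn not in _principals(stmt["NotPrincipal"]):
                    findings["denies_hitting_oai"].append(sid)
            elif "*" in principals or oai_arn in principals:
                # Conditional denies (e.g. aws:SecureTransport) are flagged too;
                # check by hand that the condition cannot match CloudFront's requests.
                findings["denies_hitting_oai"].append(sid)
    return findings


# Constructed sample: the CloudFront-added Allow plus the two kinds of statement
# the review steps tell you to look for (a public-read Allow and a blanket Deny).
SAMPLE_POLICY = make_policy(
    expected_oai_statement(BUCKET, OAI_ID),
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": f"arn:aws:s3:::{BUCKET}/*"},
    {"Sid": "DenyHTTP", "Effect": "Deny", "Principal": "*", "Action": "s3:*",
     "Resource": [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"],
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    {"Sid": "ListOnly", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
     "Action": "s3:ListBucket", "Resource": f"arn:aws:s3:::{BUCKET}"},
)


def fetch_bucket_policy(bucket):
    """Optional live fetch (needs boto3 and AWS credentials); not used by the sample run."""
    import boto3  # imported here so the offline audit does not require it
    return boto3.client("s3").get_bucket_policy(Bucket=bucket)["Policy"]


if __name__ == "__main__":
    print(json.dumps(audit_bucket_policy(SAMPLE_POLICY, BUCKET, OAI_ID), indent=2))
```

On the sample policy the audit reports oai_allowed true, PublicRead under other_allows and DenyHTTP under denies_hitting_oai. After fixing the policy, confirm the result end to end: an object fetched directly from the bucket URL should return HTTP 403 (AccessDenied), while the same path through the distribution's domain returns 200.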
After restricting access to the S3 bucket using the CloudFront OAI, we can optionally add another layer of protection by attaching an AWS WAF web ACL to the distribution. Because the bucket now accepts reads only from the OAI, WAF rules evaluated at CloudFront cannot be bypassed by going to the bucket directly.
Conclusion
In short, today we saw how our Support Techs restrict access to an Amazon S3 bucket using CloudFront.