AWS CloudFront


Restrict access to an Amazon S3 bucket using CloudFront

Wondering ‘how to restrict access to an Amazon S3 bucket using CloudFront’? We can help you with this!

If you are using an Amazon S3 bucket, you can either allow everyone to have access to the files there, or you can restrict access to protect against various types of attacks with the help of CloudFront.

Here, at Bobcares, we often receive a lot of requests from our AWS customers to restrict access to the S3 bucket using CloudFront as part of our AWS Support Services.

Today, let’s see how our Support Techs help customers restrict access to an Amazon S3 bucket using CloudFront.

How to restrict access to an Amazon S3 bucket using CloudFront

Before setting up the restriction, make sure that the S3 origin of the CloudFront distribution is configured as a REST API endpoint (AWSDOC-EXAMPLE-BUCKET.s3.amazonaws.com).

The following resolution doesn’t apply to S3 origins that are configured as a website endpoint (AWSDOC-EXAMPLE-BUCKET.s3-website-us-east-1.amazonaws.com).

Creating a CloudFront OAI and adding it to a distribution

Let’s see how our Support Techs create a CloudFront origin access identity (OAI) and add it to a distribution:

1.    Sign in to the CloudFront console.

2.    From the list of distributions, choose the ID of the distribution that serves content from the S3 bucket you want to restrict access to.

3.    Choose the Origins and Origin Groups tab.

4.    Select the check box next to the S3 origin, and then choose Edit.

5.    For Restrict Bucket Access, choose Yes.

6.    For Origin Access Identity (OAI), select either Create a New Identity or Use an Existing Identity.

If there is already an OAI, choose Use an Existing Identity. Then choose the OAI in the Identities list.

To create an OAI, choose Create a New Identity. Then replace the bucket name in the Comment field with a custom description.

7.    For Grant Read Permissions on Bucket, select Yes, Update Bucket Policy.
Note: This step updates the bucket policy of the S3 origin to grant the OAI access for s3:GetObject.

8.    Then choose Yes, Edit.

Review the bucket policy

1.    Open the Amazon S3 console.

2.    Then from the list of buckets, choose the bucket that’s the origin of the CloudFront distribution.

3.    Choose the Permissions tab.

4.    Choose Bucket Policy.

5.    In the Bucket policy editor, confirm that there is a statement similar to the following:

{
    "Sid": "1",
    "Effect": "Allow",
    "Principal": {
        "AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity EAF5XXXXXXXXX"
    },
    "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::AWSDOC-EXAMPLE-BUCKET/*"
}

This is the statement that CloudFront adds to our bucket policy when we select Yes, Update Bucket Policy as part of the OAI setup.

6.    Review the bucket policy for any statements with "Effect": "Deny" that prevent access to the bucket from the CloudFront OAI. Modify those statements so that the CloudFront OAI can access objects in the bucket.

7.    Also review the bucket policy for any statements with "Effect": "Allow" that allow access to the bucket from any source other than the CloudFront OAI. Modify those statements as your requirements dictate; a statement that grants read access to a public principal defeats the purpose of the OAI.

8.    If you use object ACLs to manage permissions, also review the object ACLs to make sure those files aren’t accessible outside of the CloudFront OAI.
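The review steps above can be checked mechanically. The following is an added example (not Bobcares’ or AWS’s code) that builds the OAI statement CloudFront adds to the bucket policy and then reviews a policy document for the two problem cases the steps describe: Allow statements that grant s3:GetObject to principals other than the OAI, and Deny statements that could block the OAI. The bucket name and OAI id are the placeholders from the page, the sample policy is constructed, and the checker deliberately does not evaluate Condition blocks, so any Deny on "*" is reported for manual review even if a Condition might exempt the OAI.

```python
"""Build and review an S3 bucket policy for a CloudFront origin access identity (OAI).

Added example, not Bobcares' or AWS's code. BUCKET and OAI_ID are placeholders.
"""
import json

BUCKET = "AWSDOC-EXAMPLE-BUCKET"   # placeholder bucket name from the page
OAI_ID = "EAF5XXXXXXXXX"           # placeholder OAI id from the page

# Actions that would let a principal read objects (wildcards included).
GET_OBJECT_ACTIONS = ("s3:GetObject", "s3:Get*", "s3:*", "*")


def oai_principal_arn(oai_id):
    """Principal ARN that CloudFront uses for an OAI in a bucket policy."""
    return f"arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity {oai_id}"


def build_oai_statement(bucket, oai_id, sid="1"):
    """The Allow statement added by 'Yes, Update Bucket Policy' during OAI setup."""
    return {
        "Sid": sid,
        "Effect": "Allow",
        "Principal": {"AWS": oai_principal_arn(oai_id)},
        "Action": "s3:GetObject",
        "Resource": f"arn:aws:s3:::{bucket}/*",
    }


def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principals(statement):
    """Flatten the Principal element into a list of strings ('*' or ARNs)."""
    principal = statement.get("Principal")
    if principal == "*":
        return ["*"]
    if isinstance(principal, dict):
        return [p for values in principal.values() for p in _as_list(values)]
    return _as_list(principal)


def _grants_get_object(statement):
    return any(a in GET_OBJECT_ACTIONS for a in _as_list(statement.get("Action")))


def review_bucket_policy(policy, oai_id):
    """Apply the page's review steps to a policy document (a dict parsed from JSON).

    Conditions are not evaluated: a Deny on '*' is reported for manual review.
    """
    oai_arn = oai_principal_arn(oai_id)
    findings = {"oai_allowed": False, "deny_hits_oai": [], "other_allows": []}
    for stmt in policy.get("Statement", []):
        if not _grants_get_object(stmt):
            continue                      # unrelated action, e.g. s3:ListBucket only
        principals = _principals(stmt)
        if stmt.get("Effect") == "Allow":
            if oai_arn in principals:
                findings["oai_allowed"] = True
            others = [p for p in principals if p != oai_arn]
            if others:                    # step 7: read access from a non-OAI source
                findings["other_allows"].append({"Sid": stmt.get("Sid"), "Principal": others})
        elif stmt.get("Effect") == "Deny":
            if "*" in principals or oai_arn in principals:   # step 6: may block the OAI
                findings["deny_hits_oai"].append(stmt.get("Sid"))
    return findings


def is_restricted_to_oai(policy, oai_id):
    """True only when the OAI is allowed and nothing else is allowed or possibly denied."""
    f = review_bucket_policy(policy, oai_id)
    return f["oai_allowed"] and not f["other_allows"] and not f["deny_hits_oai"]


# Constructed sample policy: the OAI statement plus two statements that should be flagged.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        build_oai_statement(BUCKET, OAI_ID),
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": f"arn:aws:s3:::{BUCKET}/*"},
        {"Sid": "DenyInsecure", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*", "Resource": f"arn:aws:s3:::{BUCKET}/*",
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ],
}

if __name__ == "__main__":
    print(json.dumps(review_bucket_policy(SAMPLE_POLICY, OAI_ID), indent=2))
```

Running the script on a real policy means loading the JSON from the bucket policy editor into `review_bucket_policy`; the `other_allows` list is the one to clear out, and each entry in `deny_hits_oai` needs a look at its Condition to confirm CloudFront requests still get through.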

After restricting access to the S3 bucket using the CloudFront OAI, we can optionally add another layer of security in front of the distribution with AWS WAF, the AWS web application firewall.

Conclusion

In short, today we saw how our Support Techs restrict access to an Amazon S3 bucket using CloudFront.

How to fix ‘CloudFront serving outdated content from Amazon S3’

One of the most common queries we get from our AWS customers is something along the lines of “Why is CloudFront serving outdated content?”.

CloudFront caches a response from Amazon S3 for 24 hours. If you request the object within those 24 hours, CloudFront returns the cached response even if you have updated the content in Amazon S3.

Here, at Bobcares, we assist our customers with similar AWS queries as part of our AWS Support Services.

Today, let’s see how our Support Techs resolve this outdated content issue.

Why is CloudFront serving outdated content from Amazon S3?

Amazon CloudFront is a content delivery service offered by AWS that speeds up the distribution of static, dynamic web, or streaming content to end users.

It delivers the content through a worldwide network of data centers called edge locations.

CloudFront caches a response from Amazon S3 for 24 hours (a TTL of 86,400 seconds) by default. If your request lands at an edge location that served the Amazon S3 response within the last 24 hours, CloudFront returns the cached response even if you updated the content in Amazon S3.

Our Support Engineers fix this outdated content issue by using either of the following methods.

  • Invalidate the S3 objects.
  • Use object versioning.

Methods to push the updated S3 content from CloudFront

Now let’s discuss in detail how both methods resolve outdated S3 content issues.

Invalidate the S3 objects

In this method, invalidating an S3 object removes it from the CloudFront edge cache. After the object is removed from the cache, the next request retrieves the object directly from Amazon S3.

Consider the following points before proceeding with an invalidation:

    • We can run an invalidation only on a web distribution. That is, we can’t invalidate a Real Time Messaging Protocol (RTMP) distribution.
    • CloudFront invalidates all versions of the object. That is, we can’t invalidate a specific version of an object that uses cookies or headers to vary the response.
    • Each AWS account is allowed 1,000 free invalidation paths per month. There is a price per invalidation path over 1,000 per month.

When creating an invalidation, make sure the object paths meet the following requirements:

    • The object paths must be for individual objects, or the paths must end with the wildcard character (*). That is, a path like /images/*.jpeg can’t be invalidated because it is neither an individual object nor a path ending in the wildcard.
    • Invalidation requests are case-sensitive. That is, the specified path must exactly match the capitalization of the object’s path.
    • We can remove specific versions of an object by including the query string in the invalidation path.
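The path rules and the monthly quota above are easy to get wrong in a script that fires off invalidations. The following is an added example (not Bobcares’ or AWS’s code) that checks a list of paths against those rules before any request is made, shows the case-sensitive matching of a path against an object key, and counts how many paths would fall outside the 1,000 free paths per month. The sample paths and the usage counter are constructed for the example.

```python
"""Check CloudFront invalidation paths against the rules described on this page.

Added example, not Bobcares' or AWS's code. SAMPLE_PATHS and the usage counter are constructed.
"""

FREE_PATHS_PER_MONTH = 1000  # free invalidation paths per AWS account per month


def validate_invalidation_path(path):
    """Return (ok, reason). A valid path names an individual object, optionally with a
    query string, or is a prefix ending in the wildcard '*'."""
    if not path.startswith("/"):
        return False, "path must start with '/'"
    if "*" in path and (path.count("*") > 1 or not path.endswith("*")):
        # e.g. /images/*.jpeg: the wildcard is not the last character
        return False, "the wildcard '*' may only appear once, as the last character"
    return True, "ok"


def path_covers_object(path, object_key):
    """Case-sensitive match of an invalidation path against an S3 object key.
    A path without a query string matches every cached variant of that object."""
    key_path = "/" + object_key.lstrip("/")
    base = path.split("?", 1)[0]
    if base.endswith("*"):
        return key_path.startswith(base[:-1])
    return key_path == base


def plan_invalidation(paths, used_this_month=0):
    """Split paths into valid/rejected and count how many exceed the monthly free quota."""
    valid, rejected = [], []
    for p in paths:
        ok, reason = validate_invalidation_path(p)
        if ok:
            valid.append(p)
        else:
            rejected.append((p, reason))
    billable = max(0, used_this_month + len(valid) - FREE_PATHS_PER_MONTH)
    return {"valid": valid, "rejected": rejected, "billable_paths": billable}


# Constructed input: two acceptable paths and two that break the rules.
SAMPLE_PATHS = ["/images/*", "/images/*.jpeg", "index.html", "/image.png?ver=1"]

if __name__ == "__main__":
    print(plan_invalidation(SAMPLE_PATHS, used_this_month=999))
```

With 999 paths already used in the month, the two valid paths push the account one path over the free allowance, which `billable_paths` reports; the rejected paths come back with the reason, so the batch can be corrected before it is submitted.
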
Steps to invalidate the S3 objects

1. Log in to the AWS console.
2. Navigate to the CloudFront service.
3. Select the CloudFront distribution ID connected to the bucket.
4. Navigate into the CloudFront distribution.
5. Go to the `Invalidations` tab.
6. Click `Create Invalidation`.
7. Enter the `Object Path`.
8. Finally, click `Invalidate`.

Object invalidations typically take 60 to 300 seconds to complete. We can check the status of an invalidation by viewing the distribution in the CloudFront console.

Use object versioning

If we are updating the S3 content frequently, the best way to clear the CloudFront distribution’s cache is the object versioning method, because it might cost less than the invalidation method.

Our Support Techs add versioning to the objects by using either of the following methods.

  •  The first method is to store new versions of the object at the origin with the version number in the key name, for example:

/image_v1.png to /image_v2.png

  •  The other method is to whitelist a query string that carries the object version, for example:

/image.png?ver=1 to /image.png?ver=2

We can use a cache policy to specify which query strings are included in the cache key and in origin requests.

Advantages and disadvantages of the object versioning method

If we add the version to the object name, we can revert changes because the previous version of the object remains in Amazon S3 under the previous name. However, storing multiple versions of an object can increase storage costs.

If we whitelist a query string with the object version, it can reduce storage costs, but we can’t revert changes because the object is overwritten. So it’s a best practice to keep previous object versions offline.
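To make the behaviour behind this whole post concrete, the following is an added example (not Bobcares’ or AWS’s code): a toy model of one edge location in front of an S3 origin with the 24-hour default TTL. It shows the outdated content a viewer sees after the S3 object is updated, then each fix in turn: an invalidation, a version number in the key name, and a `ver` query string that only takes effect when the cache policy includes it in the cache key. The origin dictionary stands in for the bucket and the timestamps are constructed seconds.

```python
"""Toy model of a CloudFront edge cache in front of S3, showing stale content and the fixes.

Added example, not Bobcares' or AWS's code. The origin dict stands in for an S3 bucket and
all timestamps are constructed.
"""
from urllib.parse import urlsplit, parse_qsl, urlencode

DEFAULT_TTL = 86_400  # CloudFront's default TTL for S3 responses: 24 hours


class EdgeCache:
    def __init__(self, origin, ttl=DEFAULT_TTL, query_whitelist=()):
        self.origin = origin                      # object key -> content (the "bucket")
        self.ttl = ttl
        self.query_whitelist = set(query_whitelist)
        self.cache = {}                           # cache key -> (content, stored_at)
        self.origin_fetches = 0

    def cache_key(self, url):
        """Path plus only the whitelisted query strings, as a cache policy would decide."""
        parts = urlsplit(url)
        kept = sorted((k, v) for k, v in parse_qsl(parts.query) if k in self.query_whitelist)
        return parts.path + ("?" + urlencode(kept) if kept else "")

    def get(self, url, now):
        key = self.cache_key(url)
        hit = self.cache.get(key)
        if hit is not None and now - hit[1] < self.ttl:
            return hit[0]                         # served from the edge; S3 is not consulted
        content = self.origin.get(urlsplit(url).path.lstrip("/"))  # None models a 404
        self.origin_fetches += 1
        self.cache[key] = (content, now)
        return content

    def invalidate(self, path):
        """Remove cached entries for a path: '/x*' is a prefix, a path without '?' removes
        every query-string variant, a path with '?' removes only that variant."""
        if path.endswith("*"):
            prefix = path[:-1]
            matches = lambda k: k.startswith(prefix)
        elif "?" in path:
            matches = lambda k: k == path
        else:
            matches = lambda k: k.split("?", 1)[0] == path
        removed = [k for k in self.cache if matches(k)]
        for k in removed:
            del self.cache[k]
        return len(removed)


def demo():
    """Run the scenarios from the post and return what a viewer actually receives."""
    origin = {"image.png": "v1"}
    edge = EdgeCache(origin)
    out = {}
    out["first"] = edge.get("/image.png", now=0)                # miss: fetched from S3
    origin["image.png"] = "v2"                                  # content updated in S3
    out["within_ttl"] = edge.get("/image.png", now=3600)        # still v1: outdated content
    out["after_ttl"] = edge.get("/image.png", now=DEFAULT_TTL)  # TTL expired: v2

    origin["image.png"] = "v3"
    edge.invalidate("/image.png")                               # method 1: invalidation
    out["after_invalidation"] = edge.get("/image.png", now=DEFAULT_TTL + 10)

    # Method 2a: a version in the key name is a different object, hence a different cache key.
    origin["image_v2.png"] = "v2-by-name"
    out["key_name_version"] = edge.get("/image_v2.png", now=DEFAULT_TTL + 20)

    # Method 2b: query-string version, only effective when 'ver' is part of the cache key.
    plain = EdgeCache({"image.png": "v1"})
    plain.get("/image.png?ver=1", now=0)
    plain.origin["image.png"] = "v2"
    out["query_not_whitelisted"] = plain.get("/image.png?ver=2", now=10)    # still v1
    keyed = EdgeCache({"image.png": "v1"}, query_whitelist=["ver"])
    keyed.get("/image.png?ver=1", now=0)
    keyed.origin["image.png"] = "v2"
    out["query_whitelisted"] = keyed.get("/image.png?ver=2", now=10)        # v2
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The `query_not_whitelisted` result is the trap to watch for: bumping `?ver=` in the HTML does nothing unless the cache policy forwards that query string, because both URLs collapse to the same cache key.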

Conclusion

In short, today we saw how our Support Techs resolve the outdated content issue in Amazon CloudFront.

Set up Amazon CloudFront with WordPress site – How we do it

Wondering how to set up Amazon CloudFront with WordPress site? We can help you.

One of the easiest ways to improve the user experience is to accelerate one’s entire WordPress website by using CloudFront.

This will improve the site’s responsiveness by reducing the load on web servers. CloudFront can be configured to accelerate a website regardless of the website being hosted on AWS.

Here at Bobcares, we often handle requests from our customers to set up Amazon CloudFront with WordPress site as a part of our Server Management Services.

Today let’s see the Steps that our Support Techs follow for the setup.


How to setup AWS CloudFront and how it delivers content

Wondering how to setup AWS CloudFront? We can help you.

CloudFront retrieves data from the Amazon S3 bucket and distributes it to multiple data center locations. The data is delivered through edge locations.

When we request data, the request is routed to the nearest edge location, resulting in the lowest latency, low network traffic, fast access to data, etc.

At Bobcares we assist our customers with several AWS queries as part of our AWS Support Services for AWS users, and online service providers.

Today, let us discuss how to set up AWS CloudFront.
