Last updated on April 26, 2023
What is Amazon S3 Object Access?
Amazon S3 is one of the most popular AWS services that organizations use, as it offers industry-leading scalability, data availability, security, and performance for object storage. S3 is used to store and protect any amount of data for a range of use cases, such as data lakes, websites, mobile applications, backup and restore, archive, enterprise applications, IoT devices, and big data analytics.
One of the frequent use cases of Amazon S3 is storing static media content. It works well together with a CloudFront distribution, especially if the content needs to be delivered around the world. However, there is a common scenario in which S3 objects can still be accessed directly via their S3 URL despite being behind a CloudFront distribution. Some companies consider this a security risk, as the S3 objects should only be reachable through CloudFront.
This kind of security risk can be resolved by using CloudFront’s Origin Access Control (OAC). It is a feature that secures S3 origins by permitting only designated CloudFront distributions to access the S3 bucket.
For this article, we will demonstrate how to implement OAC to prevent directly accessing Amazon S3 URLs.
Let’s get started.
So we have an existing S3 bucket named tutorialsdojo-oac-s3-bucket with public read access. As you can see, the bucket is flagged as Publicly accessible.
Hence, the object tutorialsdojo-logo-blue.png can be accessed directly via its S3 URL.
We do not want the S3 URL to be accessible directly. Therefore we will prevent this by creating an Origin Access Control (OAC).
Step 1. Creating an Origin Access Control (OAC) in CloudFront
- In the AWS Management Console, go to CloudFront
- Under Security, click Origin access
- Click Create control setting
- Enter a Name (tutorialsdojo-oac-s3 for this example)
- Under Signing behavior, choose Sign requests (recommended)
- Make sure the Origin type is S3
- Click Create when done
This will create the OAC.
Now it’s time to create the distribution.
Step 2. Creating the CloudFront Distribution
- In CloudFront, go to Distributions
- Click Create distribution
- Under Origin domain, make sure to choose the target S3 bucket (for this example tutorialsdojo-oac-s3-bucket)
- In Origin access, choose Origin access control settings (recommended)
- Under Origin access control, choose the OAC we created in Step 1 (tutorialsdojo-oac-s3)
- Leave the remaining settings at their defaults, then scroll down
- Click Create distribution
This will create the distribution.
The next step is to update the bucket policy of the target S3 bucket.
Click Copy policy. I’ve also provided the bucket policy template that allows read access to the CloudFront OAC.
Make sure to replace:
- <S3 bucket name>
- <AWS account ID>
- <CloudFront distribution ID>
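As an added example (not code from the original article), the following builds the OAC bucket policy from the three placeholders above and includes a small check that flags any bucket policy statement that would still let anyone, or any CloudFront distribution in any account, read the bucket. The account ID "111122223333" and distribution ID "EXAMPLEDISTID" are placeholders.

```python
import json

CLOUDFRONT_SERVICE = "cloudfront.amazonaws.com"


def oac_bucket_policy(bucket, account_id, distribution_id):
    """Bucket policy granting s3:GetObject only to one CloudFront distribution via OAC."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowCloudFrontServicePrincipalReadOnly",
            "Effect": "Allow",
            "Principal": {"Service": CLOUDFRONT_SERVICE},
            "Action": "s3:GetObject",
            "Resource": f"arn:aws:s3:::{bucket}/*",
            # AWS:SourceArn pins the grant to one distribution in one account;
            # without it, any CloudFront distribution anywhere could read the bucket
            "Condition": {"StringEquals": {
                "AWS:SourceArn": f"arn:aws:cloudfront::{account_id}:distribution/{distribution_id}"
            }},
        }],
    }


def open_statements(policy):
    """Return the Sid (or index) of each Allow statement that is public, or that grants the
    CloudFront service principal without a SourceArn condition. Other principals are not checked."""
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a lone statement may be written without the list
        statements = [statements]
    flagged = []
    for i, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        is_public = principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*")
        is_cloudfront = isinstance(principal, dict) and principal.get("Service") == CLOUDFRONT_SERVICE
        # IAM condition keys are case-insensitive, so compare lower-cased
        equals = stmt.get("Condition", {}).get("StringEquals", {})
        pinned = any(key.lower() == "aws:sourcearn" for key in equals)
        if is_public or (is_cloudfront and not pinned):
            flagged.append(stmt.get("Sid", i))
    return flagged


if __name__ == "__main__":
    # "111122223333" and "EXAMPLEDISTID" are placeholders: use your own account ID
    # and the ID of the distribution created in Step 2 instead
    policy = oac_bucket_policy("tutorialsdojo-oac-s3-bucket", "111122223333", "EXAMPLEDISTID")
    print(json.dumps(policy, indent=2))
    print("open statements:", open_statements(policy))  # -> []
```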
Step 3. Updating the S3 Bucket Policy to complete the CloudFront OAC setup
- Go to the target S3 bucket (tutorialsdojo-oac-s3-bucket) > Permissions
- Under Bucket policy, click Edit
- Replace the bucket policy with the one we copied in Step 2. This policy will allow the OAC read access to the bucket
- Click Save changes
As you can see, the Publicly accessible flag is now gone from the S3 bucket.
Now it’s time to test whether the S3 object can be accessed via the CloudFront distribution.
- Go to CloudFront > Distributions
- Find the distribution created in Step 2
- Copy the Domain name
- Open a browser
- Paste the Domain name, then append the S3 object name
For this example: d2ayw4ao397dvu.cloudfront.net/tutorialsdojo-logo-blue.png
As you can see, the S3 object can be accessed via CloudFront.
Now let’s try via the S3 URL.
For this example: tutorialsdojo-oac-s3-bucket.s3.ap-southeast-1.amazonaws.com/tutorialsdojo-logo-blue.png
As expected, the S3 object cannot be accessed directly via the S3 URL.
The setup is complete. Because the bucket policy now grants read access only to the CloudFront service principal for this distribution, the S3 objects can only be accessed via CloudFront.
So you might be wondering: CloudFront already has Origin Access Identity (OAI), which offers a similar feature of restricting S3 access to only CloudFront. What’s the difference between OAC and OAI?
Origin Access Control (OAC) improves upon Origin Access Identity (OAI) by strengthening security and deepening feature integrations. Origin Access Control provides a stronger security posture with short-term credentials and more frequent credential rotations than Origin Access Identity. With Origin Access Control, customers can create granular policy configurations through resource-based policies, which provides better protection against confused deputy attacks. Customers can use Origin Access Control to fetch and put data into S3 origins in regions that require SigV4. In addition, Origin Access Control allows customers to use SSE-KMS with their S3 origins, which was not possible using Origin Access Identity.