S3 Pre-signed URLs vs CloudFront Signed URLs vs Origin Access Identity (OAI) vs Origin Access Control (OAC)


Last updated on August 30, 2023


Comparison: S3 Pre-signed URLs | CloudFront Signed URLs | Origin Access Identity (OAI) | Origin Access Control (OAC)
S3 Pre-signed URLs

  • All S3 buckets and objects are private by default: only the object owner has permission to access them. A pre-signed URL uses the owner’s security credentials to grant others time-limited permission to download or upload a specific object.

  • When creating a pre-signed URL, you (as the owner) provide the following:

    • Your security credentials

    • The S3 bucket name

    • The object key

    • The HTTP method (GET to download the object or PUT to upload an object)

    • The expiration date and time of the URL
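As an added example (not from the original cheat sheet or from AWS), the stdlib Python below re-implements the SigV4 query-string scheme that an SDK's presign call performs from exactly the inputs listed above, paired with a checker that models what S3 does on receipt: the signature is recomputed from the URL's own parameters, so editing the key, date or expiry invalidates it. Bucket name, object key and credentials are constructed placeholders; session tokens and path-style addressing are left out.

```python
import hashlib
import hmac
import urllib.parse
from datetime import datetime, timezone

ACCESS_KEY = "AKIAEXAMPLEKEY000000"  # constructed placeholder, not a real key
SECRET_KEY = "exampleSecretKeyNotReal0000000000000000"  # constructed placeholder

def _signature(secret, method, host, path, query, amz_date, region):
    """SigV4: the canonical request binds method, path, every query parameter and the Host header."""
    canonical = "\n".join([method, path, query, f"host:{host}\n", "host", "UNSIGNED-PAYLOAD"])
    scope = f"{amz_date[:8]}/{region}/s3/aws4_request"
    to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope, hashlib.sha256(canonical.encode()).hexdigest()])
    key = ("AWS4" + secret).encode()
    for part in (amz_date[:8], region, "s3", "aws4_request"):  # derive the per-day signing key
        key = hmac.new(key, part.encode(), hashlib.sha256).digest()
    return hmac.new(key, to_sign.encode(), hashlib.sha256).hexdigest()

def presign_get(bucket, key, expires, now, region="us-east-1"):
    """Build a time-limited GET URL for one object; the holder never needs the secret key."""
    assert 1 <= expires <= 604800, "SigV4 pre-signed URLs can be valid for at most 7 days"
    host = f"{bucket}.s3.{region}.amazonaws.com"
    path = "/" + urllib.parse.quote(key)  # '/' is kept, spaces and other characters are percent-encoded
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    params = {"X-Amz-Algorithm": "AWS4-HMAC-SHA256",
              "X-Amz-Credential": f"{ACCESS_KEY}/{amz_date[:8]}/{region}/s3/aws4_request",
              "X-Amz-Date": amz_date, "X-Amz-Expires": str(expires), "X-Amz-SignedHeaders": "host"}
    query = urllib.parse.urlencode(sorted(params.items()), quote_via=urllib.parse.quote)  # '/' -> %2F
    sig = _signature(SECRET_KEY, "GET", host, path, query, amz_date, region)
    return f"https://{host}{path}?{query}&X-Amz-Signature={sig}"

def check_presigned(url, secret, now):
    """Model S3's side: recompute the signature from the URL's own parameters, then apply the expiry."""
    u = urllib.parse.urlsplit(url)
    q = dict(urllib.parse.parse_qsl(u.query, keep_blank_values=True))
    presented = q.pop("X-Amz-Signature", "")
    query = urllib.parse.urlencode(sorted(q.items()), quote_via=urllib.parse.quote)
    expected = _signature(secret, "GET", u.netloc, u.path, query, q["X-Amz-Date"],
                          q["X-Amz-Credential"].split("/")[2])
    if not hmac.compare_digest(presented, expected):
        return "bad signature"  # any edit to bucket, key, date or expiry ends up here
    issued = datetime.strptime(q["X-Amz-Date"], "%Y%m%dT%H%M%SZ").replace(tzinfo=timezone.utc)
    return "expired" if (now - issued).total_seconds() > int(q["X-Amz-Expires"]) else "ok"

def demo():
    t = datetime(2023, 8, 30, 12, 0, tzinfo=timezone.utc)
    url = presign_get("example-private-bucket", "reports/q3 2023.pdf", 3600, t)
    return (url, check_presigned(url, SECRET_KEY, t),
            check_presigned(url.replace("X-Amz-Expires=3600", "X-Amz-Expires=604800"), SECRET_KEY, t),
            check_presigned(url, SECRET_KEY, datetime(2023, 8, 30, 13, 0, 1, tzinfo=timezone.utc)))
```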
CloudFront Signed URLs

  • You can control user access to your private content in two ways:

    • Restrict access to files in CloudFront edge caches

    • Restrict access to files in your Amazon S3 bucket (unless you’ve configured it as a website endpoint)

  • You can configure CloudFront to require that users access your files using either signed URLs or signed cookies. You then develop your application either to create and distribute signed URLs to authenticated users, or to send Set-Cookie headers that set signed cookies on the viewers for authenticated users.

  • When you create signed URLs or signed cookies to control access to your files, you can specify the following restrictions:

    • An expiration date and time for the URL

    • (Optional) The date and time the URL becomes valid

    • (Optional) The IP address or range of addresses of the computers that can be used to access your content

  • You can use signed URLs or signed cookies for any CloudFront distribution, regardless of whether the origin is an Amazon S3 bucket or an HTTP server.
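An added illustration of the three restrictions above (not part of the original cheat sheet and not AWS code): the Python below builds the policy document that sits behind a CloudFront signed URL, encodes it with CloudFront's query-string variant of base64, and evaluates it the way the edge location would. The distribution URL and key pair id are constructed placeholders, and the RSA-SHA1 signature over the policy bytes, which a real signer produces with the trusted key pair's private key, is assumed to come from elsewhere and is passed in as bytes.

```python
import base64
import ipaddress
import json
from datetime import datetime, timezone

RESOURCE = "https://dexample.cloudfront.net/private/video.mp4"  # constructed distribution URL

def build_policy(resource_url, expires, starts=None, source_ip=None):
    """Policy document for a signed URL; only the expiry is mandatory (that case is the 'canned' policy)."""
    condition = {"DateLessThan": {"AWS:EpochTime": int(expires.timestamp())}}
    if starts is not None:  # optional: the URL is not valid before this time
        condition["DateGreaterThan"] = {"AWS:EpochTime": int(starts.timestamp())}
    if source_ip is not None:  # optional: a single address or CIDR range of permitted viewers
        condition["IpAddress"] = {"AWS:SourceIp": str(ipaddress.ip_network(source_ip, strict=False))}
    statement = {"Resource": resource_url, "Condition": condition}
    return json.dumps({"Statement": [statement]}, separators=(",", ":"))  # CloudFront wants no whitespace

def to_query_safe(raw: bytes) -> str:
    """CloudFront's query-string base64: '+' becomes '-', '=' becomes '_', '/' becomes '~'."""
    return base64.b64encode(raw).decode().replace("+", "-").replace("=", "_").replace("/", "~")

def from_query_safe(text: str) -> bytes:
    return base64.b64decode(text.replace("-", "+").replace("_", "=").replace("~", "/"))

def signed_url(resource_url, policy_json, signature, key_pair_id):
    """Append the custom-policy parameters; 'signature' is the RSA-SHA1 over policy_json, made elsewhere."""
    sep = "&" if "?" in resource_url else "?"
    return (f"{resource_url}{sep}Policy={to_query_safe(policy_json.encode())}"
            f"&Signature={to_query_safe(signature)}&Key-Pair-Id={key_pair_id}")

def policy_permits(policy_json, now, client_ip):
    """Evaluate the policy conditions the way the edge location does before serving the file."""
    cond = json.loads(policy_json)["Statement"][0]["Condition"]
    t = int(now.timestamp())
    if t >= cond["DateLessThan"]["AWS:EpochTime"]:
        return "expired"
    if "DateGreaterThan" in cond and t <= cond["DateGreaterThan"]["AWS:EpochTime"]:
        return "not yet valid"
    if "IpAddress" in cond and ipaddress.ip_address(client_ip) not in ipaddress.ip_network(cond["IpAddress"]["AWS:SourceIp"]):
        return "ip not allowed"
    return "ok"

def demo():
    starts = datetime(2023, 8, 30, 12, 0, tzinfo=timezone.utc)
    expires = datetime(2023, 8, 30, 13, 0, tzinfo=timezone.utc)
    policy = build_policy(RESOURCE, expires, starts, "203.0.113.0/24")
    url = signed_url(RESOURCE, policy, b"constructed-placeholder-not-an-rsa-signature", "APKAEXAMPLEKEYID")
    inside = datetime(2023, 8, 30, 12, 30, tzinfo=timezone.utc)
    return (url, policy, policy_permits(policy, inside, "203.0.113.7"), policy_permits(policy, inside, "198.51.100.7"),
            policy_permits(policy, starts, "203.0.113.7"), policy_permits(policy, expires, "203.0.113.7"))
```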
Origin Access Identity (OAI)

  • You can configure an S3 bucket as the origin of a CloudFront distribution. OAI prevents users from viewing your S3 files by simply using the direct S3 URL for the file; instead, they have to access it through a CloudFront URL.

  • To require that users access your content through CloudFront URLs, you perform the following tasks:

    • Create a special CloudFront user called an origin access identity.

    • Give the origin access identity permission to read the files in your bucket.

    • Remove permission for anyone else to use Amazon S3 URLs to read the files (through bucket policies or ACLs).

  • You cannot use an OAI if your S3 bucket is configured as a website endpoint.
Origin Access Control (OAC)

  • The preferred way (compared with OAI) to restrict access to an Amazon S3 origin.

  • Enables CloudFront customers to secure their Amazon S3 origins by permitting only designated CloudFront distributions to access their Amazon S3 buckets.

  • AWS Signature Version 4 (SigV4) can be enabled on CloudFront requests to Amazon S3 buckets, with settings for whether CloudFront should sign requests at all and when a particular request is signed.

  • Server-side encryption with AWS KMS keys (SSE-KMS) can also be used for uploads and downloads that go through the CloudFront distribution.
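For the OAI tasks listed above and the OAC column, an added example (not from the cheat sheet and not AWS's own code): the two bucket policies side by side, plus a check for the "remove permission for anyone else" step that flags statements still granting anonymous read through direct S3 URLs. The bucket name, OAI id, account id and distribution id are constructed placeholders; with SSE-KMS behind an OAC the KMS key policy also needs a matching grant to the CloudFront service principal, which is not shown here.

```python
import json

BUCKET = "example-private-bucket"  # constructed placeholders, not real identifiers
OAI_ID = "EXAMPLEOAIID"
ACCOUNT_ID = "111122223333"
DISTRIBUTION_ID = "EXAMPLEDISTID"

def oai_bucket_policy(bucket=BUCKET, oai_id=OAI_ID):
    """OAI task 2: only the special CloudFront user may read objects."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "AllowOriginAccessIdentityRead", "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity {oai_id}"},
        "Action": "s3:GetObject", "Resource": f"arn:aws:s3:::{bucket}/*"}]}

def oac_bucket_policy(bucket=BUCKET, account_id=ACCOUNT_ID, distribution_id=DISTRIBUTION_ID):
    """OAC: the CloudFront service principal may read, but only on behalf of one designated distribution."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "AllowCloudFrontServicePrincipalReadOnly", "Effect": "Allow",
        "Principal": {"Service": "cloudfront.amazonaws.com"},
        "Action": "s3:GetObject", "Resource": f"arn:aws:s3:::{bucket}/*",
        "Condition": {"StringEquals": {
            "AWS:SourceArn": f"arn:aws:cloudfront::{account_id}:distribution/{distribution_id}"}}}]}

def anonymous_read_sids(policy):
    """OAI task 3 check: statements that still let anyone read via a direct S3 URL (no principal restriction, no condition)."""
    hits = []
    for st in policy["Statement"]:
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        anyone = st.get("Principal") in ("*", {"AWS": "*"})
        reads = any(a in ("s3:GetObject", "s3:Get*", "s3:*", "*") for a in actions)
        if st.get("Effect") == "Allow" and anyone and reads and not st.get("Condition"):
            hits.append(st.get("Sid", "<no Sid>"))
    return hits

# Constructed example of the kind of statement task 3 removes: a public-read grant on the bucket.
PUBLIC_READ_EXAMPLE = json.loads("""{"Version": "2012-10-17", "Statement": [{
    "Sid": "PublicReadGetObject", "Effect": "Allow", "Principal": "*",
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-private-bucket/*"}]}""")
```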

References:

https://docs.aws.amazon.com/AmazonS3/latest/dev/PresignedUrlUploadObject.html
https://docs.aws.amazon.com/AmazonS3/latest/dev/ShareObjectPreSignedURL.html
https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/PrivateContent.html
https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-restricting-access-to-s3.html

Written by: Jon Bonso

Jon Bonso is the co-founder of Tutorials Dojo, an EdTech startup and an AWS Digital Training Partner that provides high-quality educational materials in the cloud computing space. He graduated from Mapúa Institute of Technology in 2007 with a bachelor's degree in Information Technology. Jon holds 10 AWS Certifications and is also an active AWS Community Builder since 2020.
