Using Origin Access Control (OAC) to Secure S3 Object Access to CloudFront


Last updated on April 26, 2023

What is Amazon S3 Object Access?

Amazon S3 is one of the most popular AWS services organizations use, as it offers industry-leading scalability, data availability, security, and performance for object storage. S3 is used to store and protect any amount of data for a range of use cases, such as data lakes, websites, mobile applications, backup and restore, archive, enterprise applications, IoT devices, and big data analytics.

One of the frequent use cases of Amazon S3 is storing static media content. It works well together with a CloudFront distribution, especially if the content needs to be delivered around the world. However, there is a common scenario wherein S3 objects are still reachable via the S3 URL despite being behind a CloudFront distribution, because the bucket was made publicly readable so that CloudFront could fetch from it. This is a security risk: a direct S3 URL bypasses whatever controls you put on the distribution (WAF rules, geo restrictions, signed URLs or cookies, CloudFront access logs), so S3 objects should only be accessible via CloudFront.

This risk can be resolved by using CloudFront’s Origin Access Control (OAC). It is a feature that secures S3 origins by permitting only designated CloudFront distributions to read from the bucket, so the bucket itself no longer needs to be public.

For this article, we will demonstrate how to implement OAC to prevent directly accessing Amazon S3 URLs.


Let’s get started.

So we have an existing S3 bucket named tutorialsdojo-oac-s3-bucket with public read access. As you can see, the S3 console flags the bucket as Publicly accessible.

Hence, the object tutorialsdojo-logo-blue.png can be accessed directly via S3 URL.

We do not want the object to be reachable via the S3 URL. Therefore we will prevent this by creating an Origin Access Control (OAC).

Step 1. Creating an Origin Access Control (OAC) in CloudFront

  • In the AWS Management Console, go to CloudFront
    Under Security, click Origin access
    Click Create control setting
  • Enter a Name (tutorialsdojo-oac-s3 for this example)
    Under Signing behavior, choose Sign requests (recommended). With this setting CloudFront signs every request to the origin with SigV4, which is what lets the bucket policy grant access to the CloudFront service principal instead of to the public
    Make sure the Origin type is S3
    Click Create when done
  • This will create the OAC
    Now it’s time to create the distribution

Step 2. Creating the CloudFront Distribution

  • In CloudFront, go to Distributions
    Click Create distribution
  • Under Origin domain, make sure to choose the target S3 bucket
    (for this example tutorialsdojo-oac-s3-bucket). Pick the bucket’s REST endpoint from the list; OAC does not work with the S3 static website endpoint
  • In Origin access, choose Origin access control settings (recommended)
    Under Origin access control, choose the OAC created in Step 1 (tutorialsdojo-oac-s3)
  • Leave the remaining settings at their defaults, then scroll down
    Click Create distribution
  • This will create the distribution
    CloudFront will prompt you to update the S3 bucket policy of the target S3 bucket.
    Click Copy policy

    The generated bucket policy allows read access (s3:GetObject) only to the CloudFront service principal, and only for this one distribution. If you write the policy by hand instead of copying it from the console, make sure to replace:
    <S3 bucket name>
    <AWS account ID>
    <CloudFront distribution ID>
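As an added example (not the article’s own template and not AWS code), the following Python builds the same policy that the console’s Copy policy button generates, from the three values the article says to replace, and checks a bucket policy for the two states the article’s screenshots show: the public-read policy the bucket starts with and the OAC-only policy it ends with. It also flags the case the OAC vs OAI comparison later warns about, a CloudFront service principal that is not pinned to a distribution. The bucket name, account ID and distribution ID are placeholders.

```python
"""Build and check the S3 bucket policy that completes a CloudFront OAC setup.

Added example for this tutorial. The bucket name, account ID and distribution
ID used below are placeholders, not real resources.
"""
import json
from typing import Any, Iterator

Policy = dict[str, Any]

# Constructed "before" state: the public-read policy the bucket started with.
PUBLIC_READ_POLICY: Policy = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "PublicReadGetObject", "Effect": "Allow", "Principal": "*",
                   "Action": "s3:GetObject",
                   "Resource": "arn:aws:s3:::tutorialsdojo-oac-s3-bucket/*"}],
}


def oac_bucket_policy(bucket: str, account_id: str, distribution_id: str) -> Policy:
    """Return the policy the console's "Copy policy" button generates for an OAC.

    Only the CloudFront service principal may s3:GetObject, and only when the
    SigV4-signed request comes from this one distribution. The AWS:SourceArn
    condition is what stops a distribution in someone else's account from using
    the bucket as its origin (the confused-deputy case).
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowCloudFrontServicePrincipalReadOnly",
            "Effect": "Allow",
            "Principal": {"Service": "cloudfront.amazonaws.com"},
            "Action": "s3:GetObject",
            "Resource": f"arn:aws:s3:::{bucket}/*",
            "Condition": {"StringEquals": {
                "AWS:SourceArn": f"arn:aws:cloudfront::{account_id}:distribution/{distribution_id}"
            }},
        }],
    }


def _statements(policy: Policy) -> list[dict[str, Any]]:
    stmts = policy.get("Statement", [])
    return stmts if isinstance(stmts, list) else [stmts]


def _principal_is_anyone(principal: Any) -> bool:
    """'*' or {"AWS": "*"} means anonymous access."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def is_public(policy: Policy) -> bool:
    """True when an Allow statement grants to everyone with no Condition.

    This is the shape that makes the S3 console label a bucket Publicly accessible.
    """
    return any(s.get("Effect") == "Allow" and _principal_is_anyone(s.get("Principal"))
               and not s.get("Condition") for s in _statements(policy))


def _cloudfront_allows(policy: Policy) -> Iterator[dict[str, Any]]:
    for s in _statements(policy):
        p = s.get("Principal")
        if s.get("Effect") == "Allow" and isinstance(p, dict) \
                and p.get("Service") == "cloudfront.amazonaws.com":
            yield s


def allowed_distributions(policy: Policy) -> set[str]:
    """Distribution ARNs the CloudFront service principal is pinned to."""
    arns = set()
    for s in _cloudfront_allows(policy):
        arn = s.get("Condition", {}).get("StringEquals", {}).get("AWS:SourceArn")
        if arn:
            arns.add(arn)
    return arns


def confused_deputy_risk(policy: Policy) -> bool:
    """True if CloudFront is allowed without a SourceArn/SourceAccount condition.

    Such a statement lets any distribution, in any AWS account, read the bucket.
    """
    for s in _cloudfront_allows(policy):
        cond = s.get("Condition", {}).get("StringEquals", {})
        if not (cond.get("AWS:SourceArn") or cond.get("AWS:SourceAccount")):
            return True
    return False


if __name__ == "__main__":
    policy = oac_bucket_policy("tutorialsdojo-oac-s3-bucket", "111122223333", "E1EXAMPLE")
    print(json.dumps(policy, indent=4))
    print("before: public =", is_public(PUBLIC_READ_POLICY))
    print("after:  public =", is_public(policy), "allowed =", allowed_distributions(policy))
```

The checker is deliberately narrow: it recognises the two policy shapes this tutorial deals with, not every way a bucket can become public (object ACLs and cross-account IAM grants are outside what a bucket policy can tell you).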

 

Step 3. Updating S3 Bucket Policy to complete the CloudFront OAC setup

  • Go to the target S3 bucket (tutorialsdojo-oac-s3-bucket) > Permissions
    Under Bucket policy, click Edit
  • Replace the bucket policy with the one copied in Step 2
    This policy allows the OAC read access to the bucket and drops the public-read statement
    Click Save changes
  • As you can see, the Publicly accessible label is now gone from the S3 bucket
    The label disappears because the public-read statement was removed from the bucket policy. If objects were also made public through object ACLs, they stay public until those ACLs are removed, so it is worth turning on Block Public Access for the bucket as well; the OAC policy is not a public policy and keeps working with it enabled
  • Now it’s time to test whether the S3 object can be accessed via the CloudFront distribution
    Go to CloudFront > Distributions
    Find the distribution created in Step 2
    Copy the Domain name
  • Open a browser
    Paste the Domain name, then append the S3 object name
    For this example d2ayw4ao397dvu.cloudfront.net/tutorialsdojo-logo-blue.png
    As you can see, the S3 object can be accessed via CloudFront
  • Now let’s try via the S3 URL
    For this example tutorialsdojo-oac-s3-bucket.s3.ap-southeast-1.amazonaws.com/tutorialsdojo-logo-blue.png
    As expected, the S3 object cannot be accessed directly via the S3 URL; S3 answers with 403 Access Denied

The setup is complete. The S3 objects can now only be reached through the CloudFront distribution, as long as nothing else (another bucket policy statement or public object ACLs) makes them public. IAM principals in the account that hold s3:GetObject on the bucket can of course still read it directly; OAC closes the anonymous path, not the authenticated one.

So you might be wondering: CloudFront already has Origin Access Identity (OAI), which offers a similar way of restricting S3 access to CloudFront only. What’s the difference between OAC and OAI?

Origin Access Control (OAC) improves upon Origin Access Identity (OAI) by strengthening security and deepening feature integrations. OAC provides a stronger security posture with short-term credentials and more frequent credential rotation than OAI, which authenticates as a long-lived CloudFront canonical user. With OAC, the bucket grants access to the CloudFront service principal through a resource-based policy whose AWS:SourceArn condition pins it to one distribution, which provides better protection against confused deputy attacks (with OAI, any distribution that uses the same identity can read the bucket). OAC can fetch from and put data into S3 origins in regions that require SigV4. In addition, OAC allows the use of SSE-KMS with S3 origins, which was not possible with OAI; for that, the KMS key policy must also allow cloudfront.amazonaws.com to perform kms:Decrypt, pinned to the same distribution ARN with the same AWS:SourceArn condition.


Written by: Amiel Palacol

Amiel is a Solutions Architect based in the Philippines. He has a solid hands-on experience in Amazon Web Services (AWS) and loves broadening his technical horizons in the cloud. An AWS Community Builder who currently holds 6 AWS Certifications. He is also Microsoft and Oracle certified. Outside tech, he loves coffee, games, and music.
