Serving website from Cloudfront and S3 without public bucket

amazon-web-services amazon-s3 amazon-cloudfront
6,160

You will want to setup Origin Access Identity. This allows you to keep your bucket private and only allow access thru CloudFront. This is very easy to setup. I have included a link to walk you thru the steps and to help you understand everything. After setting up OAI delete the policy for your S3 bucket. Your S3 bucket is private and only provides access to users thru CloudFront.

Using an Origin Access Identity to Restrict Access to Your Amazon S3 Content

Typically, if you're using an Amazon S3 bucket as the origin for a CloudFront distribution, you grant everyone permission to read the objects in your bucket. This allows anyone to access your objects either through CloudFront or using the Amazon S3 URL. CloudFront doesn't expose Amazon S3 URLs, but your users might have those URLs if your application serves any objects directly from Amazon S3 or if anyone gives out direct links to specific objects in Amazon S3.

Share:
6,160

Related videos on Youtube

Steve
Author by

Steve

Updated on September 18, 2022

Comments

  • Steve
    Steve over 1 year

    When serving a website via CloudFront from an S3 bucket, I would typically apply the following Bucket Policy to allow access to my files:

    {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Allow Public Access to All Objects",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::somewhere.example.com/*"
        }
    ]
}

    But Amazon have recently started showing this message (bold emphasis mine):

    We highly recommend that you never grant any kind of public access to your S3 bucket.

    The AWS documentation is very inconsistent with this advice, suggesting that only write access is an issue. I'm serving a website so obviously I'm quite happy giving public access to the files, particularly since directory listings are still not allowed.

    As of November 2017, what is the recommended way of connecting CloudFront to an S3 bucket, without giving any public access?

    • ceejayoz
      ceejayoz over 6 years
      (That said, if you don't mind folks bypassing CloudFront to get at the files on S3, this is just advice from Amazon. You can safely ignore it if you know what you're doing. In your case, it sounds like that'd be safe.)

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

"Access to Font..has been blocked by CORS policy" on only one file
Is possible to reduce AWS data transfer costs using any other AWS resource?
Cache-Control not working in AWS S3 object Metadata
Redirect with CloudFront but changing URL
Problems with Gzip compression on Amazon CloudFront
AWS S3, CloudFront, web font CORS error
How to store a Cloudfront custom error page in S3?
Forcing CloudFront to pass-through the latest HTML file from S3
Amazon Cloudfront with S3. Access Denied
No Cache-Control Header for files from AWS CloudFront with S3 Origin