Closing the loophole between S3 and Cloudfront

Subscribe to my newsletter and never miss my upcoming articles

In our previous post we talked about the loophole that people till can access S3 directly


In order to stop direct access to S3 and to force users to come only via Cloudfront endpoint, AWS offers the solution called OAI (Origin Access Identity)

The Solution looks something like below


Let's see how to achieve the above

Step 1: Edite Distribution settings


Step 2: Edite Distribution settings

Under Origin and Groups edit your origin


Step3: Modify below and choose Yes Edit



Now you could see new OAI been created


and that OAI is auto mapped to your origin in distribution


You can also see the bucket policy of S3 is autoupdated

    "Version": "2008-10-17",
    "Id": "PolicyForCloudFrontPrivateContent",
    "Statement": [
            "Sid": "1",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity EJYAJYJ58MABE"
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::tp123456/*"

Fun fact 😀 : The object in S3 need not to be set as public, still, it can be accessed via Cloudfront

Hope you find this useful. Give 👍 for more posts from us. We also run a youtube channel TechPechu in Tamil( Indian regional Language) do subscribe as moral support! 😀

No Comments Yet