Closing the loophole between S3 and CloudFront


In our previous post we talked about the loophole: even with CloudFront in front of the bucket, people can still fetch objects directly from the S3 URL, bypassing CloudFront entirely.


To stop direct access to S3 and force users to come in only through the CloudFront endpoint, AWS offers a mechanism called OAI (Origin Access Identity): a special CloudFront principal that the bucket policy trusts, so CloudFront can read objects that nobody else can. (AWS has since introduced Origin Access Control (OAC) as the recommended successor for new distributions; this post covers the original OAI flow.)

The solution looks like this: users reach objects only through the CloudFront distribution, CloudFront authenticates to the bucket as the OAI, and direct requests to the S3 URL are denied.

Let's see how to achieve the above

Step 1: Open the distribution settings

In the CloudFront console, select your distribution.

Step 2: Edit the origin

Under Origins and Origin Groups, select your S3 origin and choose Edit.

Step 3: Set Restrict Bucket Access to Yes, Origin Access Identity to Create a New Identity, and Grant Read Permissions on Bucket to Yes, Update Bucket Policy, then choose Yes, Edit.

Result

You can now see that a new OAI has been created (listed under Origin Access Identity in the CloudFront console),

and that this OAI is automatically mapped to your origin in the distribution.

You can also see that the S3 bucket policy has been updated automatically to trust only that OAI:

{
    "Version": "2008-10-17",
    "Id": "PolicyForCloudFrontPrivateContent",
    "Statement": [
        {
            "Sid": "1",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity EJYAJYJ58MABE"
            },
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::tp123456/*"
        }
    ]
}

Fun fact 😀: the objects in S3 do not need to be public, yet they can still be fetched via CloudFront. In fact they must not be public: the OAI policy only adds permission for CloudFront, so a public-read object ACL or a public bucket policy would leave the direct S3 URL open anyway (turning on S3 Block Public Access is the easy guard). Also note that the generated policy grants only s3:GetObject and not s3:ListBucket, so a request for a missing key comes back through CloudFront as 403 rather than 404.
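As an added example (not part of the original post), here is the same lockdown done with the AWS CLI, plus a check that the loophole is really closed. It assumes AWS CLI v2 is configured, the bucket already exists, and the OAI has already been set on the distribution's S3 origin (as in Step 3 above). The bucket name, OAI id, CloudFront domain and object key are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: OAI lockdown of an S3 origin
# with the AWS CLI, followed by a check that direct access is now refused.
# Assumptions: AWS CLI v2 configured; bucket exists; the distribution's
# S3 origin already points at the OAI. All names below are placeholders.
set -eu

# Render the bucket policy the console generated above, for a given bucket
# and OAI id. Only s3:GetObject is granted (no ListBucket), so a missing key
# surfaces as 403 rather than 404 when fetched through CloudFront.
build_oai_policy() {
  bucket=$1
  oai_id=$2
  printf '{
  "Version": "2008-10-17",
  "Id": "PolicyForCloudFrontPrivateContent",
  "Statement": [{
    "Sid": "AllowCloudFrontOAIRead",
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity %s"},
    "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::%s/*"
  }]
}
' "$oai_id" "$bucket"
}

# The loophole is closed only when the direct S3 URL is refused (403)
# while the same object is still served through CloudFront (200).
judge_lockdown() {
  direct_status=$1
  cdn_status=$2
  [ "$direct_status" = "403" ] && [ "$cdn_status" = "200" ]
}

# HTTP status code of an anonymous GET, body discarded.
http_status() {
  curl -s -o /dev/null -w '%{http_code}' "$1"
}

# Create an OAI and print its id. Attach it to the origin in the console
# (or via get-distribution-config / update-distribution, not shown here)
# BEFORE running "apply", otherwise CloudFront loses access to the bucket.
create_oai() {
  aws cloudfront create-cloud-front-origin-access-identity \
    --cloud-front-origin-access-identity-config \
      "CallerReference=$(date +%s),Comment=OAI for $1" \
    --query 'CloudFrontOriginAccessIdentity.Id' --output text
}

apply_lockdown() {
  bucket=$1        # e.g. tp123456 (placeholder)
  oai_id=$2        # e.g. EJYAJYJ58MABE (placeholder)
  cdn_domain=$3    # e.g. d111111abcdef8.cloudfront.net (placeholder)
  key=${4:-index.html}

  # Replace the bucket policy with one that admits only the OAI.
  build_oai_policy "$bucket" "$oai_id" > /tmp/oai-policy.json
  aws s3api put-bucket-policy --bucket "$bucket" --policy file:///tmp/oai-policy.json

  # A public-read object ACL would re-open the direct path, so have S3
  # ignore existing public ACLs and refuse new public grants.
  aws s3api put-public-access-block --bucket "$bucket" \
    --public-access-block-configuration \
      BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true

  direct=$(http_status "https://$bucket.s3.amazonaws.com/$key")
  cdn=$(http_status "https://$cdn_domain/$key")
  if judge_lockdown "$direct" "$cdn"; then
    echo "locked down: direct S3 -> $direct, CloudFront -> $cdn"
  else
    echo "NOT locked down: direct S3 -> $direct, CloudFront -> $cdn" >&2
    return 1
  fi
}

# Live AWS calls only run when invoked explicitly:
#   sh oai-lockdown.sh create-oai <bucket>
#   sh oai-lockdown.sh apply <bucket> <oai-id> <cdn-domain> [key]
case "${1:-}" in
  create-oai) create_oai "$2" ;;
  apply) shift; apply_lockdown "$@" ;;
esac
```

Run `create-oai` first, map the printed id onto the S3 origin, then run `apply`; doing it the other way round cuts CloudFront off from the bucket until the mapping exists. The verification fetches a key that must already exist, since both the direct path and the OAI path return 403 for a missing object, which would look like a successful lockdown when it is not.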


Hope you find this useful. Give a 👍 for more posts from us. We also run a YouTube channel, TechPechu, in Tamil (an Indian regional language); do subscribe as moral support! 😀
