Tech Tips

How can I use CloudFront to limit access to an Amazon S3 bucket?

Amazon CloudFront is an Amazon Web Services content delivery network. Content delivery networks (CDNs) are a worldwide distributed network of proxy servers that cache content, such as online videos or other large files, closer to customers, boosting download speeds.

Before you set up the restriction, make sure the CloudFront distribution’s S3 origin is set up as a REST API endpoint (VELAN-.s3.amazonaws.com). The following approach does not apply to S3 origins set up as website endpoints (VELAN-.s3-website-us-east-1.amazonaws.com).

Making a CloudFront ORIGIN ACCESS IDENTITY and putting it in the Distribution 

Let’s have a look at how to build an Amazon CloudFront origin access identity and distribute it:

1. Log in to the CloudFront management console.
2. Select the ID of a distribution that serves content from the S3 bucket that you want to restrict access to from the list of distributions.
3. Select the Origins and Origin Groups tab from the drop-down menu.
4. Select the check box next to the S3 origin, then select Edit.
5. Select Yes for Restrict Bucket Access.
6. Choose to Create a New Identity or Use an Existing Identity for Origin Access Identity (ORIGIN ACCESS IDENTITY).

Choose to Use an Existing Identity if an ORIGIN ACCESS IDENTITY already exists. Then, under the Identities list, select the ORIGIN ACCESS IDENTITY.

Choose to Create a New Identity to create an ORIGIN ACCESS IDENTITY. Then, in the Comment section, replace the bucket name with a custom description.

7. Select Yes, Update Bucket Policy for Grant Read Permissions on Bucket.

Note: This step alters the S3 origin’s bucket policy to allow ORIGIN ACCESS IDENTITY

access to s3:

GetObject

8. Then select Yes, Edit from the drop-down menu.

Examine your bucket policy.

1. Go to the Amazon S3 console and log in.
2. Select the bucket that is the origin of the CloudFront distribution from the list of buckets.
3. Navigate to the Permissions tab.
4. Choose on a bucket policy.
5. Verify that a statement similar to the following is included in the Bucket policy editor:

{

                    “Sid”: “1”,

                    “Effect”: “Allow”,

                    “Principal”: {

                                         “AWS”: “arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity EAF5XXXXXXXXX”

                                         },

                    “Action”: “s3:GetObject”,

                    “Resource”: “arn:aws:s3:::VELAN-/*”

}

When we choose Yes, Update Bucket Policy as part of the ORIGIN ACCESS IDENTITY setup, CloudFront adds this statement to our bucket policy.

6. Check the bucket policy for any sentences that include the word “effect”: “Deny” prohibits the CloudFront ORIGIN ACCESS IDENTITY from accessing the bucket. Change those statements to allow the CloudFront ORIGIN ACCESS IDENTITY to access the bucket’s objects.
7. Check the bucket policy for any “Effect”: “Allow” statements that allow access to the bucket from any source other than the CloudFront ORIGIN ACCESS IDENTITY. We can change those statements to suit our needs.
8. Also, if you’re using object ACLs to govern permissions, double-check that those files aren’t accessible outside of the CloudFront ORIGIN ACCESS IDENTITY by reviewing the object ACLs.We may optionally add another degree of security by using the AWS web application firewall after restricting access to the S3 bucket using the CloudFront ORIGIN ACCESS IDENTITY.

At Velan, our server support engineers can helpto setup the restriction to access S3 buckets through cloudfront. If you are interested in our service, please fill the Quick connect form to get in touch with us.