How do I use my CloudFront distribution to restrict access to an Amazon S3 bucket?

4 minute read

I want to restrict access to my Amazon Simple Storage Service (Amazon S3) bucket so that users access objects only through my Amazon CloudFront distribution.

Resolution

Important: Before you begin, be sure that the Amazon S3 origin of your CloudFront distribution is configured as a REST API endpoint. For example, AWSDOC-EXAMPLE-BUCKET.s3.amazonaws.com. This resolution doesn't apply to S3 origins that are configured as a website endpoint. For example, AWSDOC-EXAMPLE-BUCKET.s3-website-us-east-1.amazonaws.com. For more information, see How do I use CloudFront to serve a static website hosted on Amazon S3?

Option 1 (Best practice): Create a CloudFront origin access control (OAC)

  1. Open the CloudFront console.
  2. From the list of distributions, choose the distribution that serves content from the S3 bucket that you want to restrict access to.
  3. Choose the Origins tab.
  4. Select the S3 origin, and then choose Edit.
  5. For Origin Access, select Origin access control settings (recommended).
  6. For Origin access control, select an existing OAC, or choose the Create Control setting.
  7. In the dialog box, name your control setting. It's a best practice to keep the default setting as Sign requests (recommended). Then, choose Create.
  8. For S3 bucket Access, apply the bucket policy on the S3 bucket. Select Copy policy, and then select Save.
  9. Select Go to S3 bucket permissions to take you to the S3 bucket console.
  10. Select Save Changes.
  11. In the Amazon S3 console, from your list of buckets, choose the bucket that's the origin of the CloudFront distribution.
  12. Choose the Permissions tab.
  13. Under Bucket Policy, confirm that you see a statement similar to the following:
{
    "Version": "2012-10-17",
    "Statement": {
        "Sid": "AllowCloudFrontServicePrincipalReadOnly",
        "Effect": "Allow",
        "Principal": {
            "Service": "cloudfront.amazonaws.com"
        },
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*",
        "Condition": {
            "StringEquals": {
                "AWS:SourceArn": "arn:aws:cloudfront::111122223333:distribution/EDFDVBD6EXAMPLE"
            }
        }
    }
}

You must add the preceding statement to allow CloudFront OAC to read objects from your bucket.

Note: After you restrict access to your bucket using the CloudFront OAC, you have the option to add another layer of security by integrating AWS WAF.

Option 2: Create a legacy CloudFront origin access identity (OAI)

  1. Open the CloudFront console.
  2. From the list of distributions, choose the distribution that serves content from the S3 bucket that you want to restrict access to.
  3. Choose the Origins tab.
  4. Select the S3 origin, and then choose Edit.
  5. For Origin Access, select Legacy access identities.
  6. In the Origin access identity dropdown list, select the origin access identity name, or choose Create new OAI.
  7. In the dialog box, name your new origin access identity, and choose Create.
  8. For Bucket policy, select Yes, update the bucket policy.
  9. Choose Save Changes.
  10. In the Amazon S3 console, from your list of buckets, choose the bucket that's the origin of the CloudFront distribution.
  11. Choose the Permissions tab.
  12. Under Bucket Policy, confirm that you see a statement similar to the following:
{
    "Sid": "1",
    "Effect": "Allow",
    "Principal": {
        "AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity EAF5XXXXXXXXX"
    },
    "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::AWSDOC-EXAMPLE-BUCKET/*"
}

Note: Review your bucket policy for any statements with "Effect": "Deny" that prevent access to the bucket from the CloudFront OAI. Modify those statements so that the CloudFront OAI can access objects in the bucket.

Also, review your bucket policy for any statements with "Effect": "Allow" that allow access to the bucket from any source that's not the CloudFront OAI. Modify those statements as required by your use case.
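The bucket-policy review described in the notes above can be scripted. The following is an added example, not code from the article or from AWS: it parses a bucket policy document, confirms that the Option 1 OAC statement (CloudFront service principal scoped to your distribution ARN) is present, and lists every other Allow statement and every Deny statement for manual review. The sample policy and the `audit_bucket_policy` function are constructed for this example; the distribution and bucket names are the article's placeholders. A legacy OAI statement (Option 2) is not matched as the OAC statement and is therefore listed under the Allow statements to review.

```python
import json

# Constructed sample bucket policy (not from the article): the article's OAC
# statement plus a leftover public-read statement that the audit should flag.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowCloudFrontServicePrincipalReadOnly",
            "Effect": "Allow",
            "Principal": {"Service": "cloudfront.amazonaws.com"},
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*",
            "Condition": {"StringEquals": {"AWS:SourceArn":
                "arn:aws:cloudfront::111122223333:distribution/EDFDVBD6EXAMPLE"}},
        },
        {
            "Sid": "LegacyPublicRead",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*",
        },
    ],
})

def _as_list(value):
    # IAM lets most policy fields be a single value or a list; normalize to a list.
    return value if isinstance(value, list) else [value]

def audit_bucket_policy(policy_json, distribution_arn):
    """Return (oac_ok, other_allow_sids, deny_sids): whether a CloudFront Allow scoped
    to distribution_arn exists, plus the Allow and Deny statements to review by hand."""
    policy = json.loads(policy_json)
    oac_ok, other_allow, denies = False, [], []
    for stmt in _as_list(policy.get("Statement", [])):
        sid = stmt.get("Sid", "<no Sid>")
        if stmt.get("Effect") == "Deny":
            denies.append(sid)  # may block the CloudFront principal; review it
            continue
        principal = stmt.get("Principal")
        services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        # IAM condition keys are case-insensitive, so compare them lowercased.
        equals = {k.lower(): v for k, v in stmt.get("Condition", {}).get("StringEquals", {}).items()}
        if "cloudfront.amazonaws.com" in services and distribution_arn in _as_list(equals.get("aws:sourcearn", [])):
            oac_ok = True
        else:
            other_allow.append(sid)  # grants access from a source other than this OAC
    return oac_ok, other_allow, denies
```

Feed it the output of `aws s3api get-bucket-policy` (the `Policy` field is a JSON string) and your distribution ARN; any Sid returned in the second or third list is a statement to inspect before you consider the bucket restricted to CloudFront.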


Related information

Creating a distribution

Identity and access management in Amazon S3

AWS OFFICIAL
Updated 4 months ago