I want to configure Origin Access Control (OAC) for my Amazon CloudFront distributions that have Amazon Simple Storage Service (Amazon S3) bucket origins. I also want to migrate from Origin Access Identity (OAI) to OAC.
Short description
OAC and OAI are CloudFront security features that help you secure your Amazon S3 bucket origins. Both restrict access to the S3 bucket so that its objects can be reached only through the CloudFront distributions that you configure.
Note: It's a best practice to use OAC instead of OAI. For more information, see Restrict access to an Amazon S3 origin.
Resolution
Create OAC in the CloudFront console
To configure OAC for a CloudFront distribution with an Amazon S3 bucket origin, complete the following steps:
- Open the CloudFront console.
- In the navigation pane, expand Security, and then choose Origin access.
- Choose Create control setting.
- From the Create new OAC form, complete the following:
Enter a Name for the OAC.
(Optional) Enter a Description for the OAC.
For Signing behavior, keep the default setting as Sign requests (recommended).
Choose the Origin type dropdown list, and choose S3.
- Choose Create.
For more information, see Create the origin access control.
Add the OAC to an S3 origin in a distribution
Complete the following steps:
- Open the CloudFront console.
- In the navigation pane, choose Distributions, and then select the distribution with an S3 origin.
- Choose the Origins tab, and then select the origin name that you want to add the OAC to.
- Choose Edit, and then choose Origin access control settings (recommended).
- Choose the Origin access control dropdown list, and then select the OAC that you created in the preceding section.
- Choose Save changes.
Update the S3 bucket policy
To allow the CloudFront distribution to use OAC to access the S3 bucket, update the bucket policy:
- Open the Amazon S3 console.
- In the navigation pane, choose General purpose buckets.
- Choose the S3 bucket, and then choose the Permissions tab.
- In Bucket policy, choose Edit.
- In the Policy edit statement, attach the following policy:
{
    "Version": "2012-10-17",
    "Statement": {
        "Sid": "AllowCloudFrontServicePrincipalReadOnly",
        "Effect": "Allow",
        "Principal": {
            "Service": "cloudfront.amazonaws.com"
        },
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::YOUR_BUCKET_NAME/*",
        "Condition": {
            "StringEquals": {
                "AWS:SourceArn": "arn:aws:cloudfront::YOUR_AWS_ACCOUNT_ID:distribution/YOUR_DISTRIBUTION_ID"
            }
        }
    }
}
Note: Replace YOUR_BUCKET_NAME, YOUR_AWS_ACCOUNT_ID, and YOUR_DISTRIBUTION_ID with your own values. The AWS:SourceArn condition is what limits the grant to this one distribution; without it, any CloudFront distribution could read the bucket.
- Choose Save changes.
(Optional) Migrate OAI to OAC
If you use OAI to restrict access to your S3 bucket origin and want to migrate to OAC, complete the following steps:
- Follow the steps in the Create OAC in the CloudFront console section.
- Open the Amazon S3 console.
- In the navigation pane, choose General purpose buckets.
- Choose the S3 bucket, and then choose the Permissions tab.
- In Bucket policy, choose Edit.
- In the Policy edit statement, attach the following policy, which allows both the new OAC and the existing OAI to read the bucket during the migration:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowCloudFrontServicePrincipalReadOnly",
            "Effect": "Allow",
            "Principal": {
                "Service": "cloudfront.amazonaws.com"
            },
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::YOUR_BUCKET_NAME/*",
            "Condition": {
                "StringEquals": {
                    "AWS:SourceArn": "arn:aws:cloudfront::YOUR_AWS_ACCOUNT_ID:distribution/YOUR_DISTRIBUTION_ID"
                }
            }
        },
        {
            "Sid": "AllowLegacyOAIReadOnly",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity YOUR_ORIGIN_ACCESS_IDENTITY_ID"
            },
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::YOUR_BUCKET_NAME/*"
        }
    ]
}
Note: Replace YOUR_BUCKET_NAME, YOUR_AWS_ACCOUNT_ID, YOUR_DISTRIBUTION_ID, and YOUR_ORIGIN_ACCESS_IDENTITY_ID with your own values.
- Choose Save changes.
- Open the CloudFront console.
- In the navigation pane, choose Distributions, and then select the distribution that you want to attach the OAC to.
- Choose the Origins tab, choose your origin name, and then choose Edit.
- For Origin access, choose Origin access control settings (recommended).
- Choose the Origin access control dropdown list, and then select the OAC that you want to use.
- Choose Save changes.
After the distribution is fully deployed, update the S3 bucket policy again to remove the AllowLegacyOAIReadOnly statement so that only the OAC grant remains.
For more information, see Migrating from origin access identity (OAI) to origin access control (OAC).
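The following is an added example, not code from the article or from AWS: a small audit of the bucket policy shapes shown above (the OAC-only policy and the migration policy). It checks that the cloudfront.amazonaws.com statement is scoped to your distribution with AWS:SourceArn and to the bucket's objects, and reports any legacy OAI statements that still need to be removed after the migration. The bucket, account, distribution and OAI identifiers in the sample policy are constructed placeholders.

```python
import json

CLOUDFRONT_SERVICE = "cloudfront.amazonaws.com"
OAI_PRINCIPAL_PREFIX = "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity "

# Constructed sample: the migration-period policy from the article, with
# placeholder (not real) bucket, account, distribution and OAI identifiers.
MIGRATION_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "AllowCloudFrontServicePrincipalReadOnly", "Effect": "Allow",
     "Principal": {"Service": "cloudfront.amazonaws.com"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*",
     "Condition": {"StringEquals": {"AWS:SourceArn":
       "arn:aws:cloudfront::111122223333:distribution/EXAMPLEDISTID"}}},
    {"Sid": "AllowLegacyOAIReadOnly", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity EXAMPLEOAIID"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}
  ]
}"""

def audit_bucket_policy(policy_json, bucket, distribution_arn):
    """Audit a CloudFront-origin bucket policy. Returns oac_ok (a cloudfront.amazonaws.com
    statement scoped to distribution_arn and this bucket), oai_statements (legacy Sids), issues."""
    statements = json.loads(policy_json)["Statement"]
    if isinstance(statements, dict):  # IAM allows a single statement object
        statements = [statements]
    result = {"oac_ok": False, "oai_statements": [], "issues": []}
    for stmt in statements:
        sid, principal = stmt.get("Sid", "<no Sid>"), stmt.get("Principal")
        if stmt.get("Effect") != "Allow" or not isinstance(principal, dict):
            continue
        if principal.get("Service") == CLOUDFRONT_SERVICE:
            # IAM condition keys are case-insensitive, so normalise before lookup
            cond = stmt.get("Condition", {}).get("StringEquals", {})
            source_arn = {k.lower(): v for k, v in cond.items()}.get("aws:sourcearn")
            if source_arn is None:
                result["issues"].append(f"{sid}: no AWS:SourceArn condition, so any "
                                        "CloudFront distribution in any account could read the bucket")
            elif source_arn != distribution_arn:
                result["issues"].append(f"{sid}: AWS:SourceArn {source_arn} is another distribution")
            elif stmt.get("Resource") != f"arn:aws:s3:::{bucket}/*":
                result["issues"].append(f"{sid}: Resource {stmt.get('Resource')} is not {bucket}/*")
            else:
                result["oac_ok"] = True
        elif str(principal.get("AWS", "")).startswith(OAI_PRINCIPAL_PREFIX):
            result["oai_statements"].append(sid)
    if not result["oac_ok"]:
        result["issues"].append("no OAC statement scoped to this distribution and bucket")
    return result
```

Run it against the policy you actually saved (for example, the output of `aws s3api get-bucket-policy`) and your distribution ARN; a non-empty oai_statements list after the OAC distribution is deployed means the legacy grant is still in place.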
Related information
Restrict access to an Amazon S3 origin
Blocking public access to your Amazon S3 storage