By using AWS re:Post, you agree to the Terms of Use

Restrict access to Cloudfront from ABL

0

My customer has an S3 with a Cloudfront in front. It also has their applications on EC2 with an ABL. He is asking me if its possible to restrict the access so only the ABL has access to Cloudfront.
Is that possible?

Edit: modify EKS for EC2

2 Answers
0

Thanks for the reply and yes, you are correct about ABL, I'm referring to ALB. I also made a mistake about the EKS it was an EC2, my bad.
Let me try to explain a little about the infra, sincerely it was already build so I'm working with what already exist.

We have an S3 with information push from another application.
A Cloudfront was added infront of the S3, because it securely deliver content with low latency and high transfer speeds.
There is a separate EC2 with an application running that needs to consume the information from the S3.
Infront of the EC2 there is an ALB.
They are not in the same VPC/Account.

Is it possible to restrict the access of Cloudfront to only accept the communication from ALB?

answered a month ago
  • ALB cannot be used as an outbound proxy. So in your case, based on what you have described, the ALB is the inbound load balancer for traffic coming to your EC2 servers. The EC2 servers in turn access files stored in S3 over Cloudfront. So the access from EC2 to Cloudfront won't be over the ALB. It will be over a NAT Gateway in your VPC to allow outbound internet access.

    If you want to allow access to Cloudfront only from the NAT Gateway, in that case you can use AWS WAF in front of Cloudfront because WAF allows IP based filtering - https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-type-ipset-match.html, using which can either allow or deny traffic from some IP addresses.

    I would still like to avoid this complexity if possible and access S3 directly from the application running on your EC2 machines. It does not matter if S3 is in a different account. As long as the other account is part of your organization and not a third-party account, it should be possible as mentioned here - https://aws.amazon.com/premiumsupport/knowledge-center/cross-account-access-s3/

    In that case, you should be able to use the VPC endpoint from your VPC where your EC2 machines are running to S3, to access s3 using the AWS network and not have to go through the internet over Cloudfront.

0

I am assuming you meant ALB (application load balancer) when you say ABL.

The flow is not very clear. Can you please elaborate with a detailed description of the flow.

Is the idea to allow restricted access to the S3 bucket only to the applications running on EKS? Why is Cloudfront needed in that case? They can use the IAM role for service accounts feature to allow the pods running on EKS to access the S3 bucket - https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html. There is also an example in this Support Knowledge Center article - https://aws.amazon.com/premiumsupport/knowledge-center/eks-restrict-s3-bucket/

You can also configure a VPC endpoint on the VPC in which your PODs are running to ensure that the traffic from your PODS to S3 goes over the Amazon network rather than over the Internet - https://docs.aws.amazon.com/AmazonS3/latest/userguide/privatelink-interface-endpoints.html

Normally Cloudfront is in front of an ALB as Cloudfront helps lower the latency of access for remote clients either by caching static content or by providing a quicker path to the AWS network backbone from a nearby point of presence.

Some details of the application and the flow can help us provide the right guidance.

profile picture
EXPERT
answered a month ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions