Hello.
Use a REST API endpoint as the origin, and restrict access with an origin access control (OAC) or origin access identity (OAI). Note: It's a best practice to use origin access control (OAC) to restrict access. Origin access identity (OAI) is a legacy method for this process.
I would choose 1.
The reason is that REST API endpoints, unlike website endpoints, can use SSL connections, so secure connections can be made.
https://docs.aws.amazon.com/AmazonS3/latest/userguide/WebsiteEndpoints.html#WebsiteRestEndpointDiff
Additionally, by using OAC, it is possible to configure S3 bucket policies to block connections other than those via CloudFront.
Restrictions via CloudFront can also be done using the Referer header, but this has the disadvantage that anyone can access it if the header value is leaked.
Therefore, I think that control using OAC is better.
https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-restricting-access-to-s3.html
Static website hosting on S3 exposes your website over HTTP.
Additionally, you need to set the domain to be the same as the bucket name, and it is not as scalable as using CloudFront.
https://docs.aws.amazon.com/AmazonS3/latest/userguide/WebsiteEndpoints.html
https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/getting-started-s3.html
Even if static website hosting is enabled on the S3 bucket, OAC is still the more secure option.
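The OAC-restricted bucket policy the answer above refers to, beside the Referer-header variant it warns against, as an added example that is not part of the original post or of AWS's own documentation. Both policies are constructed samples; the bucket name example-bucket, account ID 111122223333 and distribution ID E1EXAMPLE are placeholders. The audit function is likewise an assumed helper for checking a policy against the CloudFront-only pattern, not an AWS API.

```python
"""Audit an S3 bucket policy for the CloudFront-only (OAC) pattern.

Added example, not part of the original post. Bucket name, account ID and
distribution ID are placeholders; the two policies are constructed samples.
"""
import json

# Constructed sample: the Referer-header approach. Principal "*" means any
# client on the internet; the only gate is a header value the client chooses,
# so anyone who learns the value can read the bucket directly.
REFERER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowAnyoneWithSecretReferer",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-bucket/*",
        "Condition": {"StringLike": {"aws:Referer": "secret-value-1234"}},
    }],
}

# Constructed sample: the OAC pattern. Only the CloudFront service principal
# may read, and only when the request is signed on behalf of one specific
# distribution (AWS:SourceArn). Direct S3 requests have no matching principal.
OAC_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowCloudFrontServicePrincipalReadOnly",
        "Effect": "Allow",
        "Principal": {"Service": "cloudfront.amazonaws.com"},
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-bucket/*",
        "Condition": {"StringEquals": {
            "AWS:SourceArn": "arn:aws:cloudfront::111122223333:distribution/E1EXAMPLE"
        }},
    }],
}


def _as_list(x):
    """IAM allows a single statement or a list; normalise to a list."""
    return x if isinstance(x, list) else [x]


def audit_policy(policy):
    """Return a list of findings; an empty list means every Allow statement
    follows the CloudFront-service-principal + AWS:SourceArn pattern."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only tighten access; not audited here
        sid = stmt.get("Sid", "<no Sid>")
        principal = stmt.get("Principal")
        cond = stmt.get("Condition", {})
        # Condition keys are case-insensitive in IAM; compare lower-cased.
        cond_keys = {k.lower() for op in cond.values() for k in op}

        if principal == "*" or principal == {"AWS": "*"}:
            findings.append(f"{sid}: anonymous principal '*'")
            if "aws:referer" in cond_keys:
                findings.append(
                    f"{sid}: access gated only by aws:Referer, "
                    "a shared secret any client can send"
                )
        elif isinstance(principal, dict) and principal.get("Service") == "cloudfront.amazonaws.com":
            if "aws:sourcearn" not in cond_keys:
                findings.append(
                    f"{sid}: CloudFront service principal without AWS:SourceArn; "
                    "a distribution in any AWS account could use this bucket as origin"
                )
        else:
            findings.append(f"{sid}: unexpected principal {json.dumps(principal)}")
    return findings


if __name__ == "__main__":
    for name, pol in (("Referer policy", REFERER_POLICY), ("OAC policy", OAC_POLICY)):
        print(name, "->", audit_policy(pol) or "OK")
```

To apply the OAC policy, write OAC_POLICY to a file and run `aws s3api put-bucket-policy --bucket example-bucket --policy file://policy.json`, and keep S3 Block Public Access enabled on the bucket so that a later edit cannot reintroduce a `"Principal": "*"` statement unnoticed. The AWS:SourceArn condition is what pins the bucket to one distribution; without it any CloudFront distribution with OAC, in any account, could front the bucket.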
Yeah, after digging through, it seems to be the best option. My point is: why DOES the console RECOMMEND and one-click steer you to the website endpoint? When it is displayed like this, it makes the user assume this is the BEST choice, whereas technically it is not. Having a CF distro in front of S3 should always default to the bucket not being accessible directly. OAC should be the recommended option.
My Q was: am I missing something in my understanding, and does the website endpoint offer something EXTRA that I am not aware of, and hence AWS recommends it?
It may be recommended in the management console because you have enabled static website hosting here. My UI does not recommend using website endpoints.
I encourage you to provide feedback on the UI.