CloudFront + S3 Static Hosting .. Use Website Endpoint OR REST API with OAC

0

Hi,

Today is my first time configuring a static web site on S3.

  1. I setup a S3 Bucket with Static Hosting enabled, Public Access Enabled, Bucket policy that allows access
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "PublicReadGetObject",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::xxxxxxxx/*"
        }
    ]
}

I tested it and website works.

Now i want to add CloudFront + ACM. So i generate my certificate on ACM and Configure CloudFront

when i am adding the Origin for my bucket it gives the Below Recommendation

This S3 bucket has static web hosting enabled. If you plan to use this distribution as a website, we recommend using the S3 website endpoint rather than the bucket endpoint.

But in my reading and understanding, i want to follow the approach of keeping my bucket private and only allowing access from CF OAC.

What is the different between both approaches ? it seems if i use the website endpoint then i cannot make the S3 bucket private, as people will be able to access it directly without CF too.

I see that there are multiple options

  1. Use a REST API endpoint as the origin, and restrict access with an origin access control (OAC) or origin access identity (OAI) Note: It's a best practice to use origin access control (OAC) to restrict access. Origin access identity (OAI) is a legacy method for this process.
  2. Use a website endpoint as the origin, and allow anonymous (public) access
  3. Use a website endpoint as the origin, and restrict access with a Referer header
  4. Use AWS CloudFormation to deploy a static website endpoint as the origin, and custom domain pointing to CloudFront

Which one is the recommended. it seems to keep the Bucket Private i can use either 1 or 3 ? But still confused as to which the recommended approach

2 Answers
0

Hello.

Use a REST API endpoint as the origin, and restrict access with an origin access control (OAC) or origin access identity (OAI) Note: It's a best practice to use origin access control (OAC) to restrict access. Origin access identity (OAI) is a legacy method for this process.

I would choose 1.
The reason is that Rest API endpoints, unlike website endpoints, can use SSL connections, so secure connections can be made.
https://docs.aws.amazon.com/AmazonS3/latest/userguide/WebsiteEndpoints.html#WebsiteRestEndpointDiff

Additionally, by using OAC, it is possible to configure S3 bucket policies to block connections other than those via CloudFront.
Restrictions via CloudFront can also be done using the Referer header, but this has the disadvantage that anyone can access it if the header value is leaked.
Therefore, I think that control using OAC is better.
https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-restricting-access-to-s3.html

Static website hosting on S3 exposes your website over HTTP.
Additionally, you need to set the domain to be the same as the bucket name, and it is not as scalable as using CloudFront.
https://docs.aws.amazon.com/AmazonS3/latest/userguide/WebsiteEndpoints.html
https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/getting-started-s3.html

profile picture
EXPERT
answered a month ago
  • Yeah after digging through it seems to be the best option. My point why DOES console RECOMMEND and one-click steer you to Website Endpoint. When it is displayed like this makes the user assume this is the BEST choice. whereas technically it is not. Having a CF Distro infront of S3 should always default to bucket not being accessible directly. OAC should be the recommended option

    My Q was am i missing something in my understanding and does the WebSite Endpoint offer something EXTRA that i am not aware of and hence AWS Recommends it

  • I setup a S3 Bucket with Static Hosting enabled, Public Access Enabled, Bucket policy that allows access

    It may be recommended in the management console because you have enabled static website hosting here. My UI does not recommend using website endpoints.

  • I encourage you to provide feedback on the UI.
    a

    a

0

Enter image description here

Even if static website hosting is enabled on S3 Bucket, OAC still is a more secure option...

profile picture
answered a month ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions