
How to block the CloudFront root path from public access (S3 bucket fronted by CloudFront)?

0

We're using mTLS for AuthN and as part of that we have a CRL file that must be publicly accessible. We're following this guide and have our CRL file in an S3 bucket fronted by CloudFront.

Our CF URL is something like http://mycrlurl.cloudfront.net/ and the file can be downloaded at http://mycrlurl.cloudfront.net/mycrl

The issue is that http://mycrlurl.cloudfront.net/ is accessible and shows XML for the contents of the S3 bucket, including the S3 bucket name. We would like to block this from public access but I'm unsure how. Our bucket policy to allow CF access looks like this:

        {
            "Effect": "Deny",
            "Principal": {
                "AWS": "*"
            },
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::SOME-S3-BUCKET-NAME-HERE",
                "arn:aws:s3:::SOME-S3-BUCKET-NAME-HERE/*"
            ],
            "Condition": {
                "Bool": {
                    "aws:SecureTransport": "false"
                }
            }
        },
       // ....
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity XXXXXXXX"
            },
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::SOME-S3-BUCKET-NAME-HERE/*"
        }

But we're still able to access the root path URL as well as the CRL path. Is it possible to block the root path from the public?

asked 2 years ago · 569 views
3 Answers
2
Accepted Answer

It's a best practice to point the root URL of the CloudFront distribution to a specific file in your origin (like the S3 bucket) to avoid just the exposure you're seeing. The procedure is explained in this documentation article: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/DefaultRootObject.html

EXPERT
answered 2 years ago
EXPERT
reviewed 2 years ago
  • Thanks! This works. We opted to point the URL to a file that does not exist, which gives us NoSuchKey for the root path.

0

You can try using Lambda@Edge. You can effectively route requests to a specific domain or URL. The blog below is not related to the problem you are trying to solve, but it gives you direction on how to accomplish rerouting.

https://aws.amazon.com/blogs/networking-and-content-delivery/dynamically-route-viewer-requests-to-any-origin-using-lambdaedge/

AWS
EXPERT
answered 2 years ago
0

I'm pleased you found a solution that works, but the behavior you were experiencing shouldn't be happening. To get the XML listing the contents of the bucket, the ListBucket permission must be granted somewhere. CloudFront should return a 403 when a viewer requests the root if there is no ListBucket permission. Is the policy snippet you included above the entire policy? Does the bucket also have any sort of public access enabled? Or are you also using a Bucket ACL?

Even though you have a working solution, it would be worth double-checking the S3 security configuration to make sure there isn't any unintended access.

AWS
EXPERT
answered 2 years ago
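As an added check for the question raised in the answer above (example code, not from this page or from AWS): a small audit of a bucket policy document for Allow statements that grant s3:ListBucket to a public principal, which is what would have to exist somewhere for the root path to return an XML bucket listing. The policy below is constructed; it repeats the asker's two statements and adds a hypothetical third one that would explain the listing.

```python
import json
from fnmatch import fnmatch

# Constructed sample policy: the asker's two statements plus a hypothetical
# third one that grants s3:List* to everyone on the bucket itself.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Deny", "Principal": {"AWS": "*"}, "Action": "s3:*",
         "Resource": ["arn:aws:s3:::SOME-S3-BUCKET-NAME-HERE",
                      "arn:aws:s3:::SOME-S3-BUCKET-NAME-HERE/*"],
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
        {"Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity XXXXXXXX"},
         "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::SOME-S3-BUCKET-NAME-HERE/*"},
        {"Effect": "Allow", "Principal": "*", "Action": ["s3:List*"],
         "Resource": "arn:aws:s3:::SOME-S3-BUCKET-NAME-HERE"},
    ],
})


def _as_list(value):
    # IAM allows a bare string or a list in Principal/Action/Resource.
    return value if isinstance(value, list) else [value]


def is_public_principal(principal):
    """True for Principal "*" or {"AWS": "*"}: anyone, signed or anonymous."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def public_allow_statements(policy_json, action="s3:ListBucket"):
    """Return indexes of Allow statements granting `action` to a public principal.

    Action strings may be wildcards (s3:*, s3:List*), so they are matched as
    case-insensitive glob patterns. Conditional Allows are still reported,
    because a Condition narrows but does not remove public access.
    """
    policy = json.loads(policy_json)
    hits = []
    for idx, stmt in enumerate(_as_list(policy["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue
        if not is_public_principal(stmt.get("Principal")):
            continue
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        if any(fnmatch(action.lower(), pattern) for pattern in actions):
            hits.append(idx)
    return hits
```

Feed it the output of `aws s3api get-bucket-policy`; a non-empty result means the listing is explained by the policy, otherwise look at the bucket ACL and the public access block settings the answer mentions.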
