Restrict Cloudfront Distribution domain name


Hello, I need to restrict the CloudFront distribution domain name from public access and leave only the Alternate Domain Names. How can I do that?

bgbs · asked a year ago · 2465 views
1 Answer

If you want to prevent access to your content using the CloudFront domain name and only allow access using the Alternate Domain Names (CNAMEs), you can set up your distribution to use an "Origin Access Identity". This is a special CloudFront user that you can associate with your distribution and then give it permissions on your S3 bucket, effectively restricting direct S3 access. You must also set up a bucket policy that only allows this Origin Access Identity.

However, note that this will prevent direct S3 access, not specifically CloudFront domain access. CloudFront does not provide built-in functionality to restrict access based on the domain used to access the distribution.

Here's the general process:

  1. In the AWS Management Console, go to the CloudFront page and open your distribution.
  2. In the Origins and Origin Groups tab, choose the origin for which you want to restrict access.
  3. For Restrict Bucket Access, choose Yes. This tells CloudFront to use an origin access identity (OAI) to access your bucket.
  4. For Origin Access Identity, choose either Create a New Identity (and provide the comment) or Use an Existing Identity.
  5. For Grant Read Permissions on Bucket, choose Yes, Update Bucket Policy. This allows CloudFront to update your bucket policy for you with the correct permissions.

If you want to restrict access to the CloudFront URL and only allow access through your specific domain, you might need to take a different approach. It would be more related to DNS and Web Application Firewall (WAF) configuration, and AWS does not provide an out-of-the-box solution. Here are some suggestions:

  1. Route53 and WAF: Create a Route53 record that points your domain to the CloudFront distribution. Then, use AWS WAF with your CloudFront distribution to filter incoming requests based on the HTTP referer header. However, this solution is not bulletproof, as the referer header can be forged.

  2. Lambda@Edge: You can use Lambda@Edge to write a function that is executed at the CloudFront edge locations. This function can inspect the headers of incoming requests and reject those that do not match your domain.

Please note that these methods are not bulletproof, and they merely add a level of obscurity rather than real security. If your goal is to secure your content, you should consider using signed URLs or signed cookies that provide a more secure access control to your CloudFront content.

EXPERT
answered a year ago
  • Hello, thank you. It is my mistake, I did not say that I use a custom origin (EC2 public DNS). There is Apache on the EC2. At first I tried with the IP of the VPS where the runner is, and when it did not work I got confused. Maybe it would be best if I add a runner on the EC2?

  • Hello Ivan, I would like to do exactly what you indicate, i.e. restrict access to the CloudFront URL and only allow access through my specific domain. Could you kindly point me to an example how to do that with Lambda@Edge? Thank you!
