Use a REST API endpoint as an S3 origin, and restrict access with an OAC

0

I am unable to follow the directions for securing access to an S3 bucket used for an existing website for the option Use a REST API endpoint as the origin, and restrict access with an OAC. The instructions assume that a CloudFront distribution does not exist. However, a CloudFront distribution already exists, and I cannot find the menu items described in the instructions. I have found several other, similar instructions (for example, this), but it seems the UI frequently changes, so instructions become out-of-date quickly.

Can someone provide me up-to-date, detailed instructions for modifying the S3 bucket and the CloudFront distribution? I would be happy using the console or the CLI.

asked a month ago · 52 views
3 Answers
0

To modify an existing CloudFront distribution to use a REST API endpoint as an S3 origin and restrict access with an Origin Access Control (OAC), you'll need to update both the S3 bucket policy and the CloudFront distribution settings. Here are the steps to accomplish this using the AWS Management Console:

  1. Update the S3 bucket policy:

    • Go to the S3 console and select your bucket
    • Navigate to the "Permissions" tab
    • Edit the bucket policy to allow access from CloudFront. Add a statement similar to this:

    ```json
    {
        "Version": "2012-10-17",
        "Statement": {
            "Sid": "AllowCloudFrontServicePrincipalReadOnly",
            "Effect": "Allow",
            "Principal": {
                "Service": "cloudfront.amazonaws.com"
            },
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::your-bucket-name/*",
            "Condition": {
                "StringEquals": {
                    "AWS:SourceArn": "arn:aws:cloudfront::your-account-id:distribution/your-distribution-id"
                }
            }
        }
    }
    ```

    Replace "your-bucket-name", "your-account-id", and "your-distribution-id" with your actual values.

  2. Create an Origin Access Control (OAC):

    • Go to the CloudFront console
    • In the left navigation pane, choose "Origin access"
    • Click "Create origin access control"
    • Give it a name and description
    • For "Sign requests", choose "Sign requests (recommended)"
    • Click "Create"
  3. Update the CloudFront distribution:

    • In the CloudFront console, select your existing distribution
    • Go to the "Origins" tab
    • Select the S3 origin and click "Edit"
    • For "Origin domain", enter the REST API endpoint of your S3 bucket (e.g., your-bucket-name.s3.amazonaws.com)
    • For "S3 bucket access", select "Origin access control settings (recommended)"
    • Choose the OAC you created in step 2
    • Update any other settings as needed
    • Click "Save changes"
  4. Review and deploy the changes:

    • After saving the changes, CloudFront will create a distribution configuration
    • Review the changes and click "Deploy changes"

These steps should update your existing CloudFront distribution to use the S3 REST API endpoint as the origin and restrict access using OAC. Remember to replace placeholder values with your actual bucket and distribution details. Also, ensure that the "Block all public access" setting is enabled on your S3 bucket for added security.

If you prefer using the AWS CLI, you can use the update-distribution command to modify the CloudFront distribution and the put-bucket-policy command to update the S3 bucket policy. However, the console method described above is often easier for making these specific changes.
Sources
Restrict access to an Amazon Simple Storage Service origin - Amazon CloudFront
Amazon S3 origins with CloudFront - Secure Content Delivery with Amazon CloudFront
Cloudfront OAC S3: Public Reads & Only Signed Secure Writes | AWS re:Post

answered a month ago
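The CLI route mentioned at the end of this answer, as an added example that is not from the answer or from AWS: it builds the two JSON documents you hand to `aws s3api put-bucket-policy` and `aws cloudfront update-distribution` from a constructed distribution config. Bucket name, region, account id, OAC id and distribution id are placeholders; the regional REST endpoint is used because an OAC cannot be attached to an S3 website endpoint.

```python
import json

REGION = "us-east-1"  # assumption: the bucket's region; OAC needs the regional REST endpoint

def rest_endpoint(bucket: str, region: str = REGION) -> str:
    """REST API endpoint of the bucket (not the s3-website endpoint, which cannot use an OAC)."""
    return f"{bucket}.s3.{region}.amazonaws.com"

def bucket_policy(bucket: str, account_id: str, distribution_id: str) -> dict:
    """Policy for `aws s3api put-bucket-policy`: only this distribution's OAC may read objects."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowCloudFrontServicePrincipalReadOnly",
            "Effect": "Allow",
            "Principal": {"Service": "cloudfront.amazonaws.com"},
            "Action": "s3:GetObject",
            "Resource": f"arn:aws:s3:::{bucket}/*",
            "Condition": {"StringEquals": {
                "AWS:SourceArn": f"arn:aws:cloudfront::{account_id}:distribution/{distribution_id}"}},
        }],
    }

def attach_oac(config: dict, origin_id: str, bucket: str, oac_id: str, region: str = REGION) -> dict:
    """Rewrite one origin of a DistributionConfig (from get-distribution-config) to use an OAC.
    Raises KeyError if the origin id is wrong, so a typo never leaves the origin silently unchanged."""
    for origin in config["Origins"]["Items"]:
        if origin["Id"] == origin_id:
            origin["DomainName"] = rest_endpoint(bucket, region)
            origin["OriginAccessControlId"] = oac_id
            # OAC supersedes the legacy OAI; the field must exist but be empty.
            origin["S3OriginConfig"] = {"OriginAccessIdentity": ""}
            # A website-endpoint origin is a custom origin; drop that block so this is an S3 origin.
            origin.pop("CustomOriginConfig", None)
            return config
    raise KeyError(f"origin {origin_id!r} not found in distribution config")

def sample_config() -> dict:
    """Constructed stand-in for the DistributionConfig of an existing website distribution."""
    return {"CallerReference": "example", "Origins": {"Quantity": 1, "Items": [{
        "Id": "site-origin",
        "DomainName": "example-bucket.s3-website-us-east-1.amazonaws.com",
        "CustomOriginConfig": {"HTTPPort": 80, "HTTPSPort": 443, "OriginProtocolPolicy": "http-only"},
    }]}}

if __name__ == "__main__":
    print(json.dumps(bucket_policy("example-bucket", "123456789012", "E2EXAMPLEDIST"), indent=2))
    cfg = attach_oac(sample_config(), "site-origin", "example-bucket", "E1EXAMPLEOAC")
    print(json.dumps(cfg, indent=2))  # pass to update-distribution together with --if-match <ETag>
```

Write the printed documents to files and pass them with `--policy file://` and `--distribution-config file://`; the ETag for `--if-match` comes from the same `get-distribution-config` call that produced the config.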
0

The AI-generated help pointed me to https://repost.aws/questions/QUYjdDNyzFSBS1oxjG2hEuog/use-a-rest-api-endpoint-as-an-s3-origin-and-restrict-access-with-an-oac

Unfortunately, this help page has a similar problem as all the others. In this case, step 3 ("Update the CloudFront distribution") references the menu item "S3 bucket access" which is not visible. Therefore, I am unable to locate "Origin access control settings (recommended)" and cannot make that selection.

answered a month ago
0

Hi mslinn,

I believe the generated answer is referring to this screen. Within the CloudFront distribution, you'll create a new OAC with the Origin type set to S3.

(screenshot: CloudFront OAC)

AWS EXPERT
answered a month ago
