
OAI or not OAI for serving a static website in S3 using CloudFront


I am very confused about leveraging OAI for my static website.

A little background. I have a website that I serve from an S3 bucket and use CloudFront to access it. This website bucket and its CloudFront counterpart are built using a CloudFormation template that I have used for years now (i.e., it's a little dated). The template follows a traditional plan of configuring the website bucket, then configuring CloudFront to point to it (using SSL/TLS, etc. for HTTPS). This all works fine. However, I have recently been looking at ways to enhance security, and came across OAI as a way to stop having to make the S3 bucket public.

According to the AWS documentation entitled "Restricting access to Amazon S3 content by using an origin access identity (OAI)", I should not use OAI for my static website in S3. But, according to "Use an Amazon CloudFront distribution to serve a static website", I should set it up.

Am I missing something in translation? I would very much like to restrict access to my website served from S3 to my CloudFront distribution. Which is the proper way to do this?

2 Answers

Yes, best practice is to use OAI with CloudFront with the origin being the S3 static website bucket. If you are using the CloudFront Distribution API, you must disable S3 bucket > Properties > Static Website Hosting, and configure the CloudFront default root object (e.g. index.html) to make it work.

You can also use the CloudFront CloudFrontWebDistribution API, which allows you to use OAI for a CloudFront distribution that accesses an S3 bucket with static website hosting enabled. This is an older API for CloudFront distributions.

With the Distribution API, if you configure OAI and also have your S3 bucket enabled with 'Static Website Hosting', it will not work (meaning CloudFront will not be able to access the origin).

Distribution is newer and has an easier interface compared to CloudFrontWebDistribution. Distribution also receives new features faster. That's why it is recommended to use the Distribution class.

Hope this helps.

answered 2 months ago
  • So, are you saying 'static website hosting' is no longer necessary?


The short answer is: if you want to use OAI, you can't have "static hosting" enabled on your bucket.

That second link you posted is confusing, but pay attention to the differences in the two setups. One bucket has static hosting enabled but not OAI in CloudFront. The other one has OAI enabled in CloudFront, but it's just redirecting to the other bucket (no static hosting enabled).

answered 2 months ago
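The two answers above boil down to one rule: an OAI only works when the CloudFront origin is the bucket's REST endpoint, because the S3 website endpoint accepts anonymous requests only and CloudFront cannot present the OAI to it (the Distribution construct's S3 origin points at the website endpoint whenever the bucket has website hosting on, which is why the first answer says to switch hosting off). The following is an added example, not code from the page or from either answerer: a small Python lint over a CloudFormation template held as a dict, with a constructed template showing the restricted layout (REST-endpoint origin plus OAI, bucket policy granting s3:GetObject only to the OAI's canonical user, public access blocked, DefaultRootObject set, since the REST endpoint has no index-document logic). The logical resource names, the hostname `example-site.s3-website-us-east-1.amazonaws.com` and the variant builders are hypothetical; the lint keys on the origin endpoint type and the bucket policy principal rather than on whether website hosting is merely enabled.

```python
import copy

# Constructed CloudFormation template (dict form of the JSON/YAML) for the restricted
# pattern. Logical resource names are hypothetical.
OAI_TEMPLATE = {"Resources": {
    "SiteBucket": {"Type": "AWS::S3::Bucket", "Properties": {
        # No WebsiteConfiguration: CloudFront will use the bucket's REST endpoint.
        "PublicAccessBlockConfiguration": {"BlockPublicAcls": True, "BlockPublicPolicy": True,
                                           "IgnorePublicAcls": True, "RestrictPublicBuckets": True}}},
    "SiteOAI": {"Type": "AWS::CloudFront::CloudFrontOriginAccessIdentity", "Properties": {
        "CloudFrontOriginAccessIdentityConfig": {"Comment": "static site"}}},
    "SiteBucketPolicy": {"Type": "AWS::S3::BucketPolicy", "Properties": {
        "Bucket": {"Ref": "SiteBucket"},
        "PolicyDocument": {"Version": "2012-10-17", "Statement": [{
            "Effect": "Allow",
            # Only the OAI's canonical user may read objects; no '*' principal anywhere.
            "Principal": {"CanonicalUser": {"Fn::GetAtt": ["SiteOAI", "S3CanonicalUserId"]}},
            "Action": "s3:GetObject",
            "Resource": {"Fn::Sub": "${SiteBucket.Arn}/*"}}]}}},
    "SiteDistribution": {"Type": "AWS::CloudFront::Distribution", "Properties": {
        "DistributionConfig": {
            "Enabled": True,
            "DefaultRootObject": "index.html",  # REST endpoint has no index document of its own
            "Origins": [{
                "Id": "s3origin",
                "DomainName": {"Fn::GetAtt": ["SiteBucket", "RegionalDomainName"]},  # REST endpoint
                "S3OriginConfig": {"OriginAccessIdentity": {
                    "Fn::Sub": "origin-access-identity/cloudfront/${SiteOAI}"}}}],
            "DefaultCacheBehavior": {"TargetOriginId": "s3origin",
                                     "ViewerProtocolPolicy": "redirect-to-https",
                                     "ForwardedValues": {"QueryString": False}}}}},
}}

# Constructed hostname in the S3 *website* endpoint format (not a real bucket).
WEBSITE_ENDPOINT = "example-site.s3-website-us-east-1.amazonaws.com"


def legacy_variant():
    """The older layout: website hosting on, bucket public, website endpoint as a custom origin."""
    t = copy.deepcopy(OAI_TEMPLATE)
    res = t["Resources"]
    res["SiteBucket"]["Properties"] = {"WebsiteConfiguration": {"IndexDocument": "index.html"}}
    res["SiteBucketPolicy"]["Properties"]["PolicyDocument"]["Statement"][0]["Principal"] = "*"
    origin = res["SiteDistribution"]["Properties"]["DistributionConfig"]["Origins"][0]
    origin["DomainName"] = WEBSITE_ENDPOINT
    del origin["S3OriginConfig"]
    origin["CustomOriginConfig"] = {"OriginProtocolPolicy": "http-only"}
    return t


def oai_on_website_endpoint_variant():
    """The combination both answers warn about: OAI kept, but the origin is the website endpoint."""
    t = copy.deepcopy(OAI_TEMPLATE)
    origins = t["Resources"]["SiteDistribution"]["Properties"]["DistributionConfig"]["Origins"]
    origins[0]["DomainName"] = WEBSITE_ENDPOINT
    return t


def _is_website_endpoint(domain):
    """True when an origin DomainName is an S3 website endpoint (anonymous only; no OAI possible)."""
    if isinstance(domain, str):
        return ".s3-website" in domain
    if isinstance(domain, dict) and "Fn::GetAtt" in domain:
        ga = domain["Fn::GetAtt"]  # list form ["Bucket", "Attr"] or short form "Bucket.Attr"
        attr = ga[1] if isinstance(ga, list) else ga.split(".", 1)[1]
        return attr == "WebsiteURL"  # DomainName / RegionalDomainName are REST endpoints
    return False


def _is_public_principal(principal):
    return principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*")


def lint_oai_template(template):
    """Return human-readable findings; an empty list means the OAI pattern is applied correctly."""
    findings = []
    for name, res in template.get("Resources", {}).items():
        props = res.get("Properties", {})
        if res["Type"] == "AWS::CloudFront::Distribution":
            cfg = props["DistributionConfig"]
            for o in cfg.get("Origins", []):
                uses_oai = bool(o.get("S3OriginConfig", {}).get("OriginAccessIdentity"))
                website = _is_website_endpoint(o.get("DomainName"))
                if website and uses_oai:
                    findings.append(f"{name}/{o['Id']}: OAI configured against a website endpoint; "
                                    "the website endpoint only accepts anonymous requests, so the origin will fail")
                elif website:
                    findings.append(f"{name}/{o['Id']}: website endpoint origin requires a public bucket; "
                                    "use the REST endpoint (DomainName/RegionalDomainName) with an OAI")
                elif "S3OriginConfig" in o and not cfg.get("DefaultRootObject"):
                    findings.append(f"{name}: REST-endpoint origin with OAI needs DefaultRootObject (e.g. index.html)")
        elif res["Type"] == "AWS::S3::BucketPolicy":
            for stmt in props["PolicyDocument"]["Statement"]:
                if stmt.get("Effect") == "Allow" and _is_public_principal(stmt.get("Principal")):
                    findings.append(f"{name}: Allow for Principal '*' makes the bucket public; grant only the OAI CanonicalUser")
        elif res["Type"] == "AWS::S3::Bucket":
            pab = props.get("PublicAccessBlockConfiguration", {})
            if not all(pab.get(k) for k in ("BlockPublicAcls", "BlockPublicPolicy",
                                            "IgnorePublicAcls", "RestrictPublicBuckets")):
                findings.append(f"{name}: enable all four PublicAccessBlockConfiguration settings")
    return findings


if __name__ == "__main__":
    for label, t in [("restricted", OAI_TEMPLATE), ("legacy", legacy_variant()),
                     ("oai+website", oai_on_website_endpoint_variant())]:
        print(label, lint_oai_template(t) or "OK")
```

Run it against your own template by loading the YAML into a dict (for example with a YAML parser that understands the `!GetAtt`/`!Sub` short tags) and calling `lint_oai_template` on it; the restricted template above produces no findings, the legacy public-bucket layout produces three, and the OAI-plus-website-endpoint mix the answers describe as "will not work" produces exactly the first finding type.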
