OAI or not OAI for serving a static website in S3 using CloudFront
I am very confused about leveraging OAI for my static website.
A little background. I have a website that I serve from an S3 bucket and use CloudFront to access it. This website bucket and its CloudFront counterpart are built using a CloudFormation template that I have used for years now (i.e., it's a little dated). The template follows a traditional plan of configuring the website bucket, then configuring CloudFront to point to it (using SSL/TLS, etc. for HTTPS). This all works fine. However, I have recently been looking at ways to enhance security, and came across OAI as a way to stop having to make the S3 bucket public.
According to the AWS documentation entitled "Restricting access to Amazon S3 content by using an origin access identity (OAI)", I should not use OAI for my static website in S3. But, according to "Use an Amazon CloudFront distribution to serve a static website", I should set it up.
Am I missing something in translation? I would very much like to restrict access to my website served from S3 to my CloudFront distribution. Which is the proper way to do this?
Yes, best practice is to use OAI with CloudFront with origin 'S3 Static Bucket website'. If you are using the CloudFront/Distribution API you must disable S3 bucket/Properties/Static Website Hosting. And configure CloudFront/Default Root Object, e.g. index.html, to make it work.
You can also use the CloudFront/CloudFrontWebDistribution API, which allows you to use OAI for CloudFront which accesses an S3 bucket website with static website hosting enabled. An old API for CloudFront Distribution.
With the Distribution API, if you configure OAI and also have your S3 bucket enabled with 'Static Website Hosting', it will not work (meaning CloudFront will not be able to access the origin).
Distribution is new and has an easier interface compared to CloudFrontWebDistribution. Also, Distribution receives new features faster. That's why it is recommended to use the Distribution class.
Hope this helps.
The short answer is, if you want to use OAI, you can't have "static hosting" enabled on your bucket.
That second link you posted is confusing, but pay attention to the differences in the two setups. One bucket has static hosting enabled but not OAI in CloudFront. The other one has OAI enabled in CloudFront, but it's just redirecting to the other bucket (no static hosting enabled).
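The OAI setup both answers describe, as an added CloudFormation example (not the asker's template or AWS sample code): the bucket has no WebsiteConfiguration and blocks public access, the bucket policy grants s3:GetObject only to the OAI's canonical user, and the distribution uses the bucket's REST endpoint with DefaultRootObject standing in for the website endpoint's index document. Resource names are assumed; the cache policy ID is the AWS-managed CachingOptimized policy.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Resources:
  # The OAI is the CloudFront principal the bucket policy trusts.
  SiteOAI:
    Type: AWS::CloudFront::CloudFrontOriginAccessIdentity
    Properties:
      CloudFrontOriginAccessIdentityConfig:
        Comment: OAI for the static site bucket
  # No WebsiteConfiguration: static website hosting stays disabled,
  # and Block Public Access rejects any accidental public ACL or policy.
  SiteBucket:
    Type: AWS::S3::Bucket
    Properties:
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true
  # Only the OAI may read objects; no anonymous s3:GetObject is granted.
  SiteBucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: !Ref SiteBucket
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              CanonicalUser: !GetAtt SiteOAI.S3CanonicalUserId
            Action: s3:GetObject
            Resource: !Sub '${SiteBucket.Arn}/*'
  # The REST (not website) endpoint is the origin; DefaultRootObject
  # replaces the index document the website endpoint used to serve.
  SiteDistribution:
    Type: AWS::CloudFront::Distribution
    Properties:
      DistributionConfig:
        Enabled: true
        DefaultRootObject: index.html
        Origins:
          - Id: S3Origin
            DomainName: !GetAtt SiteBucket.RegionalDomainName
            S3OriginConfig:
              OriginAccessIdentity: !Sub 'origin-access-identity/cloudfront/${SiteOAI}'
        DefaultCacheBehavior:
          TargetOriginId: S3Origin
          ViewerProtocolPolicy: redirect-to-https
          CachePolicyId: 658327ea-f89d-4fab-8a65-aa1a5e6a8a5f
```

After deploying, a direct request to the bucket's REST endpoint should return 403 while the same path through the distribution returns the object, which is the check that the bucket is reachable only via CloudFront.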
So, are you saying 'static website hosting' is no longer necessary?