OAI or not OAI for serving a static website in S3 using CloudFront

Question

I am very confused about leveraging OAI for my static website.

A little background. I have a website that I serve from an S3 bucket and use CloudFront to access it. This website bucket and its CloudFront counterpart are built using a CloudFormation template that I have used for years now (i.e., its a little dated). The template follows a traditional plan of configuring the website bucket, then then configure the CloudFront to point to it (using SSL/TLS, etc. for https). This all works fine. However, I have recently been looking at ways to enhance security, and came across OAI as a way to stop having to make the S3 bucket public.

According to the AWS documentation entitled "[Restricting access to Amazon S3 content by using an origin access identity (OAI)](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-restricting-access-to-s3.html)", I should not use OAI for my static website in S3. But, according to "[Use an Amazon CloudFront distribution to serve a static website](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/getting-started-cloudfront-overview.html)", I should set it up.

Am I missing something in translation? I would very much like to restrict access to my website served from S3 to my CloudFront distribution. Which is the proper way to do this?

BazzieB_AWS · Answer

Hi bbaronas

It is advised to use OAI to secure your bucket content behind CloudFront, however, there is some confusion that arises, when going from an S3 static website to CloudFront with OAI.

Firstly, there are 2 different types of S3 endpoints.

1. Static website endpoints - *bucketname*.s3-website-*region*.amazonaws.com
2. S3 bucket endpoints - *bucketname*.s3-*region*.amazonaws.com

When using a Static Website endpoint with CloudFront, you still need to have the open bucket policy, as CloudFront needs access to your objects. When configuring CloudFront origin, and you use the S3 static website URL in the Origin, it will show as a Custom Origin.

When using the S3 bucket endpoint, this will be an S3 Origin type. This is the recommended way, and then use OAI and allow CloudFront to update your bucket policy. Please note that CloudFront will not delete your existing policy, simply add access for the OAI. I would recommend to remove your current bucket policy before you configure CloudFront OAI.

You can also use this template to setup CloudFront+S3+SSL. 
https://gist.github.com/jonoirwinrsa/ceb2cba3d104720320f30e06b8c821f8

mishdane · Answer

Yes best practice is to use OAI with CloudFront with origin 'S3 Static Bucket website'. 
If you are using CloudFront/Distribution API you must disable s3 bucket/Properties/Static Website Hosting. And configure CloudFront/Default Root object e.g. index.html to make it work.

You can also use CloudFront/CloudFrontWebDistribution API which allows you to use OAI for CloudFront which accesses an S3 bucket website with static website hosting enabled. An old API for CloudFront Distribution.

With Distribution API if you configure OAI and also have your s3 bucket enabled with 'Static Website Hosting', it will not work (meaning CloudFront will not be able to access origin).

Distribution is new & has easy Interface as compare to CloudFrontWebDistribution. Also Distribution receives new features faster. That's why it is recommended to use Distribution class.

Hope this helps.

John Vold · Answer

The short answer is, if you want to use OAI, you can't have "static hosting" enabled on your bucket.

That second link you posted is confusing, but pay attention to the differences in the two setups. One bucket has static hosting enabled but not OAI in Cloudfront. The other one has OAI enabled in Cloudfront but it's just re-directing to the other bucket (no static hosting enabled).

OAI or not OAI for serving a static website in S3 using CloudFront

Relevant content