Correct process for configuring S3 bucket so ONLY Cloudfront can access?
I've recently received a standard email security warning "We’re writing to notify you that your AWS account .... has one or more S3 buckets that allow read or write access from any user on the Internet. By default, S3 buckets allow only the account owner to access the contents of a bucket; however, customers can configure S3 buckets to permit public access".

I have only one S3 bucket and it's used only as the origin for Cloudfront. It does not need to permit direct access for anyone, even me. Currently, the items in the bucket permit public read access to anyone, including Cloudfront, so that Cloudfront can access them. Is that correct or not? This must be a fairly standard configuration but I can't find it documented anywhere. If it's not correct to give public access in this case, what is the recommended way to secure access to an S3 bucket so that only Cloudfront and no one else can access it, please?

There is no easy and obvious way of doing this in S3 --> Buckets --> Permissions --> Access Control Lists unless it is possible to specify Cloudfront under "Access for other AWS accounts"?

Thanks for any help.

Chris J
asked 3 years ago, 73 views
2 Answers

This should help:
To allow access to your Amazon S3 bucket only from a CloudFront distribution, first add an origin access identity (OAI)[1] to your distribution. Then, review your bucket policy and Amazon S3 access control list (ACL)[2] to be sure that:
• Only the OAI can access your bucket.
• CloudFront can access the bucket on behalf of requesters.
• Users can't access the objects in other ways, such as by using Amazon S3 URLs.
Note: After you restrict access to your bucket using CloudFront, you can optionally add another layer of security by integrating AWS WAF[3].


answered 3 years ago
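The answer above describes the target state in words; the following is an added example (not code from the original post or from AWS) that shows the weak configuration the questioner has today beside the corrected one, and a small checker for the first bullet, "only the OAI can access your bucket". The bucket name and OAI ID are constructed placeholders. The checker inspects the bucket policy only: Block Public Access settings and object ACLs (the second place public access can leak from) still need to be reviewed separately. Note that AWS now recommends origin access control (OAC) over OAI for new distributions; with OAC the principal becomes the `cloudfront.amazonaws.com` service plus a `SourceArn` condition, which the checker also accepts when you pass the distribution ARN.

```python
"""S3 bucket policy for a CloudFront-only origin, plus a checker for stray grants.

Added example; bucket name, OAI ID and distribution ARN below are constructed placeholders.
"""
import json

BUCKET = "my-cloudfront-origin-bucket"          # constructed placeholder
OAI_ID = "E1EXAMPLE1234"                         # constructed placeholder
DIST_ARN = "arn:aws:cloudfront::111122223333:distribution/EDFDVBD6EXAMPLE"  # constructed

# The configuration the question describes: anyone on the Internet can read every object.
# This is exactly what the AWS warning e-mail is about.
PUBLIC_READ_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": f"arn:aws:s3:::{BUCKET}/*",
    }],
}


def oai_principal(oai_id: str) -> str:
    """IAM principal ARN that CloudFront uses for a given origin access identity."""
    return f"arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity {oai_id}"


def oai_bucket_policy(bucket: str, oai_id: str) -> dict:
    """Corrected policy: only the OAI may GetObject; no other principal is granted anything.

    Pair this with S3 Block Public Access turned on and no public object ACLs, so that
    direct S3 URLs stop working and only CloudFront can fetch the objects.
    """
    return {
        "Version": "2012-10-17",
        "Id": "PolicyForCloudFrontPrivateContent",
        "Statement": [{
            "Sid": "AllowCloudFrontOAIRead",
            "Effect": "Allow",
            "Principal": {"AWS": oai_principal(oai_id)},
            "Action": "s3:GetObject",
            "Resource": f"arn:aws:s3:::{bucket}/*",
        }],
    }


def _principals(statement: dict) -> list:
    """Flatten the Principal element into a list of strings ('*' means anonymous)."""
    p = statement.get("Principal", {})
    if p == "*":
        return ["*"]
    out = []
    for value in p.values():          # keys such as "AWS", "Service", "CanonicalUser"
        out.extend(value if isinstance(value, list) else [value])
    return out


def _source_arns(statement: dict) -> set:
    """Collect AWS:SourceArn values from a StringEquals condition, if any."""
    cond = statement.get("Condition", {}).get("StringEquals", {})
    arns = cond.get("AWS:SourceArn", cond.get("aws:SourceArn", []))
    return set(arns if isinstance(arns, list) else [arns])


def find_non_cloudfront_grants(policy: dict, oai_id: str, distribution_arn: str = None) -> list:
    """Return Sids (or indexes) of Allow statements that grant access to anyone but CloudFront.

    Accepted principals: the OAI ARN, and, if distribution_arn is given, the
    cloudfront.amazonaws.com service restricted to that distribution (the OAC form).
    An empty result means every Allow in this bucket policy is scoped to CloudFront.
    """
    offenders = []
    for i, st in enumerate(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        for principal in _principals(st):
            if principal == oai_principal(oai_id):
                continue
            if (principal == "cloudfront.amazonaws.com" and distribution_arn
                    and distribution_arn in _source_arns(st)):
                continue
            offenders.append(str(st.get("Sid", i)))
            break
    return offenders


if __name__ == "__main__":
    print("offending statements in current policy:",
          find_non_cloudfront_grants(PUBLIC_READ_POLICY, OAI_ID))
    fixed = oai_bucket_policy(BUCKET, OAI_ID)
    print("offending statements in fixed policy:",
          find_non_cloudfront_grants(fixed, OAI_ID))
    print(json.dumps(fixed, indent=2))
```

Run it as-is to see the public-read policy flagged and the OAI policy pass; to check a real bucket, feed the output of `aws s3api get-bucket-policy` (after `json.loads` of its `Policy` string) to `find_non_cloudfront_grants` with your own OAI ID. The checker deliberately treats any `Principal` it does not recognise as a finding, including `"*"` with an IP or referer condition, since those still bypass CloudFront.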


Chris J
answered 3 years ago
