Can I make encrypted S3 static website only accessible through CloudFront?

Question

Can I store encrypted files on S3 and then make them available through CloudFront, with the decryption key held by CloudFront? Or is there any other way the build file of the static website is hosted but the files are not accessible by any other IAM.

Answer

It is possible to restrict access except via CloudFront.  
Follow the steps in the following document to set up OAC.  
OAC can be used with S3 default encryption or with encryption using KMS.  
https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-restricting-access-to-s3.html

The following document explains OAC in detail and should be read once.  
https://aws.amazon.com/jp/blogs/networking-and-content-delivery/amazon-cloudfront-introduces-origin-access-control-oac/

Can I make encrypted S3 static website only accessible through CloudFront?

相关内容