Correct process for configuring S3 bucket so ONLY Cloudfront can access?

0

Hi...

I've recently received a standard email security warning "We’re writing to notify you that your AWS account .... has one or more S3 buckets that allow read or write access from any user on the Internet. By default, S3 buckets allow only the account owner to access the contents of a bucket; however, customers can configure S3 buckets to permit public access".

I have only one S3 bucket and it's used only as the origin for Cloudfront. It does not need to permit direct access for anyone, even me. Currently, the items in the bucket permit public read access to anyone, including Cloudfront, so that Cloudfront can access them. Is that correct or not? This must be a fairly standard configuration but I can't find it documented anywhere. If it's not correct to give Public access in this case, what is the recommended way to secure access to an S3 bucket so that only Cloudfront and no one else can access it, please?

There is no easy and obvious way of doing this in S3 --> Buckets --> Permissions --> Access Control Lists unless it is possible to specify Cloudfront under "Access for other AWS accounts"?

Thanks for any help.

Chris J
Asked 5 years ago, viewed 485 times
2 answers
0

This should help:
To allow access to your Amazon S3 bucket only from a CloudFront distribution, first add an origin access identity (OAI)[1] to your distribution. Then, review your bucket policy and Amazon S3 access control list (ACL)[2] to be sure that:
• Only the OAI can access your bucket.
• CloudFront can access the bucket on behalf of requesters.
• Users can't access the objects in other ways, such as by using Amazon S3 URLs.
Note: After you restrict access to your bucket using CloudFront, you can optionally add another layer of security by integrating AWS WAF[3].

[1] https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-restricting-access-to-s3.html#private-content-creating-oai
[2] https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-restricting-access-to-s3.html#private-content-granting-permissions-to-oai
[3] https://docs.aws.amazon.com/waf/latest/developerguide/getting-started.html

AWS
awsrwx
Answered 5 years ago
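As an added illustration (not code from the answer above or from AWS), here is a bucket policy of the shape that step [2] describes, granting `s3:GetObject` only to the OAI's ARN, together with a small check that flags the anonymous-principal (`"*"`) grants the warning e-mail refers to. The bucket name and OAI id are placeholders.

```python
def oai_bucket_policy(bucket: str, oai_id: str) -> dict:
    """Bucket policy that lets only the CloudFront OAI read objects.
    The principal is the OAI's ARN, the documented form for bucket policies.
    bucket and oai_id are placeholders supplied by the caller."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowCloudFrontOAIReadOnly",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::cloudfront:user/"
                                 f"CloudFront Origin Access Identity {oai_id}"},
            "Action": "s3:GetObject",
            "Resource": f"arn:aws:s3:::{bucket}/*",
        }],
    }


def _principals(principal) -> list:
    """Flatten Principal ('*', {'AWS': '...'}, or lists) into a list of strings."""
    if isinstance(principal, str):
        return [principal]
    flat = []
    for value in principal.values():
        flat.extend(value if isinstance(value, list) else [value])
    return flat


def public_statements(policy: dict) -> list:
    """Sids of Allow statements that grant the anonymous principal '*' with no
    Condition: the state the AWS warning e-mail describes. Statements with a
    Condition are skipped here and should be reviewed by hand."""
    found = []
    statements = policy.get("Statement", [])
    for stmt in statements if isinstance(statements, list) else [statements]:
        if stmt.get("Effect") != "Allow" or "Condition" in stmt:
            continue
        if "*" in _principals(stmt.get("Principal", {})):
            found.append(stmt.get("Sid", "<no Sid>"))
    return found


# Constructed sample: the public-read policy the question describes.
PUBLIC_READ_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
                   "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}],
}

if __name__ == "__main__":
    print("public grants before:", public_statements(PUBLIC_READ_POLICY),
          "after:", public_statements(oai_bucket_policy("example-bucket", "EXAMPLE_OAI_ID")))
```

The check only inspects the bucket policy; object ACLs that grant `AllUsers` read, as the question describes, must be removed separately for step [2] to hold.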
0

Thanks!

Chris J
Answered 5 years ago
