Amazon CloudFront is a content delivery network(CDN) operated by Amazon Web Services. Content delivery networks provide a globally-distributed network of proxy servers that cache content, such as web videos or other bulky media, more locally to consumers, thus improving access speed for downloading the content. Amazon S3 or Simple Storage Service is a service offered by Amazon Web Services that provides object storage through a web service interface. When you set up an Amazon S3 bucket as the origin of an Amazon CloudFront distribution, you give everyone permission to read the files in the bucket (public access). This allows anyone to access your files through CloudFront. Kindly refer to these related guides: How to add an EBS volume to AWS EC2 via the AWS Console and CLI, how to integrate AWS CodeBuild and AWS CodeCommit to SonarCloud, and how to deploy a React Application to AWS S3
In this blog post, you’ll learn about CloudFront origin access identities, which address the need to secure and restrict public access to S3 buckets behind a CloudFront distribution.
What is Amazon CloudFront origin access identity (OAI)?
Amazon CloudFront OAI is a simple function of CloudFront distribution that you can enable when you select S3 buckets as the origin. If you don’t use an OAI, the S3 bucket must allow public access.
OAI prevents users from viewing your S3 bucket contents through its URL, Your users can only use the URL of your CloudFront distribution. In this hands-on exercise, you will access private S3 bucket content via a CloudFront distribution.
Step 1. Create S3 Bucket
From the AWS Management Console page, select the S3 service. Use the Create bucket wizard to create a bucket with the following details:
- Once the bucket is created, you will be taken to the Buckets dashboard. Click on the bucket name to view the details, and upload files and folders.
Step 2. Upload Object to Bucket
Once the bucket is open to view its contents, click the Upload button to add files/folders. Click the Add Files button, and upload the Sample.html (or any file from your local computer) provided at the bottom of the current page.
Note that the Bucket has not allowed public access, therefore, the Sample.html file cannot be accessed via its object URL, such as xxxx://my-014421265158-bucket.s3.us-east-2.amazonaws.com/Sample.html.
The figure below shows
AccessDenied an error while trying to access the file via its S3 object URL
The figure below shows that the individual object (Sample.html) has no public access.
Step 3. Create CloudFront Distribution
Select the CloudFront service from the Services menu at the top left corner of your AWS console. Start the Create Distribution wizard.
Under the Web delivery method, click the Get Started button, and use the following details to create a distribution:
Leave the defaults for the rest of the options. It may take up to 10 minutes for the CloudFront Distribution to create. Upon successfully creating the CloudFront distribution, the S3 bucket access policy will also get updated automatically, as shown below.
Once your CloudFront distribution is created, and the status shows as Deployed, copy its Domain Name (such as,
dgf7z6g067r6d.cloudfront.net) and append
/Sample.html before pasting it into a new browser.
For the initial few attempts, your xxxx://dgf7z6g067r6d.cloudfront.net/Sample.html may redirect to xxxx://my-014421265158-bucket.s3.us-east-2.amazonaws.com/Sample.html, which is why you may still see an AccessDenied error.
Note: Remember, as soon as your CloudFront distribution is Deployed, it attaches to S3 and starts caching the S3 private pages. Once the caching is complete, the CloudFront domain name URL will stop redirecting to the S3 object URL. CloudFront may take 10-30 minutes (or more) to cache the S3 page, and you will be able to view the webpage. However, at the same time, the
xxxx://my-014421265158-bucket.s3.us-east-2.amazonaws.com/Sample.html will not work anymore.
I hope you found this blog post helpful. Please let me know in the comment session if you have any questions.