AWS/Azure/OpenShift Network Storage

Serve Private S3 Bucket Contents Via CloudFront


Amazon CloudFront is a content delivery network(CDN) operated by Amazon Web Services. Content delivery networks provide a globally-distributed network of proxy servers that cache content, such as web videos or other bulky media, more locally to consumers, thus improving access speed for downloading the content. In this article, you will learn how to Serve Private S3 Bucket Contents Via CloudFront. Amazon S3 or Simple Storage Service is a service offered by Amazon Web Services that provides object storage through a web service interface.  When you set up an Amazon S3 bucket as the origin of an Amazon CloudFront distribution, you give everyone permission to read the files in the bucket (public access). This allows anyone to access your files through CloudFront. Please see How to sync S3 Bucket with an EC2 instance, and how to delete AWS S3 Bucket and Objects via  AWS CLI from Linux.

Please follow along to learn about CloudFront origin access identities, which address the need to secure and restrict public access to S3 buckets behind a CloudFront distribution. Kindly refer to these related guides: How to add an EBS volume to AWS EC2 via the AWS Console and CLI, how to integrate AWS CodeBuild and AWS CodeCommit to SonarCloud, and how to deploy a React Application to AWS S3.

What is Amazon CloudFront origin access identity (OAI)?

Amazon CloudFront OAI is a simple function of CloudFront distribution that you can enable when you select S3 buckets as the origin. If you don’t use an OAI, the S3 bucket must allow public access.


OAI prevents users from viewing your S3 bucket contents through its URL, Your users can only use the URL of your CloudFront distribution. In this hands-on exercise, you will access private S3 bucket content via a CloudFront distribution.

How to Serve Private S3 Bucket Contents Via CloudFront

In order to achieve this goal, kindly follow the steps below and start off by creating an S3 bucket!

Please see how to redirect requests for your bucket’s website endpoint to another bucket or domain. How to sync S3 Bucket with an EC2 instance(Opens in a new browser tab), and how to grant public access to S3 Bucket using Policy. Also, see how to enable Amazon S3 default bucket encryption using S3 Console.

Step 1. Create S3 Bucket

From the AWS Management Console page, select the S3 service. Use the Create Bucket wizard to create a bucket with the following details:

Once the bucket is created, you will be taken to the Buckets dashboard. Click on the bucket name to view the details, and upload files and folders.

Click the “Add files” to upload a file

Step 2. Upload Object to Bucket

Once the bucket is open to view its contents, click the Upload button to add files/folders. Click the Add Files button, and upload the Sample.html. Or (or any file from your local computer) provided at the bottom of the current page.

Note that the Bucket has not allowed public access, therefore, the Sample.html file cannot be accessed via its object URL.
This figure above shows how to copy the S3 object URL.

The figure below shows AccessDenied an error while trying to access the file via its S3 object URL


The figure below shows that the individual object (Sample.html) has no public access.


Step 3. Create CloudFront Distribution

Select the CloudFront service from the Services menu at the top left corner of your AWS console. Start the Create Distribution wizard.

Under the Web delivery method, click the Get Started button, and use the following details to create a distribution:

In the configuration table above, the Grant Read Permission on Bucket says that “Yes, update access bucket policy automatically to allows the Origin Access Identity user access to the bucket content.” Origin Access Identity user represents the CloudFront service. The policy is a JSON file that defines the access permissions to the bucket object.

Serve Private S3 Bucket Contents Via CloudFront

Leave the defaults for the rest of the options. It may take up to 10 minutes for the CloudFront Distribution to create. Upon successfully creating the CloudFront distribution, the S3 bucket access policy will also get updated automatically, as shown below.

The figure above shows the updated S3 access policy. 

Once your CloudFront distribution is created, and the status shows as Deployed, copy its Domain Name and append /Sample.html before pasting it into a new browser.

For the initial few attempts, your xxxx:// may redirect to xxxx://, which is why you may still see an AccessDenied error. 

Note: Remember, as soon as your CloudFront distribution is Deployed. It attaches to S3 and starts caching the S3 private pages. Once the caching is complete, the CloudFront domain name URL will stop redirecting to the S3 object URL.

CloudFront may take 10-30 minutes (or more) to cache the S3 page, and you will be able to view the webpage.

I hope you found this blog post helpful on How to Serve Private S3 Bucket Contents Via CloudFront. Please let me know in the comment session if you have any questions.

Notify of

Inline Feedbacks
View all comments
Would love your thoughts, please comment.x