AWS/Azure/OpenShift Network Storage

How to Serve Private S3 Bucket Contents Via CloudFront

CloudFrontAWS

Amazon CloudFront is a content delivery network(CDN) operated by Amazon Web Services. Content delivery networks provide a globally-distributed network of proxy servers that cache content, such as web videos or other bulky media, more locally to consumers, thus improving access speed for downloading the content. Amazon S3 or Amazon Simple Storage Service is a service offered by Amazon Web Services that provides object storage through a web service interface.  When you set up an Amazon S3 bucket as the origin of an Amazon CloudFront distribution, you give everyone permission to read the files in the bucket (public access). This allows anyone to access your files through CloudFront. Kindly refer to these related guides: How to add an EBS volume to AWS EC2 via the AWS Console and CLI, how to integrate AWS CodeBuild and AWS CodeCommit to SonarCloud, and how to deploy a React Application to AWS S3

In this blog post, you’ll learn about CloudFront origin access identities, which address the need to secure and restrict public access to S3 buckets behind a CloudFront distribution.

What is Amazon CloudFront origin access identity (OAI)?

Amazon CloudFront OAI is a simple function of CloudFront distribution that you can enable when you select S3 buckets as the origin. If you don’t use an OAI, the S3 bucket must allow public access.

image-52

OAI prevents users from viewing your S3 bucket contents through its URL, Your users can only use the URL of your CloudFront distribution. In this hands-on exercise, you will access private S3 bucket content via a CloudFront distribution.

Step 1. Create S3 Bucket

From the AWS Management Console page, select the S3 service. Use the Create bucket wizard to create a bucket with the following details:

  • Once the bucket is created, you will be taken to the Buckets dashboard. Click on the bucket name to view the details, and upload files and folders.
image-53
Click the “Add files” to upload a file

Step 2. Upload Object to Bucket

Once the bucket is open to view its contents, click the Upload button to add files/folders. Click the Add Files button, and upload the Sample.html (or any file from your local computer) provided at the bottom of the current page.

image-54
The figure above shows how to copy the S3 object URL.

The figure below shows AccessDenied error while trying to access the file via its S3 object URL

image-55

The figure below shows that the individual object (Sample.html) has no public access.

image-56

Step 3. Create CloudFront Distribution

Select the CloudFront service from the Services menu at the top left corner of your AWS console. Start the Create Distribution wizard.

  • Under the Web delivery method, click the Get Started button, and use the following details to create a distribution:
cloudfrontValues
In the configuration table above, the Grant Read Permission on Bucket says that “Yes, update access bucket policy automatically to allows the Origin Access Identity user access to the bucket content.” Origin Access Identity user represents the CloudFront service. The policy is a JSON file that defines the access permissions to the bucket object.

Leave the defaults for the rest of the options. It may take up to 10 minutes for the CloudFront Distribution to create. Upon successfully creating the CloudFront distribution, the S3 bucket access policy will also get updated automatically, as shown below.

image-57
The figure above shows the updated S3 access policy. 

Note – Remember, as soon as your CloudFront distribution is Deployed, it attaches to S3 and starts caching the S3 private pages. Once the caching is complete, the CloudFront domain name URL will stop redirecting to the S3 object URL. CloudFront may take 10-30 minutes (or more) to cache the S3 page, and you will be able to view the webpage. However, at the same time, the https://my-014421265158-bucket.s3.us-east-2.amazonaws.com/Sample.html will not work anymore.

Here is an example of static S3 content I deployed through CloudFront. https://djcn0xmki4gps.cloudfront.net/.

I hope you found this blog post helpful. If you have any questions, please let me know in the comment session.

Subscribe
Notify of
guest

0 Comments
Inline Feedbacks
View all comments
0
Would love your thoughts, please comment.x
()
x