Securing Your Content in Amazon S3

A CloudFront origin access identity is a virtual identity that allows CloudFront to fetch content from an Amazon S3 bucket. You create a CloudFront origin access identity for your AWS account, attach the identity to your distribution, and then give that identity read permission (or read and download permission) to objects in Amazon S3. After you remove public access to the Amazon S3 bucket, the CloudFront distribution is now the only way to access objects in your bucket. Adding signer accounts to the distribution configuration allows access only to users who have signed URLs.

You can have up to 100 CloudFront origin access identities, and you can attach each to one or more distributions. One origin access identity is usually sufficient, even for multiple distributions.

The following example depicts three different distributions.

	Distribution 1 is configured for public content. The object has an Amazon S3 ACL that grants everyone read permission. Anyone can access the contents of this distribution through Amazon S3 or through your CloudFront distribution.
	Distribution 2 is configured to read private content with signed URLs. This distribution is attached to CloudFront origin access identity A. The object has an Amazon S3 ACL that grants read permission to the identity. The content in this distribution cannot be accessed by anyone who doesn't have the signed URL.
	Distribution 3 is configured to read private content with basic URLs. This distribution is also attached to CloudFront origin access identity A. The object has an Amazon S3 ACL that grants read permission to the identity. The content in this distribution is not private, but users can access it only through your CloudFront distribution (not through your Amazon S3 bucket).

For information about creating an origin access identity, see Creating a CloudFront Origin Access Identity.

You can create a CloudFront origin access identity using a POST on the 2010-11-01/origin-access-identity/cloudfront resource. You must provide a unique caller reference in the request, as you do when creating a distribution. You can optionally provide comments about the identity.

	Note
	Currently, the AWS Management Console doesn't support creating an origin access identity or updating a distribution to serve private content.

	Note
	The CloudFront control API provides a set of actions for creating and managing your CloudFront origin access identities. The actions are parallel to those for creating and managing distributions. For more information about the actions, go to Actions on Origin Access Identities in the Amazon CloudFront API Reference.

Now that you have an origin access identity, you can create a distribution configured for private content. For more information, see Creating a Private Content Distribution.

A distribution can serve either public or private content as specified by configuration values. To configure a distribution to serve private content, you use your AWS account, or a trusted AWS account you specify, to get a key pair. (If you already have an RSA key pair, you can upload the public key to AWS.) You then use the private key from the key pair to hash a policy statement; the result is a signature that you use to authenticate that the policy was generated by a trusted signer and has not been tampered with.

A private content distribution looks like a public content distribution, except that it has an OriginAccessIdentity element in the configuration. You must specify the value for the element using the following format: origin-access-identity/cloudfront/ID.

The following example request creates a new private content distribution.

POST /2010-11-01/distribution HTTP/1.1
[Required headers]

<?xml version="1.0" encoding="UTF-8"?>
<DistributionConfig xmlns="http://cloudfront.amazonaws.com/doc/2010-11-01/">
  <S3Origin>
     <DNSName>myawsbucket.s3.amazonaws.com</DNSName>
     <OriginAccessIdentity>
     origin-access-identity/cloudfront/E127G7VEXAMPLE
     </OriginAccessIdentity>
  </S3Origin>
  <CallerReference>20120229090000</CallerReference>
  <Comment>My comments</Comment>
  <Enabled>true</Enabled>
</DistributionConfig>

For information about updating an existing distribution, see Updating a Distribution's Configuration.

The following request for a streaming distribution is similar to a distribution for static content.

POST /2010-11-01/streaming-distribution HTTP/1.1
[Required headers]

<?xml version="1.0" encoding="UTF-8"?>
<StreamingDistributionConfig xmlns="http://cloudfront.amazonaws.com/doc/2010-11-01/">
  <S3Origin>
     <DNSName>myawsbucket.s3.amazonaws.com</DNSName>
     <OriginAccessIdentity>
     origin-access-identity/cloudfront/E127G7VEXAMPLE
     </OriginAccessIdentity>
  </S3Origin>
  <CallerReference>20120229090000</CallerReference>
  <Comment>My comments</Comment>
  <Enabled>true</Enabled>
</StreamingDistributionConfig>

For information about updating an existing streaming distribution, see Updating a Distribution's Configuration.

Now that you have created a distribution configured for private content, you need to set the ACLs on your Amazon S3 private content objects. For more information, see Updating Amazon S3 Bucket Policies or ACLs on Your Private Content Buckets or Objects.

After you create a private content distribution, you must update Amazon S3 bucket policies or ACLs to grant the CloudFront origin access identity the permissions necessary to access to the private content in Amazon S3. Note the following: