Amazon CloudFront
Developer Guide (API Version 2014-05-31)

Using an Origin Access Identity to Restrict Access to Your Amazon S3 Content

Typically, if you're using an Amazon S3 bucket as the origin for a CloudFront distribution, you grant everyone permission to read the objects in your bucket. This allows anyone to access your objects using either the CloudFront URL or the Amazon S3 URL. CloudFront doesn't expose Amazon S3 URLs, but your users may have those URLs if your application serves any objects directly from Amazon S3 or if anyone gives out direct links to specific objects in Amazon S3.

If you want to use CloudFront signed URLs to provide access to objects in your Amazon S3 bucket, you probably also want to prevent users from accessing your Amazon S3 objects using Amazon S3 URLs. If users access your objects directly in Amazon S3, they bypass the controls provided by CloudFront signed URLs, including control over when a URL expires and control over which IP addresses can be used to access the objects. In addition, if users access objects using both CloudFront URLs and Amazon S3 URLs, CloudFront access logs are less useful because they're incomplete.

You restrict access to Amazon S3 content by creating an origin access identity, which is a special CloudFront user. You change Amazon S3 permissions to give the origin access identity permission to access your objects, and to remove permissions from everyone else. When your users access your Amazon S3 objects using CloudFront URLs, the CloudFront origin access identity gets the objects on your users' behalf. If your users try to access objects using Amazon S3 URLs, they're denied access. The origin access identity has permission to access objects in your Amazon S3 bucket, but users don't.

Note

To create origin access identities, you must use the CloudFront console or CloudFront API version 2009-09-09 or later.

To ensure that your users access your objects using only CloudFront URLs, regardless of whether the URLs are signed, perform the following tasks:

  1. Create an origin access identity and add it to your distribution. For more information, see Creating a CloudFront Origin Access Identity and Adding it to Your Distribution.

    Note

    You can also create an origin access identity and add it to your distribution when you create the distribution.

  2. Change the permissions either on your Amazon S3 bucket or on the objects in your bucket so only the origin access identity has read permission (or read and download permission).

    For more information, see Granting the Origin Access Identity Permission to Read Objects in Your Amazon S3 Bucket.

Creating a CloudFront Origin Access Identity and Adding it to Your Distribution

An AWS account can have up to 100 CloudFront origin access identities. However, you can add an origin access identity to as many distributions as you want, so one origin access identity is usually sufficient.

If you didn't create an origin access identity and add it to your distribution when you created the distribution, you can create and add one now using either the CloudFront console or the CloudFront API:

Creating an Origin Access Identity and Adding it to Your Distribution Using the CloudFront Console

If you didn't create an origin access identity when you created your distribution, perform the following procedure.

To create a CloudFront origin access identity using the CloudFront console

  1. Sign in to the AWS Management Console and open the Amazon CloudFront console at https://console.aws.amazon.com/cloudfront/.

  2. Click the i icon for the distribution to which you want to add an origin access identity.

  3. Change to edit mode:

    • Web distributions: Click the Origins tab, click the origin that you want to edit, and click Edit. You can only create an origin access identity for origins for which Origin Type is S3 Origin.

    • RTMP distributions: Click Edit.

  4. For Restrict Bucket Access, click Yes.

  5. If you already have an origin access identity that you want to use, click Use an Existing Identity. Then select the identity in the Your Identities list.

    Note

    If you already have an origin access identity, we recommend that you reuse it to simplify maintenance.

    If you want to create an identity, click Create a New Identity. Then enter a description for the identity in the Comment field.

  6. If you want CloudFront to automatically give the origin access identity permission to read the objects in the Amazon S3 bucket specified in Origin Domain Name, click Yes, Update Bucket Policy.

    Important

    If you click Yes, Update Bucket Policy, CloudFront updates bucket permissions to grant the specified origin access identity the permission to read objects in your bucket. However, CloudFront does not remove existing permissions. If users currently have permission to access the objects in your bucket using Amazon S3 URLs, they will still have that permission after CloudFront updates your bucket permissions. To view or remove existing bucket permissions, use a method provided by Amazon S3. For more information, see Granting the Origin Access Identity Permission to Read Objects in Your Amazon S3 Bucket.

    If you want to manually update permissions on your Amazon S3 bucket, click No, I Will Update Permissions.

  7. Click Yes, Edit.

  8. If you're adding an origin access identity to a web distribution and you have more than one origin, repeat Step 3 through Step 7 as applicable.

Creating an Origin Access Identity Using the CloudFront API

If you already have an origin access identity and you want to reuse it instead of creating another one, skip to Adding an Origin Access Identity to Your Distribution Using the CloudFront API.

To create a CloudFront origin access identity using the CloudFront API, use the POST Origin Access Identity API action. The response includes an Id and an S3CanonicalUserId for the new origin access identity. Make note of these values because you will use them later in the process:

  • Id element: You use the value of the Id element to associate an origin access ID with your distribution.

  • S3CanonicalUserId element: You use the value of the S3CanonicalUserId element when you give CloudFront access to your Amazon S3 bucket or objects.

For more information about the POST Origin Access Identity API action, go to POST Origin Access Identity in the Amazon CloudFront API Reference. For a list of other actions that you can perform on origin access identities, go to Actions on Origin Access Identities, also in the Amazon CloudFront API Reference.

Adding an Origin Access Identity to Your Distribution Using the CloudFront API

You can use the CloudFront API to add a CloudFront origin access identity to an existing distribution or to create a new distribution that includes an origin access identity. In either case, include an OriginAccessIdentity element. This element contains the value of the Id element that the POST Origin Access Identity API action returned when you created the origin access identity. For web distributions, add the OriginAccessIdentity element to one or more origins. For RTMP distributions, add the OriginAccessIdentity element to the distribution.

See the applicable topic in the Amazon CloudFront API Reference.

Granting the Origin Access Identity Permission to Read Objects in Your Amazon S3 Bucket

When you create or update a distribution, you can add an origin access identity and automatically update the bucket policy to give the origin access identity permission to access your bucket. Alternatively, you can choose to manually change the bucket policy or change ACLs, which control permissions on individual objects in your bucket.

Whichever method you use, you should still review the bucket policy for your bucket and review the permissions on your objects to ensure that:

  • CloudFront can access objects in the bucket on behalf of users who are requesting your objects using CloudFront URLs.

  • Users can't use Amazon S3 URLs to access your objects.

Caution

If you configure CloudFront to accept and forward to Amazon S3 all of the HTTP methods that CloudFront supports (including PUT and DELETE), the permissions you grant the origin access identity are the only control on what those forwarded requests can do at the origin. Create a CloudFront origin access identity to restrict access to your Amazon S3 content, and grant it only the permissions it needs. For example, if you forward all methods because you want to use the PUT method, you must still configure your Amazon S3 bucket policies or ACLs to handle DELETE requests appropriately (for instance, by not granting the origin access identity s3:DeleteObject) so users can't delete resources that you don't want them to.

Note the following:

  • You may find it easier to update Amazon S3 bucket policies than ACLs because a bucket policy also covers objects you add to the bucket later, without updating permissions on each one. However, ACLs give you more fine-grained control because you're granting permissions on each object.

  • By default, your Amazon S3 bucket and all of the objects in it are private—only the AWS account that created the bucket has permission to read or write the objects in it.

  • If you're adding an origin access identity to an existing distribution, modify the bucket policy or any object ACLs as appropriate to ensure that the objects are not publicly available.

  • Grant additional permissions to one or more secure administrator accounts so you can continue to update the contents of the Amazon S3 bucket.

Important

There may be a brief delay between when you save your changes to Amazon S3 permissions and when the changes take effect. Until the changes take effect, you may get permission-denied errors when you try to access objects in your bucket.

Updating Amazon S3 Bucket Policies

You can update the Amazon S3 bucket policy using either the AWS Management Console or the Amazon S3 API:

  • Grant the CloudFront origin access identity the applicable permissions on the bucket.

    To specify an origin access identity, use the value of Amazon S3 Canonical User ID on the Origin Access Identity page in the CloudFront console. If you're using the CloudFront API, use the value of the S3CanonicalUserId element that was returned when you created the origin access identity.

  • Deny access to anyone that you don't want to have access using Amazon S3 URLs.

For more information, go to Using Bucket Policies in the Amazon Simple Storage Service Developer Guide.

For an example, see "Granting Permission, Using Canonical ID, to a CloudFront Origin Identity" in the topic Example Cases for Amazon S3 Bucket Policies, also in the Amazon Simple Storage Service Developer Guide.
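The following Python script is an added example and is not code from this guide. It serves two passages: the review checklist under Granting the Origin Access Identity Permission to Read Objects (CloudFront can read, users can't use Amazon S3 URLs, the identity is not granted more than it needs, which is the concern in the Caution about forwarding PUT and DELETE) and the bucket-policy form described under Updating Amazon S3 Bucket Policies, where the origin access identity is named by its canonical user ID. It builds the minimal policy (one Allow for the identity on s3:GetObject and nothing else), audits an existing policy for public principals and over-broad grants to the identity, and mimics what Yes, Update Bucket Policy does: it appends the grant without removing existing statements, so the audit still flags the public grant afterward. The bucket name, the identity ID, the canonical user ID and the "before" policy are constructed placeholders. The audit also accepts the ARN-style principal (arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity ID) that the console's automatic update writes.

```python
"""Build and audit an Amazon S3 bucket policy for a CloudFront origin access identity.

Added example; not code from the CloudFront Developer Guide. The bucket name,
identity ID and canonical user ID below are constructed placeholders.
"""
import copy
import json

BUCKET = "example-bucket"                  # placeholder bucket name
OAI_ID = "E1EXAMPLE00000"                  # placeholder Id element value
OAI_CANONICAL_USER_ID = "c" * 64           # placeholder S3CanonicalUserId (real ones are 64 hex chars)

# The only action CloudFront needs to serve GET/HEAD requests from the bucket.
READ_ONLY_ACTIONS = {"s3:GetObject"}


def oai_statement(bucket, canonical_user_id, sid="AllowCloudFrontOAIRead"):
    """Statement granting the origin access identity read access to every object."""
    return {
        "Sid": sid,
        "Effect": "Allow",
        "Principal": {"CanonicalUser": canonical_user_id},
        "Action": "s3:GetObject",
        "Resource": f"arn:aws:s3:::{bucket}/*",
    }


def build_oai_policy(bucket, canonical_user_id):
    """Bucket policy containing the OAI grant and nothing else (no public read)."""
    return {"Version": "2012-10-17",
            "Statement": [oai_statement(bucket, canonical_user_id)]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principals(stmt):
    """Normalize the Principal element to a list of (kind, value) pairs."""
    principal = stmt.get("Principal", {})
    if principal == "*":                       # bare "*" means everyone
        return [("AWS", "*")]
    return [(kind, v) for kind, vals in principal.items() for v in _as_list(vals)]


def _is_oai(kind, value):
    # Hand-written policies name the OAI by canonical user ID; the console's
    # "Yes, Update Bucket Policy" writes an IAM-style ARN for it instead.
    return kind == "CanonicalUser" or (
        kind == "AWS" and "CloudFront Origin Access Identity" in value)


def audit_policy(policy):
    """Return (sid, reason) findings that let users bypass CloudFront or exceed read-only.

    An empty list means the OAI can read objects, no public principal can, and the
    OAI holds no write or delete permission.
    """
    findings = []
    oai_can_read = False
    for stmt in policy.get("Statement", []):
        sid = stmt.get("Sid", "<no Sid>")
        if stmt.get("Effect") != "Allow":
            continue                            # Deny statements only tighten access
        actions = set(_as_list(stmt.get("Action", [])))
        for kind, value in _principals(stmt):
            if value == "*":
                findings.append((sid, "public principal: objects reachable via Amazon S3 URLs"))
            elif _is_oai(kind, value):
                if "s3:GetObject" in actions:
                    oai_can_read = True
                extra = actions - READ_ONLY_ACTIONS
                if extra:
                    findings.append((sid, f"OAI granted more than read: {sorted(extra)}"))
    if not oai_can_read:
        findings.append(("<policy>", "OAI has no s3:GetObject grant; CloudFront requests will be denied"))
    return findings


def add_oai_grant(existing_policy, bucket, canonical_user_id):
    """Mimic the console's automatic update: append the OAI grant, remove nothing."""
    merged = copy.deepcopy(existing_policy)
    merged.setdefault("Statement", []).append(oai_statement(bucket, canonical_user_id))
    return merged


# Constructed "before" policy: a public-read grant plus an over-broad OAI grant.
LEGACY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": f"arn:aws:s3:::{BUCKET}/*"},
        {"Sid": "OAIWrite", "Effect": "Allow",
         "Principal": {"CanonicalUser": OAI_CANONICAL_USER_ID},
         "Action": ["s3:GetObject", "s3:DeleteObject"],
         "Resource": f"arn:aws:s3:::{BUCKET}/*"},
    ],
}

if __name__ == "__main__":
    merged = add_oai_grant(LEGACY_POLICY, BUCKET, OAI_CANONICAL_USER_ID)
    for sid, reason in audit_policy(merged):
        print(f"{sid}: {reason}")           # both legacy problems survive the merge
    print(json.dumps(build_oai_policy(BUCKET, OAI_CANONICAL_USER_ID), indent=2))
```

Run the audit against the policy you actually retrieve from the bucket after saving it; the brief propagation delay noted above means a get immediately after a put may still show the old policy.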

Updating Amazon S3 ACLs

Using either the AWS Management Console or the Amazon S3 API, change the Amazon S3 ACL:

  • Grant the CloudFront origin access identity the applicable permissions on each object that the CloudFront distribution serves.

    To specify an origin access identity, use the value of Amazon S3 Canonical User ID on the Origin Access Identity page in the CloudFront console. If you're using the CloudFront API, use the value of the S3CanonicalUserId element that was returned when you created the origin access identity.

  • Deny access to anyone that you don't want to have access using Amazon S3 URLs.

If another AWS account uploads objects to your bucket, that account is the owner of the objects. By default, the account that owns objects in a bucket is the only account that can grant permissions to those objects. However, the AWS account that owns the objects can make you an owner, too, which allows you to change permissions on the objects.

For more information, go to Using ACLs in the Amazon Simple Storage Service Developer Guide.

You can also change the ACLs using code and one of the AWS SDKs. For an example, see the downloadable sample code in Create a URL Signature Using C# and the .NET Framework.