Restrict access to an AWS Elemental MediaStore origin
CloudFront provides origin access control (OAC) for restricting access to an AWS Elemental MediaStore origin.
Create a new origin access control
Complete the steps described in the following topics to set up a new origin access control in CloudFront.
Prerequisites
Before you create and set up origin access control, you must have a CloudFront distribution with a MediaStore origin.
Giving the origin access control permission to access the MediaStore origin
Before you create an origin access control or set it up in a CloudFront distribution, make sure the OAC has permission to access the MediaStore origin. Do this after creating a CloudFront distribution, but before adding the OAC to the MediaStore origin in the distribution configuration.
To give the OAC permission to access the MediaStore origin, use a MediaStore container policy to allow the CloudFront service principal (cloudfront.amazonaws.com) to access the origin. Use a Condition element in the policy to allow CloudFront to access the MediaStore container only when the request is on behalf of the CloudFront distribution that contains the MediaStore origin.
The following are examples of MediaStore container policies that allow a CloudFront OAC to access a MediaStore origin.
Example MediaStore container policy that allows read-only access to a CloudFront OAC
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowCloudFrontServicePrincipalReadOnly",
            "Effect": "Allow",
            "Principal": {
                "Service": "cloudfront.amazonaws.com"
            },
            "Action": [
                "mediastore:GetObject"
            ],
            "Resource": "arn:aws:mediastore:<region>:111122223333:container/<container name>/*",
            "Condition": {
                "StringEquals": {
                    "AWS:SourceArn": "arn:aws:cloudfront::111122223333:distribution/<CloudFront distribution ID>"
                },
                "Bool": {
                    "aws:SecureTransport": "true"
                }
            }
        }
    ]
}
Example MediaStore container policy that allows read and write access to a CloudFront OAC
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowCloudFrontServicePrincipalReadWrite",
            "Effect": "Allow",
            "Principal": {
                "Service": "cloudfront.amazonaws.com"
            },
            "Action": [
                "mediastore:GetObject",
                "mediastore:PutObject"
            ],
            "Resource": "arn:aws:mediastore:<region>:111122223333:container/<container name>/*",
            "Condition": {
                "StringEquals": {
                    "AWS:SourceArn": "arn:aws:cloudfront::111122223333:distribution/<CloudFront distribution ID>"
                },
                "Bool": {
                    "aws:SecureTransport": "true"
                }
            }
        }
    ]
}
Note
To allow write access, you must configure Allowed HTTP methods to include PUT in your CloudFront distribution's behavior settings.
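A container policy can be checked for the conditions described above before it is attached. The following Python check is an added example, not AWS code; the function names, region, container name, and distribution ID are constructed for illustration.

```python
import json

CF_PRINCIPAL = "cloudfront.amazonaws.com"

def _as_list(value):
    # Policy fields may hold a single value or a list of values.
    return value if isinstance(value, list) else [value]

def _cond(condition, operator, key):
    # Condition key names are case-insensitive (the page writes "AWS:SourceArn").
    block = condition.get(operator, {})
    return [str(v) for k, vals in block.items() if k.lower() == key.lower()
            for v in _as_list(vals)]

def audit_container_policy(policy_json, distribution_arn):
    """Return findings for each Allow statement naming the CloudFront service principal."""
    findings = []
    for stmt in _as_list(json.loads(policy_json)["Statement"]):
        principal = stmt.get("Principal", {})
        services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        if stmt.get("Effect") != "Allow" or CF_PRINCIPAL not in services:
            continue
        sid = stmt.get("Sid", "<no Sid>")
        cond = stmt.get("Condition", {})
        arns = _cond(cond, "StringEquals", "aws:SourceArn")
        if not arns:
            findings.append(f"{sid}: no aws:SourceArn condition, grant is not tied to one distribution")
        elif arns != [distribution_arn]:
            findings.append(f"{sid}: aws:SourceArn is not the expected distribution")
        if [v.lower() for v in _cond(cond, "Bool", "aws:SecureTransport")] != ["true"]:
            findings.append(f"{sid}: aws:SecureTransport is not required")
        if "mediastore:PutObject" in _as_list(stmt.get("Action", [])):
            findings.append(f"{sid}: write access granted (mediastore:PutObject), confirm it is intended")
    return findings

# Constructed sample values: region, container name and distribution ID are placeholders.
DIST_ARN = "arn:aws:cloudfront::111122223333:distribution/EXAMPLEDISTID"

def sample_policy(actions, condition):
    return json.dumps({"Version": "2012-10-17", "Statement": [{
        "Sid": "AllowCloudFrontServicePrincipal", "Effect": "Allow",
        "Principal": {"Service": CF_PRINCIPAL}, "Action": actions,
        "Resource": "arn:aws:mediastore:us-west-2:111122223333:container/example-container/*",
        "Condition": condition}]})

GOOD = sample_policy(["mediastore:GetObject"], {
    "StringEquals": {"AWS:SourceArn": DIST_ARN}, "Bool": {"aws:SecureTransport": "true"}})
UNSCOPED = sample_policy(["mediastore:GetObject", "mediastore:PutObject"], {})
```

The read-only sample produces no findings; the sample with an empty Condition element is reported for the missing distribution scope, the missing HTTPS requirement, and the write grant.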
Create the origin access control
To create an OAC, you can use the AWS Management Console, AWS CloudFormation, the AWS CLI, or the CloudFront API.
Advanced settings for origin access control
The CloudFront origin access control feature includes advanced settings that are intended only for specific use cases. Use the recommended settings unless you have a specific need for the advanced settings.
Origin access control contains a setting named Signing behavior (in the console), or SigningBehavior (in the API, CLI, and AWS CloudFormation). This setting provides the following options:
- Always sign origin requests (recommended setting)
  We recommend using this setting, named Sign requests (recommended) in the console, or always in the API, CLI, and AWS CloudFormation. With this setting, CloudFront always signs all requests that it sends to the MediaStore origin.
- Never sign origin requests
  This setting is named Do not sign requests in the console, or never in the API, CLI, and AWS CloudFormation. Use this setting to turn off origin access control for all origins in all distributions that use this origin access control. This can save time and effort compared to removing an origin access control from all origins and distributions that use it, one by one. With this setting, CloudFront does not sign any requests that it sends to the MediaStore origin.
  Warning
  To use this setting, the MediaStore origin must be publicly accessible. If you use this setting with a MediaStore origin that's not publicly accessible, CloudFront cannot access the origin. The MediaStore origin returns errors to CloudFront and CloudFront passes those errors on to viewers. For more information, see the example MediaStore container policy for Public read access over HTTPS.
- Don't override the viewer (client) Authorization header
  This setting is named Do not override authorization header in the console, or no-override in the API, CLI, and AWS CloudFormation. Use this setting when you want CloudFront to sign origin requests only when the corresponding viewer request does not include an Authorization header. With this setting, CloudFront passes on the Authorization header from the viewer request when one is present, but signs the origin request (adding its own Authorization header) when the viewer request doesn't include an Authorization header.
  Warning
  To pass along the Authorization header from the viewer request, you must add the Authorization header to a cache policy for all cache behaviors that use MediaStore origins associated with this origin access control.