S3 origin with CloudFront - Secure Content Delivery with Amazon CloudFront

S3 controls access through AWS Identity and Access Management (AWS IAM) together with bucket policies, bucket ACLs, and object ACLs. When you use an S3 bucket as a CloudFront origin, you can use a CloudFront Origin Access Identity (OAI) to restrict access to the bucket. An OAI is a special principal that S3 can authenticate, and it is associated with a CloudFront distribution. By allowing that OAI principal the s3:GetObject action in the bucket policy, S3 lets the CloudFront distribution access the content.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "StmtCFOAI",
                "Effect": "Allow",
                "Principal": {
                    "AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity <OAI ID>"
                },
                "Action": "s3:GetObject",
                "Resource": "arn:aws:s3:::<s3 bucket name>/*"
            }
        ]
    }

With this bucket policy in place, you can turn on “Block all public access” so that the S3 bucket is reachable only through CloudFront.
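A common failure mode is a bucket policy that grants the OAI as described above but also keeps an older public-read statement, which defeats the point of fronting the bucket with CloudFront. The following added example (not code from the page or from AWS) audits a bucket policy document offline: it reports any Allow of s3:GetObject on the bucket's objects to "everyone" or to a principal other than the OAI, and reports when no statement grants the OAI at all. The OAI ARN, bucket name, and the two sample policies are constructed placeholders.

```python
import json
from fnmatch import fnmatch

# Constructed placeholder values, not taken from the page or any real account.
OAI_ARN = "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity EXAMPLEOAIID"
BUCKET = "example-bucket"

# Constructed sample: the locked-down policy from the page, with placeholders filled in.
GOOD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "StmtCFOAI",
            "Effect": "Allow",
            "Principal": {"AWS": OAI_ARN},
            "Action": "s3:GetObject",
            "Resource": f"arn:aws:s3:::{BUCKET}/*",
        }
    ],
}

# Constructed sample: same OAI grant, plus a leftover public-read statement.
BAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        GOOD_POLICY["Statement"][0],
        {
            "Sid": "PublicRead",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": f"arn:aws:s3:::{BUCKET}/*",
        },
    ],
}


def _as_list(value):
    """IAM policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _principals(principal):
    """Flatten a Principal element to a list of principal strings ('*' means anyone)."""
    if principal == "*":
        return ["*"]
    out = []
    for entries in principal.values():  # keys such as AWS, Service, Federated
        out.extend(_as_list(entries))
    return out


def audit_oai_policy(policy, oai_arn, bucket):
    """Return a list of findings. An empty list means the only Allow of
    s3:GetObject on the bucket's objects is to the given OAI principal."""
    findings = []
    object_arn = f"arn:aws:s3:::{bucket}/*"
    oai_granted = False
    for stmt in policy.get("Statement", []):
        sid = stmt.get("Sid", "<no Sid>")
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only tighten access; not audited here
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        # IAM wildcards (* and ?) in Action/Resource behave like shell globs.
        grants_get = any(fnmatch("s3:GetObject", a) for a in actions)
        on_objects = any(fnmatch(object_arn, r) for r in resources)
        if not (grants_get and on_objects):
            continue
        principals = _principals(stmt.get("Principal", {}))
        if "*" in principals:
            findings.append(f"{sid}: grants s3:GetObject to everyone (public read)")
            continue
        if oai_arn in principals:
            oai_granted = True
        for p in principals:
            if p != oai_arn:
                findings.append(f"{sid}: grants s3:GetObject to non-OAI principal {p}")
    if not oai_granted:
        findings.append(f"no Allow statement grants s3:GetObject on {object_arn} to the OAI")
    return findings


def audit_policy_document(policy_json, oai_arn, bucket):
    """Audit a policy given as the JSON string S3 returns for a bucket policy."""
    return audit_oai_policy(json.loads(policy_json), oai_arn, bucket)


if __name__ == "__main__":
    for name, policy in (("GOOD_POLICY", GOOD_POLICY), ("BAD_POLICY", BAD_POLICY)):
        print(name, audit_oai_policy(policy, OAI_ARN, BUCKET) or "OK")
```

In practice the policy string would come from `aws s3api get-bucket-policy --bucket <name> --query Policy --output text` and be passed to audit_policy_document. Statements carrying a Condition are still flagged when their principal is "*", which is deliberate: a conditional public grant deserves a manual look rather than a silent pass.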