Amazon S3 origins with CloudFront

Amazon Simple Storage Service (Amazon S3) provides access controls in conjunction with AWS Identity and Access Management (IAM), bucket policy, bucket ACL, and object ACL.

When using Amazon S3 origins with CloudFront, you can use CloudFront Origin Access Control (OAC) to secure Amazon S3 bucket access. When setting up OAC, CloudFront will provide an IAM policy that can be used in your Amazon S3 bucket policy. The bucket policy creates a service principal that allows your CloudFront distribution to authenticate with Amazon S3. By allowing the CloudFront service principal, an s3:GetObject action in the bucket policy, Amazon S3 allows CloudFront distribution to access to the content.

In the following example, replace <S3 bucket name>, <AWS account ID>, and <CloudFront distribution ID> with your own information.


{
    "Version": "2012-10-17",
    "Statement": {
        "Sid": "AllowCloudFrontServicePrincipalReadOnly",
        "Effect": "Allow",
        "Principal": {
            "Service": "cloudfront.amazonaws.com"
        },
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::<S3 bucket name>/*",
        "Condition": {
            "StringEquals": {
                "AWS:SourceArn": "arn:aws:cloudfront::<AWS account ID>:distribution/<CloudFront distribution ID>"
            }
        }
    }
}

With this bucket policy set, you can turn on “Block all public access” to make the S3 bucket reachable only through CloudFront.

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Protecting your origin by allowing access to CloudFront only

Custom origin with CloudFront