Case study

CategoryArticles

Amazon Cloudfront Origin Access Control (OAC): All you Need to Know

In this article, you will learn:

Amazon CloudFront is a global content delivery network (CDN) from Amazon Web Services (AWS) that securely delivers applications, websites, videos, and APIs to viewers across the globe in milliseconds.

One of the most used AWS architectures is Amazon S3 which is used as the origin to host content (images, videos, other objects), and CloudFront, which is used to deliver them to viewers. When using this architecture, customers can leverage CloudFront’s origin access identity (OAI) to secure S3 bucket access to CloudFront only.

AWS introduced a new function that replaces OAI, and it has a very similar name: CloudFront origin access control (OAC) and it brings some new features, so let’s look at what CloudFront OAC is, how it works, new features, how to migrate from OAI and how to set it up in AWS Management Console.

You can also watch our video about CloudFront OAC:

What is origin access control (OAC)

OAC is a simple function that can be found in CloudFront distribution settings.

CloudFront OAC set 1

With OAC you can:

  • Restricts access to the Amazon S3 bucket so that it's not publicly accessible.
  • Make sure that users can access the content in the S3 bucket only through the specified CloudFront distribution.
  • Reduce the overall costs of Data transfer out, because serving data directly from S3 costs more than serving them through CloudFront distribution.

OAC prevents users from viewing your S3 files by simply using the direct URL, for example:

  • app-private-bucket-stormit.s3.eu-central-1.amazonaws.com/pics/logo.png

Your users can only use the URL of your CloudFront distribution (or your domain name if you set it). For example:

  • d2whx7jax6hbi5.cloudfront.net/pics/logo.png

CloudFront OAC

Save up to 60% on your CloudFront costs with StormIT optimized pricing.

Estimate savings

New features of OAC

OAC is based on the AWS best practice of using IAM service principals to authenticate with S3 origins. Compared with OAI, some of the notable enhancements OAC include:

  • OAC is implemented with enhanced security practices like short-term credentials, frequent credential rotations, and resource-based policies. It provides better protection against attacks like a confused deputy.
  • OAC supports HTTP requests: GET, PUT, POST, PATCH, DELETE, OPTIONS, and HEAD.
  • Server-side encryption with AWS Key Management Service – SSE-KMS – and OAC supports downloading and uploading encrypted S3 objects.

Signing requests

When configuring OAC, you can choose among three signing behaviors – “Do not sign requests”, “Sign requests” and “Do not override authorization header”.

It’s recommended most customers use the “Sign requests” option as it ensures your applications will always work because CloudFront will always sign the incoming request.

CloudFront OAC set 2

You can choose this option if your client application always signs requests or if your S3 bucket is public. Note that the Do Not Sign Requests option is equivalent to not using origin access control. This option is useful when you want to change the OAC's signing options for a large number of CloudFront distributions.

If you configure the Sign requests option, the IAM CloudFront service principal signs each request using SigV4. The signature is then inserted along with other data to form the authorization header sent to your S3 origin. When your S3 origin receives this request, it takes steps to calculate the signature and compare it to the signature that CloudFront sends with the request.

“Do not override authorization header” option

If your client application can sign requests, and your use case involves switching between client-signed and CloudFront-signed Authorization headers based on attributes such as different caching behavior, file directories, HTTP methods, edge machine calls, etc.

SSE-KMS support

If you are using legacy OAI, your data is already protected in transit, and you can protect your data at rest using Server-Side Encryption with Amazon S3-Managed Keys (SSE-S3).

If your organisation's policy requires that SSE-KMS encryption be used, you can use OAC to access SSE-KMS encrypted S3 objects.

You just need to configure your KMS policy to allow the CloudFront IAM principal to access your KMS keys with the simple

1. Go to the KMS console (select your region). 2. Select your customer-managed KMS key.

CloudFront OAC set KMS 1

3. Select the “Key policy” tab and click “Switch to policy view”.

CloudFront OAC set KMS 2

4. Edit the policy and add access to the CloudFront service principal.

a. Replace ACCOUNT_ID with the AWS account ID that contains the CloudFront distribution, S3 bucket, and the KMS key.
b. Replace DISTRIBUTION_ID with the ID of the CloudFront distribution.

{
        "Sid":"AllowCloudFrontServicePrincipalSSE-KMS",
        "Effect":"Allow",
        "Principal":{
            "AWS":"arn:aws:iam:: ACCOUNT_ID:root",
            "Service":"cloudfront.amazonaws.com"
        },
        "Action":[
            "kms:Decrypt",
            "kms:Encrypt",
            "kms:GenerateDataKey*"
        ],
        "Resource":"*",
        "Condition":{
                "StringEquals": {
                    "AWS:SourceArn":"arn:aws:cloudfront::ACCOUNT_ID:distribution/DISTRIBUTION_ID"
                }
            }
}

Can you use the S3 bucket static website endpoint and OAC?

It stays the same as for the OAI (origin access identity): you cannot use origin access control (OAC) with the S3 bucket website endpoint.

These two functions do not work together because you are only able to set the OAC for the S3 bucket directly, for example, you choose this origin domain in CloudFront distribution:

test-bucket-website-stormit-2022.s3.eu-central-1.amazonaws.com

And if you use an S3 website endpoint, you are not able to enable OAC, for example like this:

test-bucket-website-stormit-2022.s3-website.eu-central-1.amazonaws.com

One of the main reasons to use the S3 static website hosting function is that you can useredirection rules. This will not work if you use the OAC function in CloudFront.

But there is a way to set permissions when using CloudFront and the S3 website endpoint through [restricting access to files on CloudFront custom origins or serving private content with signed URLs and signed cookies.

Do I need to migrate to OAC?

At this point, there are a lot of customers that are using OAI in their environment. It’s recommended you use OAC for its latest security and some additional functionalities, but CloudFront at this moment supports both the OAC and OAI.

OAI will only be supported in existing AWS regions and regions launched before December 2022.

So there is no hurry to migrate from OAI to OAC. But if you have a distribution configured to use OAI, you can easily migrate the distribution to OAC with a few simple clicks. It’s best to leave the OAI bucket policy until your CloudFront distribution will be deployed after updating.

OAC set up for CloudFront distributions

Configure OAC when creating a CloudFront distribution

1. Log in to the CloudFront Console.

2. Click on “Create Distribution”.

3. Select your S3 bucket as the origin domain.

CloudFront OAC setup 1

4. Choose “Origin access control settings” and click on “Create control setting”.

CloudFront OAC setup 2

5. You can leave a name as default. In a majority of cases, you can leave “Signing behavior” as “Sign requests”, but you can read more about this option in the previous part of this article. Click on “Create”.

CloudFront OAC setup 3

6. It’s also good to select “Redirect HTTP to HTTPS” or “HTTPS only” for this type of distribution.

CloudFront OAC setup 4

7. We can leave everything else on default and click on “Create distribution”.

8. You should see a blue panel in the upper part of your browser window.

a. Click on “Copy policy” and click on “Go to S3 bucket permissions to update policy”.

CloudFront OAC setup 4

b. If you unintentionally close this panel, you’ll find this new S3 bucket policy in the settings of your new CloudFront distribution, under “Origins”, then click on “Edit”.

CloudFront OAC setup 4

c. And here it is under Bucket policy.

CloudFront OAC setup 5

9. Go to S3 bucket permissions and click “Edit” next to Bucket policy.

CloudFront OAC setup 6

10. Copy the policy inside and click on “Save changes”. You can delete a policy for anonymous access if you have it here.

Here is my policy as an example:

{
    "Version":"2008-10-17",
    "Id":"PolicyForCloudFrontPrivateContent",
    "Statement":[
        {
            "Sid": "AllowCloudFrontServicePrincipal",
            "Effect":"Allow",
            "Principal":{
                "Service":"cloudfront.amazonaws.com"
            },
            "Action":"s3:GetObject",
            "Resource":"arn:aws:s3:::test-bucket-main-2022/*",
            "Condition":{
                "StringEquals":{
                  "AWS:SourceArn":"arn:aws:cloudfront::913877976938:distribution/E28H6NNXS8GTVO"
                }
            }
        }
    ]
}

11. You should also block public access to the S3 bucket.

OAI migrating and configuring OAC for existing CloudFront distributions and S3 bucket

This manual can also be used for users that need to migrate from OAI to OAC, but we recommend leaving the OAI S3 bucket policy until your CloudFront distribution is updated and deployed successfully, then you can delete the OAI bucket policy in your S3 bucket.

1. Log in to the CloudFront Console.

2. If you already have an OAC, you can use it. If you don’t you can create it by clicking on “Origin access” in the left panel.

cloudfront oorigin access settings

3. Next click on “Create control setting”.

cloudfront oorigin access settings 1

4. Fill in the name. In a majority of cases, you can leave “Signing behavior” as “Sign requests”, but you can read more about this option in the previous part of this article. Click on “Create”.

cloudfront oorigin access settings 3

5. Go to your CloudFront distributions and select the one that has an S3 origin and that you want to enable OAC for it.

6. Choose the “Origins” tab. Select the Amazon S3 origin, and then choose “Edit”.

cloudfront oorigin access settings 3

7. Choose “Origin access control settings” and for the Origin access control select the previously created OAC – NewOAC. Click on Copy policy and go to S3 bucket permissions.

cloudfront oorigin access settings 3

8. In S3 bucket permissions, click “Edit” next to Bucket policy.

cloudfront oorigin access settings 3

9. Copy the policy inside and click on “Save changes”. You can delete a policy for anonymous access if you have it here.

cloudfront oorigin access settings 3

10. Go back to the CloudFront settings tab in your browser and choose “Save changes”. Note that it can take a while for the change to take effect.

11. Do not forget to block all public access in permissions for your S3 bucket.

Conclusion

CloudFront origin access control is now available globally. This blog post tried to describe what it is for and how it is different from OAI. Now it’s on you if you want to start using it or migrate to this function from OAI. We have looked at how to start using it through the AWS Management console but you can also start using OAC through the API, SDK, or CLI.

Are you ready to accelerate your business to the cloud?

Contact us

Similar blog posts

See all posts
CategoryCase Studies

InScope Choses StormIT and AWS for Deployment of their AML Solution

InScope chose to migrate its core technology platform to Amazon Web Services, a cloud leader in Infrastructure & Platform Services

Find out more
CategoryArticles

What is a Web Application Firewall (WAF) and Why Use it?

What is the difference between a firewall and a web application firewall (WAF) and what are the benefits of WAF. Learn more...

Find out more
CategoryArticles

AWS Instance Scheduler: Everything you Need to Know and Tutorial

What is the AWS Instance Scheduler? Deployment of the AWS Instance Scheduler solution. Learn more

Find out more
CategoryArticles

Scalability in Cloud Computing: Horizontal vs. Vertical Scaling

Look deeper into horizontal and vertical scaling and also into AWS scalability and which services you can use.

Find out more
CategoryArticles

Does Putting CloudFront in Front of API Gateway Make Sense?

Learn about API Gateway endpoint types and the difference between Edge-optimized API gateway and API Gateway with CloudFront distribution.

Find out more
CategoryCase Studies

Windy - The Extraordinary Tool for Weather Forecast Visualization

StormIT helps Windy optimize their Amazon CloudFront CDN costs to accommodate for the rapid growth.

Find out more