Amazon Cloudfront Origin Access Identity (OAI): What it is and How to Use it?

When you set up an Amazon S3 bucket as the origin of an Amazon CloudFront distribution, you typically give everyone permission to read the files in the bucket (public access). This allows anyone to access your files either through CloudFront or directly through an Amazon S3 URL. CloudFront doesn't expose Amazon S3 URLs, but if your application serves any files directly from Amazon S3, or if someone shares a direct link to a specific file in Amazon S3, your users may still find these URLs.

In this blog post, you'll learn about CloudFront origin access identities, which address the need to secure and restrict public access to S3 buckets behind a CloudFront distribution.

What is Amazon CloudFront origin access identity (OAI)?

Amazon CloudFront OAI is a simple feature of a CloudFront distribution that you can enable when you select an S3 bucket as the origin. If you don’t use an OAI, the S3 bucket must allow public access.

OAI prevents users from viewing your S3 files by simply using the direct URL for the file, for example:

https://app-private-bucket-stormit.s3.eu-central-1.amazonaws.com/pics/logo.png

Your users can only use the URL of your CloudFront distribution, for example:

https://d2whx7jax6hbi5.cloudfront.net/pics/logo.png

S3 bucket static website endpoint and OAI

You cannot set OAI for the S3 bucket website endpoint.

These two features do not work together because you are only able to set the OAI for the S3 bucket (REST) endpoint directly:

test-bucket-website-stormit-2022.s3.eu-central-1.amazonaws.com

And you are not able to enable it for its website endpoint:

test-bucket-website-stormit-2022.s3-website.eu-central-1.amazonaws.com

One of the main reasons for using S3 static website hosting is that you can very simply use redirection rules. This will not work if you use OAI in CloudFront, because OAI requires the bucket endpoint, not the website endpoint, as the origin.

The only way to restrict access when using CloudFront with the S3 website endpoint is to treat it as a custom origin and restrict access to files on CloudFront custom origins, or to serve private content with signed URLs and signed cookies.

How does CloudFront OAI work?

1. CloudFront OAI works by first creating a CloudFront user/permission called an origin access identity (OAI) and associating it with your distribution.

2. Then it gives the OAI permission to read the files in your S3 bucket.

3. You can then remove permission for anyone else to use Amazon S3 URLs to read the files.

Why should you use CloudFront S3 OAI?

Essentially, we don't want users to be able to browse to our S3 bucket using the S3 URL; we want to force them to use the CloudFront URL. With an OAI, CloudFront sends authenticated requests to your S3 bucket. This means you can block public access to your S3 bucket while still allowing CloudFront to fetch objects from it, so users go through CloudFront instead of directly to your origin. Furthermore:

  • Data is more secure, and it’s simpler to monitor who has access to that data.
  • Access to your files is generally faster when only the CloudFront URL is used to deliver your objects instead of S3, because the objects are cached at the edge, closer to your users.
  • It can help you reduce overall data transfer out costs, because serving data directly from S3 costs more than serving it through a CloudFront distribution.

Set up OAI for new CloudFront distributions

Let’s assume that we have an S3 bucket with videos that we need to share publicly through a CloudFront distribution. We also need to cost-optimize data transfer out and hide our S3 URLs, so we need to be sure that our users are only using CloudFront URLs.

1. Log in to the CloudFront Console.

2. Click on “Create Distribution”.

3. Select S3 bucket as origin domain, choose “Yes use OAI” and click on “Create new OAI”.

4. Name your OAI and click “Create”.

5. Next you need to select “Yes, update the bucket policy”. This will update the policy of your S3 bucket by adding a statement that grants this OAI read access to the files in the bucket.

If you choose “Yes, update the bucket policy”, CloudFront updates the S3 bucket permissions to grant the specified OAI permission to read files in your bucket. However, CloudFront does not remove existing permissions, so any earlier public-read statement stays in place until you remove it yourself. If you want to manually update permissions on your Amazon S3 bucket, choose “No, I will update the bucket policy”.

Example of CloudFront OAI S3 bucket policy:

{
    "Version": "2008-10-17",
    "Id": "PolicyForCloudFrontPrivateContent",
    "Statement": [
        {
            "Sid": "1",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity E315IEIAPWW6YR"
            },
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::test-bucket-website-stormit-2022/*"
        }
    ]
}

6. It’s also good to select “Redirect HTTP to HTTPS” or “HTTPS only” for this type of distribution.

7. You can leave everything else as default. Click on “Create distribution”.

8. Do not forget to block all public access in permissions for your S3 bucket. You should also see a new bucket policy.
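As an added example (not code from the original article or from AWS), the following Python checks the resulting bucket policy the way step 5 warns you should: it flags every unconditional Allow statement whose principal is everyone, strips those statements, and leaves only the OAI grant. The bucket name and OAI ID are taken from the article's sample policy; the "PublicRead" statement is constructed to model a bucket that was public before the OAI statement was appended.

```python
import copy
import json

# Values from the article's sample policy.
BUCKET = "test-bucket-website-stormit-2022"
OAI_ID = "E315IEIAPWW6YR"
OAI_ARN = f"arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity {OAI_ID}"

# Constructed sample: what the policy looks like after the console appended the OAI
# statement to a bucket that already had a public-read statement.
EXISTING_POLICY = {
    "Version": "2008-10-17",
    "Id": "PolicyForCloudFrontPrivateContent",
    "Statement": [
        # Leftover from the public phase: "Yes, update the bucket policy" does not remove it.
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": f"arn:aws:s3:::{BUCKET}/*"},
        # Statement CloudFront added for the OAI.
        {"Sid": "1", "Effect": "Allow", "Principal": {"AWS": OAI_ARN},
         "Action": "s3:GetObject", "Resource": f"arn:aws:s3:::{BUCKET}/*"},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]

def is_public_statement(stmt):
    """Unconditional Allow whose principal is everyone ("*" or {"AWS": "*"})."""
    if stmt.get("Effect") != "Allow" or "Condition" in stmt:
        return False
    principal = stmt.get("Principal")
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))

def public_statement_sids(policy):
    """Sids of statements that still let anyone read objects via the S3 URL."""
    return [s.get("Sid", "<no Sid>") for s in policy["Statement"] if is_public_statement(s)]

def without_public_statements(policy):
    """Copy of the policy with every public statement removed; the OAI grant stays."""
    hardened = copy.deepcopy(policy)
    hardened["Statement"] = [s for s in hardened["Statement"] if not is_public_statement(s)]
    return hardened

if __name__ == "__main__":
    print("public statements still present:", public_statement_sids(EXISTING_POLICY))
    print(json.dumps(without_public_statements(EXISTING_POLICY), indent=2))
```

Run it against the policy returned by the console (or `aws s3api get-bucket-policy`) after step 5; a non-empty list means the direct S3 URL from the introduction still works and the bucket is not yet private.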

Set up OAI for existing CloudFront distributions

1. Log in to the CloudFront Console.

2. If you already have an OAI, you can use it. If you don’t, you can create one by clicking on “Origin access identities”.

3. Next click on “Create origin access identity”.

4. Name your OAI and click on “Create”.

5. Go back to CloudFront distributions and select the one that has an S3 origin.

6. Choose the “Origins” tab. Select the Amazon S3 origin, and then choose “Edit”.

7. For S3 bucket access, choose “Yes use OAI”. Select an OAI and “Yes, update the bucket policy”.

8. Choose “Save changes”. Note that it can take a while for the change to take effect and the CloudFront URLs to be used instead of the S3 URLs.

9. Do not forget to block all public access in permissions for your S3 bucket.