
Amazon CloudFront Origin Access Identity (OAI): What it is and How to Use it


When you use an Amazon S3 bucket as the origin of an Amazon CloudFront distribution, you typically grant everyone permission to read the objects in the bucket (public access). That lets anyone fetch your files either through CloudFront or directly with an Amazon S3 URL. CloudFront doesn't expose the S3 URLs, but if your application serves any file directly from S3, or someone shares a direct link to an object, users can still discover and use those URLs, bypassing the caching and access controls you configured on the distribution.


In this blog post, you'll learn about CloudFront origin access identities, which address the need to secure and restrict public access to S3 buckets behind a CloudFront distribution.




What is Amazon CloudFront origin access identity (OAI)?

Amazon CloudFront OAI is a feature of a CloudFront distribution that you can enable when you select an S3 bucket as the origin. Without an OAI, the S3 bucket must allow public read access for CloudFront to fetch objects at all. Note that AWS now recommends the newer origin access control (OAC) for new distributions; existing OAI configurations keep working.


An OAI lets you deny anonymous reads, so users can no longer fetch your S3 objects by using the direct bucket URL, for example:

https://app-private-bucket-stormit.s3.eu-central-1.amazonaws.com/pics/logo.png


Your users can only use the URL of your CloudFront distribution, for example: https://d2whx7jax6hbi5.cloudfront.net/pics/logo.png

S3 bucket static website endpoint and OAI

You cannot use an OAI with an S3 bucket website endpoint.

The two features don't work together because CloudFront treats a website endpoint as a custom (HTTP) origin, not as an S3 origin, and an OAI can only be attached to an S3 origin, that is, the bucket's REST endpoint:


test-bucket-website-stormit-2022.s3.eu-central-1.amazonaws.com


And you are not able to enable it for its website endpoint:


test-bucket-website-stormit-2022.s3-website.eu-central-1.amazonaws.com


One of the main reasons for using S3 static website hosting is that it gives you index documents and redirection rules with very little setup. The REST endpoint that an OAI requires ignores the website configuration, so those rules do not apply when you use the OAI function in CloudFront.


If you need the website endpoint, you cannot make the bucket private with an OAI. The remaining options are to restrict access on the CloudFront custom origin, for example by having CloudFront add a secret custom header (commonly Referer) to origin requests and requiring that header in a bucket-policy condition, or to serve private content with CloudFront signed URLs and signed cookies. The custom-header approach still leaves the bucket anonymously readable to anyone who knows the header value, so treat that value as a secret and rotate it.


How does CloudFront OAI work?

1. You create a special CloudFront identity called an origin access identity (OAI) and associate it with the S3 origin of your distribution.

2. You grant that OAI permission to read the objects in your S3 bucket (an s3:GetObject allow in the bucket policy).

3. You remove permission for everyone else, so anonymous requests with an S3 URL are denied while CloudFront's requests, which are signed as the OAI, succeed.


Why should you use CloudFront S3 OAI?

Essentially, we don't want users to be able to browse to our S3 bucket using the S3 URL; we want to force them to use the CloudFront URL. With an OAI, CloudFront sends authenticated requests to your S3 bucket. This means you can block public access to your S3 bucket while still allowing CloudFront to fetch objects from it, so viewers go through CloudFront instead of straight to your origin. Furthermore:

  • Your data is better protected: there is a single access path, so it is simpler to audit who can read the objects and to log access in one place.

  • Delivery is generally faster when objects are fetched only through the CloudFront URL, because CloudFront caches them at edge locations closer to your users, whereas a direct S3 URL always hits the bucket's region.

  • It can reduce your data-transfer-out costs: serving objects directly from S3 costs more than serving them through a CloudFront distribution, and transfer from S3 to CloudFront is not charged.



Set up OAI for new CloudFront distributions

Let's assume that we have an S3 bucket with videos that we need to share publicly through a CloudFront distribution. We also want to optimize the cost of data transfer out and hide our S3 URLs, so we need to be sure that our users only use CloudFront URLs.



1. Log in to the CloudFront Console.

2. Click on “Create Distribution”.


3. Select S3 bucket as origin domain, choose “Yes use OAI” and click on “Create new OAI”.


4. Name your OAI and click “Create”.

5. Next, select “Yes, update the bucket policy”. CloudFront will add a statement to your S3 bucket policy that grants this OAI read access to the objects in the bucket. Note that the grant is to the OAI, not to the distribution: any distribution that uses the same OAI can read the bucket.


If you choose Yes, update the bucket policy, CloudFront updates the S3 bucket permissions to grant the specified OAI permission to read files in your bucket. However, CloudFront does not remove existing permissions: a public-read statement or a public ACL that was already there stays, and the direct S3 URLs keep working until you remove it yourself. If you want to manage the bucket policy by hand, choose No, I will update the bucket policy.


Example of the bucket policy statement CloudFront writes for an OAI:

{
    "Version": "2008-10-17",
    "Id": "PolicyForCloudFrontPrivateContent",
    "Statement": [
        {
            "Sid": "1",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity E315IEIAPWW6YR"
            },
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::test-bucket-website-stormit-2022/*"
        }
    ]
}

6. It’s also good to select “Redirect HTTP to HTTPS” or “HTTPS only” for this type of distribution.


7. You can leave everything else as default. Click on “Create distribution”.


8. Do not forget to turn on “Block all public access” in the permissions of your S3 bucket. The OAI is not a public principal, so this setting does not interfere with the policy CloudFront wrote. Also remove any remaining public statements from the bucket policy and any public-read ACLs, since CloudFront leaves those in place. You should now see the new OAI statement in the bucket policy.
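Because CloudFront only adds the OAI grant and never removes what was there before (step 5 and the note under it), it is worth checking the bucket policy for leftover anonymous grants before you rely on the OAI. The following is an added example, not code from the original article or from AWS: it builds the statement CloudFront writes, lists every statement that still allows anonymous access, and produces a hardened copy of the policy. The bucket name, the deploy role and the sample "before" policy are constructed for the example; the OAI ID is the one from the policy shown above.

```python
import copy
import json

# Constructed sample (assumed names): a bucket that was public before the OAI
# was enabled. The OAI ID is the one shown in the article's policy example.
BUCKET = "app-private-bucket-stormit"
OAI_ID = "E315IEIAPWW6YR"

EXISTING_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {   # the public-read grant that "Yes, update the bucket policy" leaves in place
            "Sid": "PublicRead",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": f"arn:aws:s3:::{BUCKET}/*",
        },
        {   # an unrelated, non-public grant that must survive the cleanup
            "Sid": "DeployRole",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::123456789012:role/deploy"},
            "Action": ["s3:PutObject", "s3:GetObject"],
            "Resource": f"arn:aws:s3:::{BUCKET}/*",
        },
    ],
}


def oai_statement(bucket, oai_id, sid="AllowCloudFrontOAI"):
    """The grant CloudFront writes for an OAI. The principal is the OAI itself,
    not the distribution, so every distribution using this OAI can read the bucket."""
    return {
        "Sid": sid,
        "Effect": "Allow",
        "Principal": {
            "AWS": f"arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity {oai_id}"
        },
        "Action": "s3:GetObject",
        "Resource": f"arn:aws:s3:::{bucket}/*",
    }


def grants_everyone(statement):
    """True for an Allow whose principal is anonymous ("*" or {"AWS": "*"}).
    Such a statement keeps the direct S3 URL readable even after the OAI grant
    exists; a Condition (e.g. aws:Referer) narrows it but does not close it."""
    if statement.get("Effect") != "Allow":
        return False
    principal = statement.get("Principal")
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def public_statements(policy):
    """Sids of statements that still allow anonymous access."""
    return [s.get("Sid", "<no Sid>") for s in policy.get("Statement", []) if grants_everyone(s)]


def harden(policy, bucket, oai_id):
    """Return a copy of the policy with anonymous grants removed and the OAI grant
    added. The input is left untouched so you can diff the two before applying."""
    hardened = copy.deepcopy(policy)
    hardened["Statement"] = [s for s in hardened.get("Statement", []) if not grants_everyone(s)]
    hardened["Statement"].append(oai_statement(bucket, oai_id))
    return hardened


if __name__ == "__main__":
    print("anonymous grants before:", public_statements(EXISTING_POLICY))
    print(json.dumps(harden(EXISTING_POLICY, BUCKET, OAI_ID), indent=4))
```

Run it against the output of `aws s3api get-bucket-policy` for your bucket and apply the hardened document with `aws s3api put-bucket-policy` once the diff looks right. Policy-level cleanup does not cover object or bucket ACLs, so step 8 (blocking public access) is still required.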


Set up OAI for existing CloudFront distributions

1. Log in to the CloudFront Console.

2. If you already have an OAI, you can reuse it. If you don’t, create one by clicking on “Origin access identities”.


3. Next click on “Create origin access identity”.


4. Name your OAI and click on “Create”.


5. Go back to CloudFront distributions and select the one that has an S3 origin.


6. Choose the “Origins” tab. Select the Amazon S3 origin, and then choose “Edit”.


7. For S3 bucket access, choose “Yes use OAI”. Select an OAI and “Yes, update the bucket policy”.


8. Choose “Save changes”. The distribution goes back into the Deploying state, and it can take several minutes for the change to reach all edge locations. Also remember that direct S3 URLs keep working until you block public access on the bucket and remove the public grants, as in the previous procedure.
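After either procedure has deployed, the quickest way to confirm the result is to request the same object anonymously through both URLs: the direct S3 URL should now return 403 and the CloudFront URL 200. The following is an added example, not code from the original article: it fetches both URLs and classifies the outcome, including the two common failure states. The URLs are the article's example hostnames and path; `http_status` and `verify_oai` are helpers assumed for this example, and the fetcher is injectable so the classification can be exercised offline.

```python
import urllib.error
import urllib.request

# Constructed URLs: the article's example hostnames and object path.
S3_URL = "https://app-private-bucket-stormit.s3.eu-central-1.amazonaws.com/pics/logo.png"
CF_URL = "https://d2whx7jax6hbi5.cloudfront.net/pics/logo.png"


def http_status(url, timeout=10):
    """Status code of an anonymous GET (assumed helper); 4xx/5xx are returned, not raised."""
    req = urllib.request.Request(url, headers={"User-Agent": "oai-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def verify_oai(s3_url, cf_url, fetch=http_status):
    """Compare the anonymous status of the direct S3 URL and the CloudFront URL.

    The end state the procedures above aim for is S3 -> 403 and CloudFront -> 200.
    `fetch` is injectable so the logic can be tested without network access.
    """
    s3, cf = fetch(s3_url), fetch(cf_url)
    if s3 == 200:
        # The bucket is still readable directly: a public bucket-policy statement
        # or a public-read ACL was left in place, or Block Public Access is off.
        state = "still_public"
    elif s3 == 403 and cf == 200:
        state = "ok"
    elif s3 == 403 and cf == 403:
        # CloudFront signs as the OAI but S3 rejects it: the OAI grant is missing
        # from the bucket policy or names a different OAI, the distribution change
        # has not finished deploying, or the objects use SSE-KMS, which an OAI
        # cannot read.
        state = "cloudfront_denied"
    else:
        state = "unexpected"
    return {"s3": s3, "cloudfront": cf, "state": state}


if __name__ == "__main__":
    print(verify_oai(S3_URL, CF_URL))
```

A 403 from S3 does not by itself prove the object exists: S3 answers 403 rather than 404 to anonymous callers that lack s3:ListBucket. The 200 from CloudFront is what confirms both that the object is there and that the OAI can read it.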