Using AWS I am quite comfortable with the following scenario: the S3 bucket example.com set up as a static web site, with example.com served from CloudFront.
However, as you know, it would still be possible to access the web site directly under its alternate URL from the S3 bucket using HTTP. I would like to prevent users from directly accessing the S3 bucket URL.
Several tutorials on the web, including the CloudFront documentation, say that I need to create an Origin Access Identity (OAI) and restrict access to the S3 bucket only to the CloudFront distribution using that OAI. However this documentation also says that I can't use OAI with an S3 bucket set up as a static website endpoint.
So that leaves me with a couple of questions that aren't clear to me from the documentation:
1. For the S3 bucket example.com, once I connect it to CloudFront using an OAI, will I still be able to access the S3 bucket content via CloudFront over HTTPS? That is, does CloudFront provide "static web site access" to my S3 bucket even though I've turned off static website hosting for the bucket?
2. When configuring an S3 bucket for static web site hosting, S3 allows me to set up "routing rules" to redirect foo.html to bar.html for example. If I turn off static web site hosting for my S3 bucket, how do I set up redirects? Does CloudFront provide similar routing rules that I can configure, or is there another way to accomplish this?
By default, your Amazon S3 bucket and all the files in it are private—only the Amazon account that created the bucket has permission to read or write the files. If you want to allow anyone to access the files in your Amazon S3 bucket using CloudFront URLs, you must grant public read permissions to the objects.
Open the CloudFront console. Choose Create Distribution. Under Origin, for Origin domain, choose your S3 bucket's REST API endpoint from the dropdown list. Or, enter your S3 bucket's website endpoint.
To use a bucket that is completely private, "Restrict Bucket Access" must be set to Yes. CloudFront now uses signed URLs for requesting new assets, and you must use an existing identity or let CloudFront create a new one. CloudFront can update your bucket policy, or you can do it on your own.
It's a best practice to use SSL (HTTPS) for your website. To use a custom domain with HTTPS, select Custom SSL certificate. You can choose Request certificate to request a new certificate. If you aren't using a custom domain, then you can still use HTTPS with the cloudfront.net domain name for your distribution.
The other ways to restrict access to S3 website endpoint from CloudFront are:
S3 bucket policy to allow access only from CloudFront IP addresses (see the published CloudFront IP range).
Create an S3 policy based on conditions such as Referer and whitelist the Referer header on CloudFront. This only works if you're serving assets from CloudFront, not the main index page, as the main index page won't have the Referer header in the request.
If you use the S3 REST API endpoint instead of the S3 website endpoint as an origin, your website will still work on HTTPS (SSL terminates on CloudFront), but there are a couple of problems:
For your question of foo.html and bar.html, you need to use a Lambda@Edge function to change the URI with an origin request function.
Lambda@edge examples
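As an added illustration (not code from the answer above or from AWS), here is what such an origin-request Lambda@Edge handler can look like: it reproduces the foo.html to bar.html routing rule as a 301 from the edge and maps directory-style URIs to index.html, since the REST endpoint has no index-document concept. The redirect table and the index.html convention are constructed assumptions.

```javascript
'use strict';

// Constructed redirect table, standing in for the S3 website "routing rules"
// that no longer apply once the REST endpoint (not the website endpoint) is the origin.
const REDIRECTS = {
  '/foo.html': '/bar.html',
};

// Build a CloudFront-style response object. An origin-request handler may
// return a response instead of a request; CloudFront then serves it without
// contacting S3 at all.
function redirectTo(location) {
  return {
    status: '301',
    statusDescription: 'Moved Permanently',
    headers: {
      location: [{ key: 'Location', value: location }],
      'cache-control': [{ key: 'Cache-Control', value: 'max-age=3600' }],
    },
  };
}

// Decide what to do with one request: return a redirect response, or the
// request with its URI rewritten to the S3 object key that should be fetched.
function routeRequest(request) {
  const uri = request.uri;
  if (Object.prototype.hasOwnProperty.call(REDIRECTS, uri)) {
    return redirectTo(REDIRECTS[uri]);
  }
  // "/" and "/docs/" -> the index.html object in that prefix.
  if (uri.endsWith('/')) {
    return { ...request, uri: uri + 'index.html' };
  }
  // Extension-less paths such as "/docs" -> "/docs/index.html".
  const last = uri.split('/').pop();
  if (!last.includes('.')) {
    return { ...request, uri: uri + '/index.html' };
  }
  // Anything else (e.g. "/assets/app.js") is passed to S3 unchanged.
  return request;
}

// Lambda@Edge entry point for an origin-request trigger.
const handler = async (event) => routeRequest(event.Records[0].cf.request);

// Export only when loaded as a CommonJS module (the Lambda runtime does this).
if (typeof module !== 'undefined') {
  module.exports = { handler, routeRequest, redirectTo, REDIRECTS };
}
```

Note that a response returned from an origin-request trigger is cached by CloudFront like any origin response, so the Cache-Control value controls how long the redirect sticks at the edge.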
will I still be able to access the S3 bucket content via CloudFront over HTTPS?
Yes, but CloudFront will access the origin bucket through authenticated S3 API requests instead of generic HTTP requests.
When configuring an S3 bucket for static web site hosting, S3 allows me to set up "routing rules" to redirect foo.html to bar.html for example. If I turn off static web site hosting for my S3 bucket, how do I set up redirects?
I don't know of a way to do it in CloudFront. I continue to host my assets on an S3 website for that reason.
I would like to prevent users from directly accessing the S3 bucket URL.
I was willing to give that up to maintain some of the functionality I wanted from S3 bucket hosting. It's a tradeoff; you'll have to decide for yourself which is more important.
The "Static website hosting" feature of an S3 bucket only affects redirect rules (see below). But it does not affect the visibility of your website by its alternative URL. So, if you are using CloudFront and OAI, you should make the S3 bucket private; then it will be accessible only via CloudFront.
If you enable "Static website hosting" in S3 you will be able to:
Conclusion: enabling "Static website hosting" is not required when serving traffic via CloudFront.