Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Clarifications on serving non website S3 bucket via CloudFront as web site

Tags:

amazon-web-services

amazon-s3

amazon-cloudfront

Using AWS I am quite comfortable with the following scenario:

  • Set up S3 bucket example.com as a static web site.
  • Create a distribution of example.com on CloudFront.
  • Use Route 53 and the certificate manager to allow browsing the S3 bucket content using HTTPS via CloudFront.

However as you know it would still possible to directly access the web site under its alternate URL directly from the S3 bucket using HTTP. I would like to prevent users from directly accessing the S3 bucket URL.

Several tutorials on the web, including the CloudFront documentation, say that I need to create an Origin Access Identity (OAI) and restrict access to the S3 bucket only to the CloudFront distribution using that OAI. However this documentation also says that I can't use OAI with an S3 bucket set up as a static website endpoint.

So that leaves me with a couple of questions that aren't clear to me from the documentation:

  • If I turn off static website access to my S3 bucket example.com, once I connect it to CloudFront using an OAI, will I still be able to access the S3 bucket content via CloudFront over HTTPS? That is, does CloudFront provide "static web site accesss" to my S3 bucket even though I've turned off static website hosting for the bucket?
  • When configuring an S3 bucket for static web site hosting, S3 allows me to set up "routing rules" to redirect foo.html to bar.html for example. If I turn off static web site hosting for my S3 bucket, how do I set up redirects? Does CloudFront provide similar routing rules that I can configure, or is there another way to accomplish this?
like image 543
Garret Wilson Avatar asked Oct 27 '19 00:10

Garret Wilson

People also ask

Does S3 bucket need to be public for CloudFront?

By default, your Amazon S3 bucket and all the files in it are private—only the Amazon account that created the bucket has permission to read or write the files. If you want to allow anyone to access the files in your Amazon S3 bucket using CloudFront URLs, you must grant public read permissions to the objects.

How do I access my S3 bucket from CloudFront?

Open the CloudFront console. Choose Create Distribution. Under Origin, for Origin domain, choose your S3 bucket's REST API endpoint from the dropdown list. Or, enter your S3 bucket's website endpoint.

Can CloudFront access a private S3 bucket?

To use a bucket that is complete private the „Restrict Bucket Access“ must be yes. CloudFront now uses signed URL´s for requesting new assets and you must use an existing identity or let CloudFront create a new one. CloudFront can update your bucket policy or you can do it by your own.

What is the easiest way to start serving the website via https?

It's a best practice to use SSL (HTTPS) for your website. To use a custom domain with HTTPS, select Custom SSL certificate. You can choose Request certificate to request a new certificate. If you aren't using a custom domain, then you can still use HTTPS with the cloudfront.net domain name for your distribution.

3 Answers

The other ways to restrict access to S3 website endpoint from CloudFront are:

  1. S3 bucket policy to allow access only from CloudFront IP addresses. CloudFront IP addresses : CloudFront IP range

  2. Create S3 policy based on conditions such as Referer and Whitelist Referer header on CloudFront, this only works if you're serving assets from CloudFront, not the main index page as main index page won't have the Referer header in the request.

If you use S3 rest api endpoint instead of s3 website endpoint as an origin, your website will still work on HTTPS (SSL terminates on CloudFront) but there are couple of problem:

  1. Redirection/Routing rules won't work with REST API endpoint.
  2. REST API endpoint doesn't automatically server index page example: if you access abc.com/path --> S3 static endpoint will redirect it to abc.com/path/index.html (Exception for abc.com --> abc.com/index.html which can be done on CloudFront by defining Root document)

For your question of foo.html and bar.html, you need to use Lambda@edge function to change the URI with origin request function.

Lambda@edge examples

like image 132
James Dean Avatar answered Oct 02 '22 21:10

James Dean

will I still be able to access the S3 bucket content via CloudFront over HTTPS?

Yes, but cloudfront will access the origin bucket through authenticated S3 API requests instead of generic http requests.

When configuring an S3 bucket for static web site hosting, S3 allows me to set up "routing rules" to redirect foo.html to bar.html for example. If I turn off static web site hosting for my S3 bucket, how do I set up redirects?

I don't know of a way to do it in CloudFront. I continue to host my assets on an s3 website for that reason.

I would like to prevent users from directly accessing the S3 bucket URL.

I was willing to give that up to maintain some of the functionality I wanted from s3 bucket hosting. It's a tradeoff you'll have to decide for yourself which is more important.

like image 28
Daniel Farrell Avatar answered Oct 03 '22 21:10

Daniel Farrell

"Static website hosting" feature of S3 bucket only affects redirect rules (see below). But it does not affect visibility of your website by alternative URL. So, if you are using CloudFront and OAI - you should make S3 bucket private, then it will be accessible only via CloudFront.

If you enable "Static website hosting" in S3 you will be able to:

  • forward "/" path to "/index.html". This is also possible with CloudFront.
  • forward not found pages to "/error.html". This is also possible with CloudFront.
  • have redirect rules. This is possible to achieve with Lambda @Edge in CloudFront.

Conclusion: enabling "Static website hosting" is not required when serving traffic via CloudFront.

like image 32
Maksym Moskvychev Avatar answered Oct 02 '22 21:10

Maksym Moskvychev
Sign in to Comment

Related questions

Allow CloudFront to access an S3 bucket with an origin access identity
Calculate size of items in my Amazon DynamoDB table
Is it possible to share a piece of code betwen AWS Lambda functions?
AWS Sagemaker unable to parse csv
(OS 10048)Only one usage of each socket address (protocol/network address/port) is normally permitted. Windows apache
Is Redis atomic when multiple clients attempt to read/write an item at the same time?
How to load the ena driver on Amazon AWS?
Load Parquet files into Redshift
Amazon CodeCommit credential helper - command not found
Check if a folder exists on S3 using node js aws-sdk
Transfer AISPL account to AWS account
Customization of Login Page Cognito
How to enable the CodeDeploy Agent on Amazon Linux 2?
Is lambda layers compatible with Go?
Best way to synchronise RDS DB and Cognito
AWS S3 presigned URL contains X-Amz-Security-Token
Is there a way to have AWS RDS Public Accessibility = No but still accessible outside of EC2 instance?
How to configure CloudFront using CloudFormation to set the 'Headers' property in 'ForwardedValues' to 'all'?
Can I configure my .ssh/config file to use my aws pem file as default for all ec2 connections
nginx logs from AWS say "HELP...batman"?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!