Configuring CloudFront for Secure Access to S3 Documentation Server

Secure Access to S3 Documentation Server

Prev Question Next Question

Question

You are building a large-scale confidential documentation web server on AWS such that all of its documentation will be stored on S3

One of the requirements is that it should not be publicly accessible from S3 directly.

CloudFront would be needed to accomplish this.

Which method would satisfy the outlined requirements?

Answers

Explanations

Click on the arrows to vote for the correct answer

A. B. C. D.

Correct Answer - B.

If you want to use CloudFront signed URLs or signed cookies to provide access to objects in your Amazon S3 bucket, you probably want to prevent users from accessing your Amazon S3 objects using Amazon S3 URLs.

If users access your objects directly in Amazon S3, they bypass the controls provided by CloudFront signed URLs or signed cookies.

For example, control over the date and time that a user can no longer access your content and control over which IP addresses can be used to access the content.

Besides, if users access objects both through CloudFront and directly using Amazon S3 URLs, CloudFront access logs are less useful because they're incomplete.

To ensure that your users access your files using only CloudFront URLs, regardless of whether the URLs are signed, do the following:

Create an origin access identity, which is a special CloudFront user, and associate the origin access identity with your distribution.

You associate the origin access identity with origins so that you can secure all or just some of your Amazon S3 content.

You can also create an origin access identity and add it to your distribution when you create the distribution.

For more information, see Creating a CloudFront OAI and Adding it to Your Distribution.

Change the permissions either on your Amazon S3 bucket or on the files in your bucket so that only the origin access identity has read permission (or read and download permission)

When your users access your Amazon S3 files through CloudFront, the CloudFront origin access identity gets the files on behalf of your users.

If your users request files directly by using Amazon S3 URLs, they're denied access.

The origin access identity has permission to access files in your Amazon S3 bucket, but users don't.

For more information, see Granting the OAI Permission to Read Files in Your Amazon S3 Bucket.

For more information on Origin Access Identity, please visit the link below.

http://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-restricting-access-to-s3.html

To make a confidential documentation web server on AWS, you can store all the documents on Amazon S3. However, to ensure that the documents are not publicly accessible from S3 directly, you need to use Amazon CloudFront.

Amazon CloudFront is a content delivery network that securely delivers data, videos, applications, and APIs to customers globally with low latency, high transfer speeds, and no minimum usage commitments.

To satisfy the outlined requirements, you need to create an Origin Access Identity (OAI) for CloudFront and grant access to the objects in your S3 bucket to that OAI. Option B is the correct answer.

Option A, creating an IAM User for CloudFront and granting access to the objects in your S3 bucket, is incorrect because IAM users are used to manage AWS services and resources, not to grant access to an S3 bucket.

Option C, creating individual policies for each bucket the documents are stored in, and granting access only to CloudFront in these policies, is incorrect because it would be cumbersome to maintain policies for each bucket, and it is unnecessary because you can use the OAI to grant access to all the objects in the bucket.

Option D, creating an S3 bucket policy that lists the CloudFront distribution ID as the Principal and the target bucket as the Amazon Resource Name (ARN), is incorrect because it would allow anyone with the CloudFront distribution ID to access the bucket, which is not a good practice for securing confidential data.

Therefore, the correct method to secure confidential documentation stored on S3 is to create an OAI for CloudFront and grant access to the objects in your S3 bucket to that OAI.