Protecting S3 Objects in a CloudFront Distribution

Preventing Public Access to S3 Bucket Objects

Question

A company is planning to use a Cloudfront Distribution.

The origin will be an S3 bucket.

They want to ensure that users cannot access the objects in the S3 bucket via the public URL of the bucket objects.

How can you accomplish this?

Answers

Explanations

Answer - A.

Options B and C are invalid because you need to set a bucket policy and not an IAM policy for this sort of access.

Option D is invalid because you need to set a Cloudfront Origin Identity and not a separate IAM user.

The AWS Documentation mentions the following.

When you create or update a distribution, you can add an origin access identity and automatically update the bucket policy to give the origin access identity permission to access your bucket.

Alternatively, you can choose to manually change the bucket policy or change ACLs, which control permissions on individual objects in your bucket.

Whichever method you use, you should still review the bucket policy for your bucket and review the permissions on your objects to ensure that:

· CloudFront can access objects in the bucket on behalf of users who are requesting your objects through CloudFront.

· Users can't use Amazon S3 URLs to access your objects.

For more information on using a CloudFront Origin Access Identity, please visit the following URL:

https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-restricting-access-to-s3.html

The correct answer is A: Create a Cloudfront Origin Identity that has access via the bucket policy.

When a CloudFront distribution is used with an S3 bucket, it is recommended to use an origin access identity (OAI) to restrict access to the objects in the S3 bucket.

An origin access identity is an Amazon CloudFront feature that allows access to a specific S3 bucket. When an OAI is used with a CloudFront distribution, the distribution can only access the objects in the S3 bucket that are allowed by the bucket policy. The bucket policy should only allow access to the OAI, not the general public.

To accomplish this, follow these steps:

  1. Create a new CloudFront distribution with the S3 bucket as the origin.
  2. Create a new origin access identity for the CloudFront distribution.
  3. Modify the bucket policy to grant access to the origin access identity only. The following is an example bucket policy:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Grant access to CloudFront origin identity",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity XXXXXXXXXXXX"
      },
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::bucket-name/*"
    }
  ]
}
```

  4. Update the CloudFront distribution to use the new origin access identity.
  5. Test the CloudFront distribution to ensure that it can access the objects in the S3 bucket, and that the general public cannot access them via the bucket's public URL.
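As an added example (not part of the original question page), the following Python code builds the OAI-only bucket policy from step 3 and then performs the two review checks the AWS documentation asks for: that the OAI principal can read the objects, and that no Allow statement lets the anonymous principal `*` read them via the S3 URL. The bucket name and OAI id are constructed placeholders.

```python
import fnmatch

# Constructed placeholders, not values from a real account.
BUCKET = "bucket-name"
OAI_PRINCIPAL = "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity XXXXXXXXXXXX"


def _as_list(value):
    """Policy fields may be a scalar or a list; normalise to a list."""
    return [] if value is None else (value if isinstance(value, list) else [value])


def _principals(statement):
    """Flatten Principal ("*", {"AWS": ...}, {"AWS": [...]}) into a list of strings."""
    principal = statement.get("Principal")
    if isinstance(principal, dict):
        return [p for v in principal.values() for p in _as_list(v)]
    return _as_list(principal)


def _matches(patterns, value):
    """IAM-style wildcard match of one value against Action/Resource patterns."""
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def oai_bucket_policy(bucket, oai_principal):
    """Least-privilege bucket policy: only the OAI may read objects."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "Grant access to CloudFront origin identity",
        "Effect": "Allow",
        "Principal": {"AWS": oai_principal},
        "Action": "s3:GetObject",
        "Resource": f"arn:aws:s3:::{bucket}/*"}]}


def review_policy(policy, bucket, oai_principal):
    """Return (oai_can_read, public_can_read) for object reads on the bucket.
    Conservative review, not a full IAM evaluation: Deny statements and
    Conditions are ignored, so a conditional public Allow still counts as public."""
    objects_arn = f"arn:aws:s3:::{bucket}/*"
    oai_can_read = public_can_read = False
    for st in _as_list(policy.get("Statement")):
        if st.get("Effect") != "Allow":
            continue
        if not (_matches(st.get("Action"), "s3:GetObject")
                and _matches(st.get("Resource"), objects_arn)):
            continue
        principals = _principals(st)
        oai_can_read = oai_can_read or oai_principal in principals
        public_can_read = public_can_read or "*" in principals
    return oai_can_read, public_can_read
```

Run `review_policy` against the policy fetched from the bucket; the expected result for a correctly locked-down origin is `(True, False)`.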

Option B is incorrect because IAM policies cannot be used to restrict access to objects in an S3 bucket when using CloudFront.

Option C is incorrect because the CloudFront origin access identity should have access via the bucket policy, not the IAM policy.

Option D is incorrect because creating a separate IAM user does not provide any additional benefits compared to using an origin access identity, and it adds unnecessary complexity.