How do I allow access to an Amazon S3 bucket only from a CloudFront distribution?
Last updated: 2019-05-31
I want to restrict access to my Amazon Simple Storage Service (Amazon S3) bucket so that objects can be accessed only through an Amazon CloudFront distribution. How can I do that?
To allow access to your Amazon S3 bucket only from a CloudFront distribution, first add an origin access identity (OAI) to your distribution. Then, review your bucket policy and Amazon S3 access control list (ACL) to be sure that:
- Only the OAI can access your bucket.
- CloudFront can access the bucket on behalf of requesters.
- Users can't access the objects in other ways, such as by using Amazon S3 URLs.
Note: After you restrict access to your bucket using CloudFront, you can optionally add another layer of security by integrating AWS WAF.