Roquiya shows you how to allow access to your bucket only from a CloudFront distribution


I want to restrict access to my Amazon Simple Storage Service (Amazon S3) bucket so that objects can be accessed only through an Amazon CloudFront distribution. How can I do that?

To allow access to your Amazon S3 bucket only from a CloudFront distribution, first add an origin access identity (OAI) to your distribution. Then, review your bucket policy and Amazon S3 access control list (ACL) to be sure that:

  • Only the OAI can access your bucket.
  • CloudFront can access the bucket on behalf of requesters.
  • Users can't access the objects in other ways, such as by using Amazon S3 URLs.

Note: After you restrict access to your bucket using CloudFront, you can optionally add another layer of security by integrating AWS WAF. For more information, see Getting Started with AWS WAF.
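The bucket policy review described above can be scripted. The following is an added example, not part of the original article or AWS tooling: it reports every Allow statement in a bucket policy document that grants access to a principal other than the OAI. The OAI ID, bucket name and sample policies are constructed placeholders, and the check covers the bucket policy only, not the bucket or object ACLs.

```python
import json

# Constructed placeholder OAI ID; substitute your distribution's OAI.
OAI_ARN = ("arn:aws:iam::cloudfront:user/"
           "CloudFront Origin Access Identity E2EXAMPLE1OAI")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def principals(stmt):
    """Flatten a statement's Principal element into (type, value) pairs."""
    p = stmt.get("Principal")
    if p is None:  # NotPrincipal (or nothing): never equal to the OAI alone
        return [("NotPrincipal", json.dumps(stmt.get("NotPrincipal")))]
    if p == "*":
        return [("*", "*")]
    return [(kind, v) for kind, vals in p.items() for v in _as_list(vals)]

def audit_policy(policy, oai_arn, oai_canonical_id=None):
    """Return (sid, principal) for every Allow grant to anyone but the OAI.

    Conditions are ignored, so a conditioned grant is still reported for review.
    """
    allowed = {("AWS", oai_arn)}
    if oai_canonical_id:
        allowed.add(("CanonicalUser", oai_canonical_id))
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", f"statement[{i}]")
        findings += [(sid, v) for k, v in principals(stmt) if (k, v) not in allowed]
    return findings

# Constructed sample policies for a hypothetical bucket "example-bucket".
RESOURCE = "arn:aws:s3:::example-bucket/*"
OAI_ONLY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AllowOAI", "Effect": "Allow", "Principal": {"AWS": OAI_ARN},
     "Action": "s3:GetObject", "Resource": RESOURCE}]}
WITH_PUBLIC_READ = {"Version": "2012-10-17", "Statement": OAI_ONLY["Statement"] + [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": RESOURCE}]}

if __name__ == "__main__":
    print(audit_policy(OAI_ONLY, OAI_ARN))
    print(audit_policy(WITH_PUBLIC_READ, OAI_ARN))
```

An empty result means no Allow statement in the policy names anyone other than the OAI; each tuple returned identifies a statement to tighten or remove.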

Published: 2018-07-30