How do I allow access to an Amazon S3 bucket only from a CloudFront distribution?

Last updated: 2019-05-31

I want to restrict access to my Amazon Simple Storage Service (Amazon S3) bucket so that objects can be accessed only through an Amazon CloudFront distribution. How can I do that? 


To allow access to your Amazon S3 bucket only from a CloudFront distribution, first add an origin access identity (OAI) to your distribution. Then, review your bucket policy and Amazon S3 access control list (ACL) to be sure that:

  • Only the OAI can access your bucket.
  • CloudFront can access the bucket on behalf of requesters.
  • Users can't access the objects in other ways, such as by using Amazon S3 URLs.

Note: After you restrict access to your bucket using CloudFront, you can optionally add another layer of security by integrating AWS WAF.

Did this article help you?

Anything we could improve?

Need more help?