{"id":1211,"date":"2021-07-30T06:17:30","date_gmt":"2021-07-30T06:17:30","guid":{"rendered":"https:\/\/www.velaninfo.com\/rs\/?post_type=techtips&#038;p=1211"},"modified":"2021-10-04T11:23:36","modified_gmt":"2021-10-04T11:23:36","slug":"amzon-s3-cloudfront-bucket","status":"publish","type":"techtips","link":"https:\/\/www.velaninfo.com\/rs\/techtips\/amzon-s3-cloudfront-bucket\/","title":{"rendered":"How can I use CloudFront to limit access to an Amazon S3 bucket?"},"content":{"rendered":"<p><strong>How can I use CloudFront to limit access to an Amazon S3 bucket?<\/strong><\/p>\n<p>Amazon CloudFront is an <a href=\"https:\/\/www.velaninfo.com\/cloud-services\"><strong>Amazon Web Services<\/strong><\/a> content delivery network. Content delivery networks (CDNs) are a worldwide distributed network of proxy servers that cache content, such as online videos or other large files, closer to customers, boosting download speeds.<\/p>\n<p>Before you set up the restriction, make sure the CloudFront distribution&#8217;s S3 origin is set up as a REST API endpoint (VELAN-.s3.amazonaws.com). 
The following approach does not apply to S3 origins set up as website endpoints (VELAN-.s3-website-us-east-1.amazonaws.com).<\/p>\n<p><strong>Creating a CloudFront origin access identity and adding it to the distribution<\/strong><\/p>\n<p>Let&#8217;s have a look at how to create an Amazon CloudFront origin access identity and add it to the distribution:<\/p>\n<ol>\n<li>Log in to the <a href=\"https:\/\/www.velaninfo.com\/rs\/tech-tips\/cloudflare\/\"><strong>CloudFront management console<\/strong><\/a>.<\/li>\n<li>From the list of distributions, select the ID of the distribution that serves content from the S3 bucket you want to restrict access to.<\/li>\n<li>Select the Origins and Origin Groups tab.<\/li>\n<li>Select the check box next to the S3 origin, then select Edit.<\/li>\n<li>For Restrict Bucket Access, select Yes.<\/li>\n<li>For Origin Access Identity, choose either Create a New Identity or Use an Existing Identity.<\/li>\n<\/ol>\n<p>Choose Use an Existing Identity if an origin access identity already exists, then select it from the Identities list.<\/p>\n<p>Choose Create a New Identity to create a new origin access identity. Then, in the Comment field, replace the bucket name with a custom description.<\/p>\n<ol start=\"7\">\n<li>For Grant Read Permissions on Bucket, select Yes, Update Bucket Policy.<\/li>\n<\/ol>\n<p><strong>Note:<\/strong> This step alters the S3 origin&#8217;s bucket policy to grant the origin access identity the s3:GetObject permission.<\/p>\n<ol start=\"8\">\n<li>Then select Yes, Edit.<\/li>\n<\/ol>\n<p><strong>Examine your bucket policy.<\/strong><\/p>\n<ol>\n<li>Log in to the Amazon S3 console.<\/li>\n<li>From the list of buckets, select the bucket that is the origin of the CloudFront distribution.<\/li>\n<li>Navigate to the Permissions tab.<\/li>\n<li>Choose Bucket policy.<\/li>\n<li>Verify that a statement similar to the following is included in the Bucket policy editor:<\/li>\n<\/ol>\n<pre><code>{\n    \"Sid\": \"1\",\n    \"Effect\": \"Allow\",\n    \"Principal\": {\n        \"AWS\": \"arn:aws:iam::cloudfront:user\/CloudFront Origin Access Identity EAF5XXXXXXXXX\"\n    },\n    \"Action\": \"s3:GetObject\",\n    \"Resource\": \"arn:aws:s3:::VELAN-\/*\"\n}<\/code><\/pre>\n<p>When we choose Yes, Update Bucket Policy as part of the origin access identity setup, CloudFront adds this statement to our bucket policy.<\/p>\n<ol start=\"6\">\n<li>Check the bucket policy for any \u201cEffect\u201d: \u201cDeny\u201d statements that prohibit the CloudFront origin access identity from accessing the bucket. Change those statements so that the CloudFront origin access identity can access the bucket&#8217;s objects.<\/li>\n<li>Check the bucket policy for any \u201cEffect\u201d: \u201cAllow\u201d statements that allow access to the bucket from any source other than the CloudFront origin access identity. We can change those statements to suit our needs.<\/li>\n<li>Also, if you&#8217;re using object ACLs to govern permissions, review the object ACLs and double-check that those objects aren&#8217;t accessible outside of the CloudFront origin access identity. We may optionally add another layer of security by using the AWS web application firewall after restricting access to the S3 bucket using the CloudFront origin access identity.<\/li>\n<\/ol>\n<p>At <strong>Velan<\/strong>, our server support engineers can help to set up the restriction of access to S3 buckets through CloudFront.\u00a0If you are interested in our service, please fill in the <a href=\"https:\/\/www.velaninfo.com\/contact\"><strong>Quick connect form<\/strong><\/a> to get in touch with us.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>How can I use CloudFront to limit access to an Amazon S3 bucket? Amazon CloudFront is an Amazon Web Services content delivery network. Content delivery networks (CDNs) are a worldwide distributed network of proxy servers that cache content, such as online videos or other large files, closer to customers, boosting download speeds. 
Before you set&#8230;<\/p>\n","protected":false},"author":9,"featured_media":0,"comment_status":"open","ping_status":"closed","template":"","meta":{"footnotes":""},"tags":[],"class_list":["post-1211","techtips","type-techtips","status-publish","hentry","Categories_tech_tip-aws","Categories_tech_tip-cloud","Categories_tech_tip-cloudfront"]}