URL: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-restricting-access-to-s3.html
Submission: On July 19 via api from US — Scanned from DE


Restricting access to an Amazon S3 origin - Amazon CloudFront

RESTRICTING ACCESS TO AN AMAZON S3 ORIGIN


CloudFront provides two ways to send authenticated requests to an Amazon S3
origin: origin access control (OAC) and origin access identity (OAI). We
recommend using OAC because it supports:

 * All Amazon S3 buckets in all AWS Regions, including opt-in Regions launched
   after December 2022

 * Amazon S3 server-side encryption with AWS KMS (SSE-KMS)

 * Dynamic requests (PUT and DELETE) to Amazon S3

OAI doesn't work for the scenarios in the preceding list, or it requires extra
workarounds in those scenarios. The following topics describe how to use OAC
with an Amazon S3 origin. For information about how to migrate from OAI to OAC,
see Migrating from origin access identity (OAI) to origin access control (OAC).

NOTE

If your origin is an Amazon S3 bucket configured as a website endpoint, you must
set it up with CloudFront as a custom origin. That means you can't use OAC (or
OAI). However, you can restrict access to a custom origin by setting up custom
headers and configuring the origin to require them. For more information, see
Restricting access to files on custom origins.

Topics

 * Creating a new origin access control

 * Migrating from origin access identity (OAI) to origin access control (OAC)

 * Advanced settings for origin access control


CREATING A NEW ORIGIN ACCESS CONTROL

Complete the steps described in the following topics to set up a new origin
access control in CloudFront.

TOPICS

 * Prerequisites
 * Giving the origin access control permission to access the S3 bucket
 * Creating the origin access control


PREREQUISITES

Before you create and set up origin access control (OAC), you must have a
CloudFront distribution with an Amazon S3 bucket origin. This origin must be a
regular S3 bucket, not a bucket configured as a website endpoint. For more
information about setting up a CloudFront distribution with an S3 bucket origin,
see Getting started with a simple CloudFront distribution.


GIVING THE ORIGIN ACCESS CONTROL PERMISSION TO ACCESS THE S3 BUCKET

Before you create an origin access control (OAC) or set it up in a CloudFront
distribution, make sure the OAC has permission to access the S3 bucket origin.
Do this after creating a CloudFront distribution, but before adding the OAC to
the S3 origin in the distribution configuration.

To give the OAC permission to access the S3 bucket, use an S3 bucket policy to
allow the CloudFront service principal (cloudfront.amazonaws.com) to access the
bucket. Use a Condition element in the policy to allow CloudFront to access the
bucket only when the request is on behalf of the CloudFront distribution that
contains the S3 origin.

For information about adding or modifying a bucket policy, see Adding a bucket
policy using the Amazon S3 console in the Amazon S3 User Guide.

The following are examples of S3 bucket policies that allow a CloudFront OAC to
access an S3 origin.

EXAMPLE S3 BUCKET POLICY THAT ALLOWS READ-ONLY ACCESS TO A CLOUDFRONT OAC

{
    "Version": "2012-10-17",
    "Statement": {
        "Sid": "AllowCloudFrontServicePrincipalReadOnly",
        "Effect": "Allow",
        "Principal": {
            "Service": "cloudfront.amazonaws.com"
        },
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::<S3 bucket name>/*",
        "Condition": {
            "StringEquals": {
                "AWS:SourceArn": "arn:aws:cloudfront::<AWS account ID>:distribution/<CloudFront distribution ID>"
            }
        }
    }
}

EXAMPLE S3 BUCKET POLICY THAT ALLOWS READ AND WRITE ACCESS TO A CLOUDFRONT OAC

{
    "Version": "2012-10-17",
    "Statement": {
        "Sid": "AllowCloudFrontServicePrincipalReadWrite",
        "Effect": "Allow",
        "Principal": {
            "Service": "cloudfront.amazonaws.com"
        },
        "Action": [
            "s3:GetObject",
            "s3:PutObject"
        ],
        "Resource": "arn:aws:s3:::<S3 bucket name>/*",
        "Condition": {
            "StringEquals": {
                "AWS:SourceArn": "arn:aws:cloudfront::<AWS account ID>:distribution/<CloudFront distribution ID>"
            }
        }
    }
}

SSE-KMS

If the objects in the S3 bucket origin are encrypted using server-side
encryption with AWS Key Management Service (SSE-KMS), you must make sure that
the OAC has permission to use the AWS KMS key. To give the OAC permission to use
the KMS key, add a statement to the KMS key policy. For information about how to
modify a key policy, see Changing a key policy in the AWS Key Management Service
Developer Guide.

The following example shows a KMS key policy statement that allows the OAC to
use the KMS key.

EXAMPLE KMS KEY POLICY STATEMENT THAT ALLOWS A CLOUDFRONT OAC TO ACCESS A KMS
KEY FOR SSE-KMS

{
    "Sid": "AllowCloudFrontServicePrincipalSSE-KMS",
    "Effect": "Allow",
    "Principal": {
        "AWS": "arn:aws:iam::<AWS account ID>:root",
        "Service": "cloudfront.amazonaws.com"
    },
    "Action": [
        "kms:Decrypt",
        "kms:Encrypt",
        "kms:GenerateDataKey*"
    ],
    "Resource": "*",
    "Condition": {
        "StringEquals": {
            "AWS:SourceArn": "arn:aws:cloudfront::<AWS account ID>:distribution/<CloudFront distribution ID>"
        }
    }
}


CREATING THE ORIGIN ACCESS CONTROL

To create an origin access control (OAC), you can use the AWS Management
Console, AWS CloudFormation, the AWS CLI, or the CloudFront API.

Console

TO CREATE AN ORIGIN ACCESS CONTROL

 1. Sign in to the AWS Management Console and open the CloudFront console at
    https://console.aws.amazon.com/cloudfront/v3/home.

 2. In the navigation pane, choose Origin access.

 3. Choose Create control setting.

 4. On the Create control setting form, do the following:
    
    1. In the Details pane, enter a Name and (optionally) a Description for the
       origin access control.
    
    2. In the Settings pane, we recommend that you leave the default setting
       (Sign requests (recommended)). For more information, see Advanced
       settings for origin access control.

 5. Choose S3 from the Origin type dropdown.

 6. Choose Create.
    
    After the OAC is created, make note of the Name. You need this in the
    following procedure.

TO ADD AN ORIGIN ACCESS CONTROL TO AN S3 ORIGIN IN A DISTRIBUTION

 1. Open the CloudFront console at
    https://console.aws.amazon.com/cloudfront/v3/home.

 2. Choose a distribution with an S3 origin that you want to add the OAC to,
    then choose the Origins tab.

 3. Select the S3 origin that you want to add the OAC to, then choose Edit.

 4. From the Origin access control dropdown menu, choose the OAC that you want
    to use.

 5. Choose Save changes.

The distribution starts deploying to all of the CloudFront edge locations. When
an edge location receives the new configuration, it signs all requests that it
sends to the S3 bucket origin.

CloudFormation

To create an origin access control (OAC) with AWS CloudFormation, use the
AWS::CloudFront::OriginAccessControl resource type. The following example shows
the AWS CloudFormation template syntax, in YAML format, for creating an origin
access control.

Type: AWS::CloudFront::OriginAccessControl
Properties:
  OriginAccessControlConfig:
    Description: An optional description for the origin access control
    Name: ExampleOAC
    OriginAccessControlOriginType: s3
    SigningBehavior: always
    SigningProtocol: sigv4

For more information, see AWS::CloudFront::OriginAccessControl in the AWS
CloudFormation User Guide.

CLI

To create an origin access control with the AWS Command Line Interface (AWS
CLI), use the aws cloudfront create-origin-access-control command. You can use
an input file to provide the input parameters for the command, rather than
specifying each individual parameter as command line input.

TO CREATE AN ORIGIN ACCESS CONTROL (CLI WITH INPUT FILE)

 1. Use the following command to create a file that's named
    origin-access-control.yaml. This file contains all of the input parameters
    for the create-origin-access-control command.
    
    
    aws cloudfront create-origin-access-control --generate-cli-skeleton yaml-input > origin-access-control.yaml

 2. Open the origin-access-control.yaml file that you just created. Edit the
    file to add a name for the OAC, a description (optional), and change the
    SigningBehavior to always. Then save the file.
    
    For information about other OAC settings, see Advanced settings for origin
    access control.

 3. Use the following command to create the origin access control using the
    input parameters from the origin-access-control.yaml file.
    
    
    aws cloudfront create-origin-access-control --cli-input-yaml file://origin-access-control.yaml
    
    Make note of the Id value in the command output. You need it to add the OAC
    to an S3 bucket origin in a CloudFront distribution.

TO ATTACH AN OAC TO AN S3 BUCKET ORIGIN IN AN EXISTING DISTRIBUTION (CLI WITH
INPUT FILE)

 1. Use the following command to save the distribution configuration for the
    CloudFront distribution that you want to add the OAC to. The distribution
    must have an S3 bucket origin.
    
    
    aws cloudfront get-distribution-config --id <CloudFront distribution ID> --output yaml > dist-config.yaml

 2. Open the file that's named dist-config.yaml that you just created. Edit the
    file, making the following changes:
    
     * In the Origins object, add the OAC's ID to the field that's named
       OriginAccessControlId.
    
     * Remove the value from the field that's named OriginAccessIdentity, if one
       exists.
    
     * Rename the ETag field to IfMatch, but don't change the field's value.
    
    Save the file when finished.

 3. Use the following command to update the distribution to use the origin
    access control.
    
    
    aws cloudfront update-distribution --id <CloudFront distribution ID> --cli-input-yaml file://dist-config.yaml

The distribution starts deploying to all of the CloudFront edge locations. When
an edge location receives the new configuration, it signs all requests that it
sends to the S3 bucket origin.
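The manual edit in step 2 of the attach procedure (set OriginAccessControlId, clear OriginAccessIdentity, rename ETag to IfMatch) is easy to get wrong by hand, especially on a distribution with several origins. The following Python is an added example written for this page, not code from the AWS documentation. It assumes the configuration was fetched with `--output json` and will be passed back with `--cli-input-json` (the structure is the same as the YAML form the procedure uses); the sample configuration and the EXAMPLE_* identifiers are constructed placeholders.

```python
import copy
import json

# Constructed sample (not real output) shaped like the result of
# `aws cloudfront get-distribution-config --output json`: an ETag plus the
# DistributionConfig, trimmed to the fields this procedure touches.
SAMPLE_DIST_CONFIG = {
    "ETag": "EXAMPLE_ETAG",
    "DistributionConfig": {
        "CallerReference": "example-caller-reference",
        "Enabled": True,
        "Origins": {
            "Quantity": 2,
            "Items": [
                {
                    "Id": "s3-origin",
                    "DomainName": "EXAMPLE-BUCKET.s3.amazonaws.com",
                    "OriginAccessControlId": "",
                    # Legacy OAI still attached; OAC requires this to be cleared.
                    "S3OriginConfig": {
                        "OriginAccessIdentity": "origin-access-identity/cloudfront/EXAMPLE_OAI_ID"
                    },
                },
                {
                    "Id": "custom-origin",
                    "DomainName": "api.example.com",
                    "CustomOriginConfig": {
                        "HTTPPort": 80,
                        "HTTPSPort": 443,
                        "OriginProtocolPolicy": "https-only",
                    },
                },
            ],
        },
    },
}


def attach_oac(config, oac_id, origin_id=None):
    """Return the update-distribution input for `config` with the OAC attached.

    Performs the three edits the procedure describes: set OriginAccessControlId
    on the S3 origin(s), blank out any OriginAccessIdentity, and rename ETag to
    IfMatch without changing its value. The input dict is left untouched.
    """
    out = copy.deepcopy(config)
    if "ETag" not in out:
        raise ValueError("config has no ETag; fetch it with get-distribution-config")
    out["IfMatch"] = out.pop("ETag")

    touched = 0
    for origin in out["DistributionConfig"]["Origins"]["Items"]:
        if "S3OriginConfig" not in origin:
            continue  # custom origins (including S3 website endpoints) cannot use OAC
        if origin_id is not None and origin["Id"] != origin_id:
            continue
        origin["OriginAccessControlId"] = oac_id
        origin["S3OriginConfig"]["OriginAccessIdentity"] = ""
        touched += 1
    if touched == 0:
        raise ValueError("no matching S3 origin in the distribution config")
    return out


if __name__ == "__main__":
    # Write the file to pass as --cli-input-json to update-distribution.
    updated = attach_oac(SAMPLE_DIST_CONFIG, "EXAMPLE_OAC_ID")
    with open("dist-config-updated.json", "w") as fh:
        json.dump(updated, fh, indent=2)
    print(json.dumps(updated["DistributionConfig"]["Origins"], indent=2))
```

Passing `origin_id` limits the change to one origin; without it every S3 origin in the distribution gets the OAC, and the function refuses to produce a file if no S3 origin was found, so a typo in the origin ID fails before anything is sent to `update-distribution`.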

API

To create an origin access control with the CloudFront API, use
CreateOriginAccessControl. For more information about the fields that you
specify in this API call, see the API reference documentation for your AWS SDK
or other API client.

After you create an origin access control you can attach it to an S3 bucket
origin in a distribution, using one of the following API calls:

 * To attach it to an existing distribution, use UpdateDistribution.

 * To attach it to a new distribution, use CreateDistribution.

For both of these API calls, provide the origin access control ID in the
OriginAccessControlId field, inside an origin. For more information about the
other fields that you specify in these API calls, see Values that you specify
when you create or update a distribution and the API reference documentation for
your AWS SDK or other API client.







MIGRATING FROM ORIGIN ACCESS IDENTITY (OAI) TO ORIGIN ACCESS CONTROL (OAC)

To migrate from a legacy origin access identity (OAI) to an origin access
control (OAC), first update the S3 bucket origin to allow both the OAI and OAC
to access the bucket's content. This makes sure that CloudFront never loses
access to the bucket during the transition. To allow both OAI and OAC to access
an S3 bucket, update the bucket policy to include two statements, one for each
kind of principal.

The following example S3 bucket policy allows both an OAI and an OAC to access
an S3 origin.

EXAMPLE S3 BUCKET POLICY THAT ALLOWS READ-ONLY ACCESS TO AN OAI AND AN OAC

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowCloudFrontServicePrincipalReadOnly",
            "Effect": "Allow",
            "Principal": {
                "Service": "cloudfront.amazonaws.com"
            },
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::<S3 bucket name>/*",
            "Condition": {
                "StringEquals": {
                    "AWS:SourceArn": "arn:aws:cloudfront::<AWS account ID>:distribution/<CloudFront distribution ID>"
                }
            }
        },
        {
            "Sid": "AllowLegacyOAIReadOnly",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity <origin access identity ID>"
            },
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::<S3 bucket name>/*"
        }
    ]
}

After you update the S3 origin's bucket policy to allow access to both OAI and
OAC, you can update the distribution configuration to use OAC instead of OAI.
For more information, see Creating a new origin access control.

After the distribution is fully deployed, you can remove the statement in the
bucket policy that allows access to the OAI. For more information, see Giving
the origin access control permission to access the S3 bucket.
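The bucket policy examples in "Giving the origin access control permission to access the S3 bucket" and the three-step migration above share one building block: the OAC statement whose AWS:SourceArn condition ties the grant to a single distribution. The following Python is an added example written for this page, not code from the AWS documentation. It builds that statement, audits a policy for CloudFront grants that lack the condition (the check a reviewer wants before and after a migration), and carries a constructed OAI-only policy through the add-OAC and remove-OAI steps. The bucket name, account ID 111122223333 and EXAMPLE_* identifiers are placeholders; condition key names are compared case-insensitively, which is how IAM treats them.

```python
import copy
import json

CLOUDFRONT_SERVICE = "cloudfront.amazonaws.com"
OAI_ARN_PREFIX = "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity"


def oac_statement(bucket, account_id, distribution_id, write=False):
    """Bucket policy statement for an OAC, scoped to one distribution.

    Mirrors the read-only / read-write examples: the principal is the CloudFront
    service principal, and AWS:SourceArn pins it to a single distribution ARN.
    """
    return {
        "Sid": "AllowCloudFrontServicePrincipalReadWrite" if write
               else "AllowCloudFrontServicePrincipalReadOnly",
        "Effect": "Allow",
        "Principal": {"Service": CLOUDFRONT_SERVICE},
        "Action": ["s3:GetObject", "s3:PutObject"] if write else "s3:GetObject",
        "Resource": f"arn:aws:s3:::{bucket}/*",
        "Condition": {"StringEquals": {
            "AWS:SourceArn": f"arn:aws:cloudfront::{account_id}:distribution/{distribution_id}"
        }},
    }


def _statements(policy):
    # "Statement" may be a single object or a list; normalise to a list.
    stmts = policy.get("Statement", [])
    return [stmts] if isinstance(stmts, dict) else list(stmts)


def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])


def _is_oai_statement(stmt):
    principal = stmt.get("Principal")
    if not isinstance(principal, dict):
        return False
    return any(arn.startswith(OAI_ARN_PREFIX) for arn in _as_list(principal.get("AWS")))


def audit_cloudfront_statements(policy):
    """Flag Allow statements that admit the CloudFront service principal without
    an AWS:SourceArn condition naming a distribution. Without that condition the
    grant is not limited to requests made on behalf of your distribution."""
    findings = []
    for stmt in _statements(policy):
        principal = stmt.get("Principal")
        services = _as_list(principal.get("Service")) if isinstance(principal, dict) else []
        if stmt.get("Effect") != "Allow" or CLOUDFRONT_SERVICE not in services:
            continue
        equals = stmt.get("Condition", {}).get("StringEquals", {})
        source_arn = next((v for k, v in equals.items() if k.lower() == "aws:sourcearn"), None)
        sid = stmt.get("Sid", "<no Sid>")
        if source_arn is None:
            findings.append(f"{sid}: CloudFront service principal allowed without an AWS:SourceArn condition")
        elif not all(a.startswith("arn:aws:cloudfront::") and ":distribution/" in a
                     for a in _as_list(source_arn)):
            findings.append(f"{sid}: AWS:SourceArn is not a CloudFront distribution ARN")
    return findings


def begin_migration(policy, oac_stmt):
    """Migration step 1: grant the OAC alongside the existing OAI grant."""
    new = copy.deepcopy(policy)
    stmts = _statements(new)
    if not any(s.get("Sid") == oac_stmt["Sid"] for s in stmts):
        stmts.append(copy.deepcopy(oac_stmt))
    new["Statement"] = stmts
    return new


def finish_migration(policy):
    """Migration step 3 (only after the distribution has fully deployed with the
    OAC): drop every statement whose principal is a legacy OAI."""
    new = copy.deepcopy(policy)
    new["Statement"] = [s for s in _statements(new) if not _is_oai_statement(s)]
    return new


# Constructed starting point: a bucket policy that only knows the legacy OAI.
LEGACY_OAI_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowLegacyOAIReadOnly",
        "Effect": "Allow",
        "Principal": {"AWS": f"{OAI_ARN_PREFIX} EXAMPLE_OAI_ID"},
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::EXAMPLE-BUCKET/*",
    }],
}

if __name__ == "__main__":
    oac = oac_statement("EXAMPLE-BUCKET", "111122223333", "EXAMPLE_DIST_ID")
    transitional = begin_migration(LEGACY_OAI_POLICY, oac)  # apply, then switch the origin to OAC
    final = finish_migration(transitional)                  # apply once the distribution has deployed
    print(json.dumps(final, indent=2), audit_cloudfront_statements(final))
```

The two migration functions never mutate their input, so the transitional policy can be kept for comparison until the distribution reports Deployed; running `audit_cloudfront_statements` on the final policy confirms that the only remaining CloudFront grant is still pinned to the distribution.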


ADVANCED SETTINGS FOR ORIGIN ACCESS CONTROL

The CloudFront origin access control feature includes advanced settings that are
intended only for specific use cases. Use the recommended settings unless you
have a specific need for the advanced settings.

Origin access control contains a setting named Signing behavior (in the
console), or SigningBehavior (in the API, CLI, and AWS CloudFormation). This
setting provides the following options:

Always sign origin requests (recommended setting)

We recommend using this setting, named Sign requests (recommended) in the
console, or always in the API, CLI, and AWS CloudFormation. With this setting,
CloudFront always signs all requests that it sends to the S3 bucket origin.

Never sign origin requests

This setting is named Do not sign requests in the console, or never in the API,
CLI, and AWS CloudFormation. Use this setting to turn off origin access control
for all origins in all distributions that use this origin access control. This
can save time and effort compared to removing an origin access control from all
origins and distributions that use it, one by one. With this setting, CloudFront
does not sign any requests that it sends to the S3 bucket origin.

WARNING

To use this setting, the S3 bucket origin must be publicly accessible. If you
use this setting with an S3 bucket origin that's not publicly accessible,
CloudFront cannot access the origin. The S3 bucket origin returns errors to
CloudFront and CloudFront passes those errors on to viewers.

Don't override the viewer (client) Authorization header

This setting is named Do not override authorization header in the console, or
no-override in the API, CLI, and AWS CloudFormation. Use this setting when you
want CloudFront to sign origin requests only when the corresponding viewer
request does not include an Authorization header. With this setting, CloudFront
passes on the Authorization header from the viewer request when one is present,
but signs the origin request (adding its own Authorization header) when the
viewer request doesn't include an Authorization header.

WARNING

To pass along the Authorization header from the viewer request, you must add the
Authorization header to a cache policy for all cache behaviors that use S3
bucket origins associated with this origin access control.


USING AN ORIGIN ACCESS IDENTITY (LEGACY, NOT RECOMMENDED)

CloudFront origin access identity (OAI) provides similar functionality as origin
access control (OAC), but it doesn't work for all scenarios. This is why we
recommend using OAC instead. Specifically, OAI doesn't support:

 * Amazon S3 buckets in all AWS Regions, including opt-in Regions

 * Amazon S3 server-side encryption with AWS KMS (SSE-KMS)

 * Dynamic requests (PUT, POST, or DELETE) to Amazon S3

 * New AWS Regions launched after December 2022

For information about how to migrate from OAI to OAC, see Migrating from
origin access identity (OAI) to origin access control (OAC).


OVERVIEW OF ORIGIN ACCESS IDENTITY

GIVING AN ORIGIN ACCESS IDENTITY PERMISSION TO READ FILES IN THE AMAZON S3 BUCKET

When you create an OAI or add one to a distribution with the CloudFront console,
you can automatically update the Amazon S3 bucket policy to give the OAI
permission to access your bucket. Alternatively, you can choose to manually
create or update the bucket policy. Whichever method you use, you should still
review the permissions to make sure that:

 * Your CloudFront OAI can access files in the bucket on behalf of viewers who
   are requesting them through CloudFront.

 * Viewers can't use Amazon S3 URLs to access your files outside of CloudFront.

IMPORTANT

If you configure CloudFront to accept and forward all of the HTTP methods that
CloudFront supports, make sure you give your CloudFront OAI the desired
permissions. For example, if you configure CloudFront to accept and forward
requests that use the DELETE method, configure your bucket policy to handle
DELETE requests appropriately so viewers can delete only files that you want
them to.

USING AMAZON S3 BUCKET POLICIES

You can give a CloudFront OAI access to files in an Amazon S3 bucket by creating
or updating the bucket policy in the following ways:

 * Using the Amazon S3 bucket's Permissions tab in the Amazon S3 console.

 * Using PutBucketPolicy in the Amazon S3 API.

 * Using the CloudFront console. When you add an OAI to your origin settings in
   the CloudFront console, you can choose Yes, update the bucket policy to tell
   CloudFront to update the bucket policy on your behalf.

If you update the bucket policy manually, make sure that you:

 * Specify the correct OAI as the Principal in the policy.

 * Give the OAI the permissions it needs to access objects on behalf of viewers.

For more information, see the following sections.

SPECIFY AN OAI AS THE PRINCIPAL IN A BUCKET POLICY

To specify an OAI as the Principal in an Amazon S3 bucket policy, use the OAI's
Amazon Resource Name (ARN), which includes the OAI's ID. For example:

"Principal": {
    "AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity <origin access identity ID>"
}

To find the OAI's ID, see the Origin access identities page in the CloudFront
console, or use ListCloudFrontOriginAccessIdentities in the CloudFront API.

GIVE PERMISSIONS TO AN OAI

To give the OAI the permissions to access objects in your Amazon S3 bucket, use
actions in the policy that relate to specific Amazon S3 API operations. For
example, the s3:GetObject action allows the OAI to read objects in the bucket.
For more information, see the examples in the following section, or see Amazon
S3 actions in the Amazon Simple Storage Service User Guide.

AMAZON S3 BUCKET POLICY EXAMPLES

The following examples show Amazon S3 bucket policies that allow a CloudFront
OAI to access an S3 bucket.

To find the OAI's ID, see the Origin access identities page in the CloudFront
console, or use ListCloudFrontOriginAccessIdentities in the CloudFront API.

EXAMPLE AMAZON S3 BUCKET POLICY THAT GIVES THE OAI READ ACCESS

The following example allows the OAI to read objects in the specified bucket
(s3:GetObject).

{
    "Version": "2012-10-17",
    "Id": "PolicyForCloudFrontPrivateContent",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity <origin access identity ID>"
            },
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::<S3 bucket name>/*"
        }
    ]
}

EXAMPLE AMAZON S3 BUCKET POLICY THAT GIVES THE OAI READ AND WRITE ACCESS

The following example allows the OAI to read and write objects in the specified
bucket (s3:GetObject and s3:PutObject). This allows viewers to upload files to
your Amazon S3 bucket through CloudFront.

{
    "Version": "2012-10-17",
    "Id": "PolicyForCloudFrontPrivateContent",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity <origin access identity ID>"
            },
            "Action": [
                "s3:GetObject",
                "s3:PutObject"
            ],
            "Resource": "arn:aws:s3:::<S3 bucket name>/*"
        }
    ]
}
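A review helper for the two checks this section asks you to make (the OAI can read objects, and no other Allow statement lets viewers reach the bucket with plain S3 URLs), written here as an added Python example rather than code from the AWS documentation. The OAI ID and bucket name are constructed placeholders, and the policy it inspects mirrors the read-only example above with those placeholders filled in.

```python
# Constructed placeholder values: the real OAI ID and bucket name come from the
# CloudFront console or ListCloudFrontOriginAccessIdentities.
OAI_ID = "E1EXAMPLEOAI"
BUCKET = "example-private-bucket"
OAI_ARN_PREFIX = "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity "

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _principals(stmt):
    """Flatten Principal: "*" or {"AWS": arn-or-list-of-arns}."""
    principal = stmt.get("Principal")
    if principal == "*":
        return ["*"]
    if isinstance(principal, dict):
        return [p for key in principal for p in _as_list(principal[key])]
    return []

def audit_oai_bucket_policy(policy, bucket, oai_id):
    """Return findings; an empty list means the expected OAI can read objects and
    no Allow statement lets viewers reach the bucket with plain S3 URLs."""
    expected_arn = OAI_ARN_PREFIX + oai_id
    bucket_arn = "arn:aws:s3:::" + bucket
    findings, oai_granted = [], False
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = set(_as_list(stmt.get("Action", [])))
        in_bucket = all(r == bucket_arn or r.startswith(bucket_arn + "/")
                        for r in _as_list(stmt.get("Resource", [])))
        for principal in _principals(stmt):
            if principal == "*":
                findings.append("public Allow: viewers can bypass CloudFront with S3 URLs")
            elif principal != expected_arn:
                findings.append("principal other than the expected OAI: " + principal)
            elif not in_bucket:
                findings.append("OAI statement covers a resource outside " + bucket)
            else:
                oai_granted = True
                extra = sorted(actions - {"s3:GetObject"})
                if extra:
                    findings.append("OAI has more than read access: " + ", ".join(extra))
    if not oai_granted:
        findings.append("no Allow statement grants the expected OAI access")
    return findings

# Constructed policy mirroring the page's read-only example with placeholders filled.
READ_ONLY_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": OAI_ARN_PREFIX + OAI_ID},
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::" + BUCKET + "/*"}]}
```

The read-and-write policy above produces a single "more than read access" finding, which is expected when viewers are meant to upload through CloudFront; a public Allow is the one result that always needs fixing.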

USING AMAZON S3 OBJECT ACLS (NOT RECOMMENDED)

IMPORTANT

We recommend using Amazon S3 bucket policies to give an OAI access to an S3
bucket. You can use ACLs as described in this section, but we don't recommend
it.

Amazon S3 recommends setting S3 Object Ownership to bucket owner enforced, which
means that ACLs are disabled for the bucket and the objects in it. When you
apply this setting for Object Ownership, you must use bucket policies to give
access to the OAI (see the previous section).

The following section applies only to legacy use cases that require ACLs.

You can give a CloudFront OAI access to files in an Amazon S3 bucket by creating
or updating the file's ACL in the following ways:

 * Using the Amazon S3 object's Permissions tab in the Amazon S3 console.

 * Using PutObjectAcl in the Amazon S3 API.

When you grant access to an OAI using an ACL, you must specify the OAI using its
Amazon S3 canonical user ID. This is the value of Amazon S3 canonical user ID on
the Origin access identities page in the CloudFront console. If you're using the
CloudFront API, use the value of the S3CanonicalUserId element that was returned
when you created the OAI, or call ListCloudFrontOriginAccessIdentities in the
CloudFront API.

USING AN ORIGIN ACCESS IDENTITY IN AMAZON S3 REGIONS THAT SUPPORT ONLY SIGNATURE VERSION 4 AUTHENTICATION

Newer Amazon S3 Regions require that you use Signature Version 4 for
authenticated requests. (For the signature versions supported in each Amazon S3
Region, see Amazon Simple Storage Service endpoints and quotas in the AWS
General Reference.) If you're using an origin access identity and if your bucket
is in one of the Regions that requires Signature Version 4, note the following:

 * DELETE, GET, HEAD, OPTIONS, and PATCH requests are supported without
   qualifications.

 * If you want to submit PUT requests to CloudFront to upload files to your
   Amazon S3 bucket, you must add an x-amz-content-sha256 header to the
   request. The header value must contain a SHA-256 hash of the body of the
   request. For more information, see the documentation about the
   x-amz-content-sha256 header on the Common Request Headers page in the Amazon
   Simple Storage Service API Reference.

 * POST requests are not supported.
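An added Python example, not code from the AWS documentation, that applies the three rules above to a request before it is sent through CloudFront to an OAI-backed bucket in a Signature Version 4 Region: it computes the x-amz-content-sha256 value for a PUT body, rejects a PUT whose header is missing or does not match the body, and rejects POST. The request payload is constructed.

```python
import hashlib

def content_sha256(body: bytes) -> str:
    """Hex SHA-256 of the request body: the value x-amz-content-sha256 must carry."""
    return hashlib.sha256(body).hexdigest()

def check_oai_request(method: str, headers: dict, body: bytes):
    """Return (ok, reason) for a request against an OAI in a SigV4-only Region.
    Header names are matched case-insensitively, as HTTP requires."""
    method = method.upper()
    hdrs = {name.lower(): value for name, value in headers.items()}
    if method == "POST":
        return False, "POST is not supported with an OAI in SigV4-only Regions"
    if method in ("DELETE", "GET", "HEAD", "OPTIONS", "PATCH"):
        return True, "supported without qualification"
    if method == "PUT":
        sent = hdrs.get("x-amz-content-sha256")
        if sent is None:
            return False, "PUT requires an x-amz-content-sha256 header"
        if sent.lower() != content_sha256(body):
            return False, "x-amz-content-sha256 does not match the request body"
        return True, "PUT carries a valid x-amz-content-sha256 header"
    return False, "method not covered by the OAI SigV4 rules"

# Constructed upload payload used to build a well-formed PUT.
UPLOAD_BODY = b"constructed upload payload"
PUT_HEADERS = {"Content-Type": "text/plain",
               "x-amz-content-sha256": content_sha256(UPLOAD_BODY)}
```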

© 2023, Amazon Web Services, Inc. or its affiliates. All rights reserved.