Restricting Access to an Amazon S3 Bucket with a Static Website using CloudFront


Introduction

When you host a static website in Amazon S3 and serve it through Amazon CloudFront, you usually want the bucket to accept requests only from your CloudFront distribution. Otherwise anyone who discovers the bucket name can fetch objects directly from S3 and bypass whatever CloudFront enforces in front of them: TLS, AWS WAF rules, geo restrictions, signed URLs or cookies, and caching.

Which mechanism you can use depends on how the bucket is exposed to CloudFront: as an S3 (REST) origin, or as a website endpoint behind a custom origin.

Using Origin Access Identity (OAI) or Origin Access Control (OAC)

If your bucket is used as an S3 origin (the bucket's REST endpoint, for example bucket-name.s3.region.amazonaws.com) rather than as a website endpoint, you can use Origin Access Identity (OAI) or Origin Access Control (OAC) to restrict access to it.

OAI and OAC are two ways for CloudFront to send authenticated requests to an S3 origin. With either, the bucket policy grants read access only to the identity CloudFront uses, so direct requests from anyone else are denied.

OAC is the newer mechanism and AWS recommends it for new distributions; OAI is kept for backwards compatibility. OAC signs origin requests with SigV4 using short-term credentials that are rotated more frequently than OAI's. Because the bucket policy grants access to the cloudfront.amazonaws.com service principal and scopes it with an AWS:SourceArn condition naming your distribution, another account cannot point its own distribution at your bucket; this is the protection against confused deputy attacks that the OAI model lacked. OAC also works with buckets in all AWS Regions, including opt-in Regions launched after December 2022, with server-side encryption using AWS KMS (SSE-KMS), and with dynamic requests (PUT and DELETE) to S3.

To use either, create the OAI or OAC in the CloudFront console (or with the CLI or API) and attach it to the S3 origin in your distribution. Then update the bucket policy so that only that identity may read objects: for OAC, allow s3:GetObject to the cloudfront.amazonaws.com service principal with a condition that AWS:SourceArn equals your distribution's ARN; for OAI, allow the OAI's IAM principal. Leave S3 Block Public Access enabled on the bucket and remove any separate public-read statement, or the restriction is meaningless. If objects are encrypted with SSE-KMS, the KMS key policy must also allow the CloudFront service principal to decrypt.

Using Custom Headers

If the bucket is configured as a website endpoint (bucket-name.s3-website-region.amazonaws.com) and used as a custom origin, OAI and OAC are not available, because S3 treats website-endpoint requests as anonymous HTTP. You can still restrict access by having CloudFront add a secret header to every origin request and requiring that header in the bucket policy.

In practice the header is Referer, matched through the aws:Referer condition key, because S3 bucket policies cannot match arbitrary custom headers. Configure the origin in your distribution to add a custom header named Referer with a long random value; CloudFront replaces any Referer the viewer sent with this value before forwarding the request. The bucket policy then allows s3:GetObject to Principal "*" only when aws:Referer equals that value. Because the website endpoint requires anonymous reads, S3 Block Public Access must be turned off for this bucket; the Referer condition is the only thing keeping the objects from being public.

The result is that only requests carrying the secret header are served, and only your distribution is configured to send it. Treat the value as a shared secret rather than an identity: anyone who learns it can read the bucket directly; the website endpoint speaks only HTTP, so the value crosses the CloudFront-to-S3 hop unencrypted (the origin protocol policy must be HTTP Only); and it should be rotated periodically by changing the origin header and the bucket policy together. If you do not need website-endpoint features, OAC on the REST endpoint is the stronger option.
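The following is an added example, not code from the original article or from AWS: it builds the two bucket policies described in the OAI/OAC and custom-header sections above, and audits any bucket policy for the mistakes that defeat them (a public principal with no Referer condition, a CloudFront service principal without AWS:SourceArn, a legacy OAI principal). The bucket name, account ID, distribution ID, OAI ID and secret are placeholders, and the sample legacy policy is constructed for the example.

```javascript
// Added example: build and audit S3 bucket policies for a CloudFront origin.
// All identifiers below are placeholders, not values from the article.
const BUCKET = "example-site-bucket";
const DISTRIBUTION_ARN = "arn:aws:cloudfront::111122223333:distribution/EDFDVBD6EXAMPLE";

// REST (bucket) endpoint protected by OAC: the CloudFront service principal may
// read objects, but only on behalf of this one distribution. Without the
// AWS:SourceArn condition any distribution in any account could use the bucket
// as an origin (the confused-deputy problem).
function oacBucketPolicy(bucket, distributionArn) {
  return {
    Version: "2012-10-17",
    Statement: [{
      Sid: "AllowCloudFrontServicePrincipalReadOnly",
      Effect: "Allow",
      Principal: { Service: "cloudfront.amazonaws.com" },
      Action: "s3:GetObject",
      Resource: `arn:aws:s3:::${bucket}/*`,
      Condition: { StringEquals: { "AWS:SourceArn": distributionArn } },
    }],
  };
}

// Website endpoint as a custom origin: S3 cannot authenticate CloudFront here,
// so anonymous GetObject is allowed only when the Referer header carries the
// secret that the CloudFront origin is configured to add.
function refererBucketPolicy(bucket, secret) {
  return {
    Version: "2012-10-17",
    Statement: [{
      Sid: "AllowGetObjectOnlyWithSecretReferer",
      Effect: "Allow",
      Principal: "*",
      Action: "s3:GetObject",
      Resource: `arn:aws:s3:::${bucket}/*`,
      Condition: { StringEquals: { "aws:Referer": secret } },
    }],
  };
}

// Constructed sample of the legacy pattern the audit should flag.
const SAMPLE_LEGACY_OAI_POLICY = JSON.parse(`{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "LegacyOAIRead",
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity E1EXAMPLE12345"},
    "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::example-site-bucket/*"
  }]
}`);

// Return a list of findings (severity-prefixed strings) for a bucket policy.
function auditBucketPolicy(policy) {
  const findings = [];
  const statements = Array.isArray(policy.Statement) ? policy.Statement : [policy.Statement];
  for (const st of statements) {
    if (st.Effect !== "Allow") continue;
    const sid = st.Sid || "(no Sid)";
    // Collect every condition key, regardless of operator, lower-cased.
    const condKeys = Object.values(st.Condition || {})
      .flatMap((m) => Object.keys(m).map((k) => k.toLowerCase()));
    const p = st.Principal;
    const isPublic = p === "*" || (p != null && p.AWS === "*");
    const services = p && p.Service ? [].concat(p.Service) : [];
    const awsPrincipals = p && p.AWS ? [].concat(p.AWS) : [];

    if (isPublic && !condKeys.includes("aws:referer")) {
      findings.push(`HIGH: ${sid}: public principal with no aws:Referer condition; the bucket is readable by anyone`);
    } else if (isPublic) {
      findings.push(`INFO: ${sid}: website-endpoint pattern; access rests on a shared Referer secret that must be rotated`);
    }
    if (services.includes("cloudfront.amazonaws.com") && !condKeys.includes("aws:sourcearn")) {
      findings.push(`HIGH: ${sid}: cloudfront.amazonaws.com allowed without AWS:SourceArn; any distribution could read this bucket`);
    }
    if (awsPrincipals.some((a) => typeof a === "string" && a.includes("CloudFront Origin Access Identity")) || (p && p.CanonicalUser)) {
      findings.push(`LOW: ${sid}: legacy OAI principal; migrate to OAC`);
    }
  }
  return findings;
}

// Usage: JSON.stringify(oacBucketPolicy(BUCKET, DISTRIBUTION_ARN), null, 2) produces a
// document you can pass to aws s3api put-bucket-policy --policy file://policy.json.
```

The audit only inspects the policy document; it cannot tell you whether S3 Block Public Access is on, whether the CloudFront origin actually sends the Referer header, or whether the KMS key policy admits the CloudFront service principal. Run it as a first pass and confirm those settings separately.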

Why Use the S3 Website Endpoint

AWS documentation recommends the S3 website endpoint rather than the bucket (REST) endpoint when a CloudFront distribution serves a website, because the website endpoint provides features the REST endpoint lacks: index documents (serving /docs/index.html for a request to /docs/), error documents, and redirection rules.

These features exist only on the website endpoint. With the bucket endpoint, CloudFront's default root object covers only the site root ("/"), not subdirectories, so you have to reproduce the rest yourself: a CloudFront Function or Lambda@Edge on the viewer-request event to map directory URIs to the index document, and CloudFront custom error responses to serve an error page (map 403 as well as 404, because S3 returns 403 for a missing key unless the policy also grants s3:ListBucket). The trade-off is that the bucket endpoint supports OAC and HTTPS to the origin, while the website endpoint supports neither.
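As an added example (not code from the original article or from AWS), here is a CloudFront Function for the viewer-request event that reproduces the website endpoint's index-document behaviour on a bucket (REST) endpoint origin, so that OAC can be kept. It is written in the ES5 subset the CloudFront Functions runtime accepts. The index document name is an assumption; the rule that a final path segment without a dot is a directory is a heuristic you may need to adjust for your site.

```javascript
// Added example: CloudFront Function (viewer-request) restoring index-document
// behaviour for a REST-endpoint S3 origin. INDEX_DOCUMENT is an assumed name.
var INDEX_DOCUMENT = "index.html";

// CloudFront Functions expose the query string as an object
// ({ name: { value: "..." } } or { name: { value, multiValue: [...] } });
// rebuild it so a redirect keeps it. Values are used as received.
function querystringToText(qs) {
  var parts = [];
  for (var name in qs) {
    if (qs[name].multiValue) {
      qs[name].multiValue.forEach(function (v) { parts.push(name + "=" + v.value); });
    } else {
      parts.push(name + "=" + qs[name].value);
    }
  }
  return parts.length ? "?" + parts.join("&") : "";
}

function handler(event) {
  var request = event.request;
  var uri = request.uri;
  var lastSegment = uri.substring(uri.lastIndexOf("/") + 1);

  // "/" or "/docs/" -> "/index.html" or "/docs/index.html": fetch the same object
  // the website endpoint would have served, transparently to the viewer.
  if (lastSegment === "") {
    request.uri = uri + INDEX_DOCUMENT;
    return request;
  }

  // "/docs" (no file extension) -> 301 to "/docs/", as the website endpoint does,
  // so relative links inside the index document resolve against the directory.
  if (lastSegment.indexOf(".") === -1) {
    return {
      statusCode: 301,
      statusDescription: "Moved Permanently",
      headers: {
        location: { value: uri + "/" + querystringToText(request.querystring || {}) }
      }
    };
  }

  // "/css/site.css" and any other file request: pass through untouched.
  return request;
}
```

Associate the function with the default cache behaviour's viewer-request event. Error documents are handled separately, with custom error responses on the distribution rather than in this function.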

Conclusion

In conclusion, how you restrict an S3 bucket behind CloudFront depends on how the bucket is exposed. A bucket used as an S3 (REST) origin can be locked down with Origin Access Control, or the legacy Origin Access Identity, so that only your distribution can read from it. A bucket used as a website endpoint can only be protected with a secret Referer header enforced by the bucket policy, which is weaker but the sole option there. AWS recommends the website endpoint when the distribution serves a website because of its index document, error document and redirection features; weigh that against the stronger origin protection and HTTPS that the bucket endpoint with OAC provides.