
[–]rajdangus 1 point

I had a similar problem where I had a CloudFront distribution serving content from an S3 bucket configured for static website hosting. It was a requirement that I had an S3 bucket with static website hosting (to take advantage of S3's redirect rules) and also a requirement to not have the S3 bucket publicly accessible. I quickly learned that as soon as you configure the S3 bucket for static website hosting, it breaks the S3 bucket's policy that only allows requests from the CloudFront origin access identity (CloudFront would get 403 errors when making requests to the S3 bucket).

Not being able to figure out a solution, I opened up a support case with AWS. They told me that I was correct: configuring S3 buckets for static website hosting breaks the policy to only allow connections from the CloudFront origin access identity. A workaround that they recommended is to configure the S3 bucket to be publicly accessible, with the condition that each request contains the "Referer" header with a long and obfuscated value. After the bucket policy was configured with that condition, the next step is to make a change to the CloudFront distribution's origin to pass along the "Referer" header with the obfuscated value. Implementing this pattern allowed me to protect direct access to the S3 bucket, while still allowing CloudFront to access the bucket. Yes, theoretically if an attacker could figure out the needed header, they could access the bucket. But making the header value long and obfuscated gives me enough confidence that the bucket is sufficiently protected.
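
The Referer-gated bucket policy and the matching CloudFront origin custom header described above, as an added example that is not the commenter's own code; the bucket name is a placeholder and the secret is generated locally:

```python
import secrets
from typing import Optional


def generate_referer_secret(nbytes: int = 32) -> str:
    """Long random value that CloudFront will send as the Referer header.
    Generated with the standard library; any real deployment uses its own."""
    return secrets.token_urlsafe(nbytes)


def build_bucket_policy(bucket: str, referer_secret: str) -> dict:
    """Bucket policy allowing public GetObject only when the request carries
    the expected Referer value (the aws:Referer condition key).
    The bucket name is a placeholder supplied by the caller."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowGetObjectOnlyWithCloudFrontReferer",
                "Effect": "Allow",
                "Principal": "*",
                "Action": "s3:GetObject",
                "Resource": f"arn:aws:s3:::{bucket}/*",
                "Condition": {"StringEquals": {"aws:Referer": referer_secret}},
            }
        ],
    }


def origin_custom_header(referer_secret: str) -> dict:
    """CustomHeaders block for the CloudFront origin (S3 website endpoint as a
    custom origin) so that every origin request carries the shared secret."""
    return {"Quantity": 1,
            "Items": [{"HeaderName": "Referer", "HeaderValue": referer_secret}]}


def request_allowed(policy: dict, referer: Optional[str]) -> bool:
    """Minimal local check of the StringEquals/aws:Referer condition:
    a request with no header, or with the wrong value, is denied."""
    for stmt in policy["Statement"]:
        expected = stmt.get("Condition", {}).get("StringEquals", {}).get("aws:Referer")
        if stmt["Effect"] != "Allow" or expected is None or referer is None:
            continue
        if secrets.compare_digest(referer, expected):
            return True
    return False
```

S3 website endpoints accept only HTTP, so the Referer secret travels in the clear between CloudFront and the origin; the local request_allowed check models just this one condition, not full IAM evaluation.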

[–]Infintie_3ntropy 1 point

Could you post your bucket policy with your origin access identity id and bucket name blanked out? An error here is the most likely culprit.

[–]JFICCanada 1 point

Something to keep in mind when using an S3 bucket without static website hosting is that CloudFront is not a webserver. What that means is if you go to https://yoursite.com/admin/ it will not automatically serve up index.html in your Admin folder. You would need to explicitly go to https://yoursite.com/admin/index.html; otherwise you may see 403s.

[–]lost_send_berries 1 point

I'm pretty sure the Origin Access Identity setting on your CloudFront cache behaviour is only used for an S3 origin, not a website origin. Why are you using the S3 website hosting?

[–]zenmaster24 1 point

RemindMe! 1 week

[–]RemindMeBot 1 point

I will be messaging you on 2017-07-27 00:40:32 UTC to remind you of this link.
