Reputation: 602
Amazon S3 access from Cloudfront through HTTP
- I have a S3 bucket, serving as static website.
- I have a cloudfront distribution, pointed towards HTTP endpoint of the bucket.
- I want to limit access to my S3 bucket to only Cloudfront.
I guess I can do this by adding Principal: arn:iam:cloudfront ....
But this allows direct S3 access, not HTTP Endpoint access.
When I configure Cloudfront to serve S3 bucket directly, it doesn't show subdirectory index.htmls. In order to reach mysite.com/blog/, I have to type mysite.com/blog/index.html
For this reason, I have to use HTTP endpoint of the S3 as if the site is not on S3 but on an Apache server.
Now I can't restrict access via arn:iam:cloudfront. Because Cloudfront becomes yet another web crawler, S3 becomes yet another web server.
They suggest adding custom headers so that the server understands it's the cloudfront. But S3 doesn't support custom headers.
Restricting user agent to CloudFront and Principal to AWS: * does a brief work but it doesn't stop UserAgent spoofing.
How can I solve this problem?
Upvotes: 3
Views: 1594
Answers (2)
Reputation: 179414
Don't configure the origin as S3 at all -- configure it as a Custom origin and then use the bucket's website endpoint hostname as the origin server hostname.
At that point, you should be able to configure an Origin Custom Header that CloudFront will send to the origin -- which happens to be the bucket's web site endpoint.
User-Agent is not on the list of custom headers that CloudFront won't forward, so you should be able to send a custom user agent string -- acting somewhat like a static password -- in the requests from CloudFront to S3, and configure your bucket to only allow that custom user agent.
It could still theoretically be spoofed, but since it's a random string that you made up, nobody knows that value except you, S3, and CloudFront, and it would be very tricky for someone to spoof an unknown value, particularly since S3 simply denies access, without explanation.
Upvotes: 3
Reputation: 46879
Have you tried this method?
To ensure that your users access your objects using only CloudFront URLs, regardless of whether the URLs are signed, perform the following tasks:
Create an origin access identity, which is a special CloudFront user, and associate the origin access identity with your distribution. (For web distributions, you associate the origin access identity with origins, so you can secure all or just some of your Amazon S3 content.) You can also create an origin access identity and add it to your distribution when you create the distribution.
Change the permissions either on your Amazon S3 bucket or on the objects in your bucket so only the origin access identity has read permission (or read and download permission). When your users access your Amazon S3 objects through CloudFront, the CloudFront origin access identity gets the objects on your users' behalf. If your users request objects directly by using Amazon S3 URLs, they're denied access. The origin access identity has permission to access objects in your Amazon S3 bucket, but users don't.
Upvotes: 1
Related Questions
- What is the difference between Amazon SNS and Amazon SQS?
- CORS Access-Control-* headers dropped from AWS Cloudfront Signed URL serving S3 bucket data on a custom domain
- How do you set a default root object for subdirectories for a statically hosted website on Cloudfront?
- Add content-type for specific file types in Amazon CloudFront?
- CloudFront distribution and AWS issued certificate gives SSL_ERROR_NO_CYPHER_OVERLAP
- Adding HTTP Security Headers Using Lambda@Edge and Amazon CloudFront for All routes (error routes)
- AWS Cloudfront to EC2 with mixed PHP and static content
- Serving gzipped CSS and JavaScript from Amazon CloudFront via S3