Amazon CloudFront is a highly secure and scalable content delivery network (CDN) that improves the distribution of content to users with low latency and high transfer speeds. CloudFront offers two key features to enhance security when serving content from Amazon S3 buckets: Origin Access Identity (OAI) and Origin Access Control (OAC). In this blog, we’ll explore these features, their purpose, and how to configure them using Terraform. We’ll also discuss their advantages and disadvantages to help you decide which is suitable for your use case.
Target Audience
This blog is intended for cloud architects, DevOps engineers, and developers who are familiar with AWS and want to improve their understanding of secure content delivery using CloudFront and S3.
Key Concepts to Explain
What is OAI?
Origin Access Identity (OAI) is a special CloudFront user identity that ensures CloudFront can fetch objects securely from an S3 bucket without exposing them to the public.
What is OAC?
Origin Access Control (OAC) is an advanced feature providing fine-grained control over access permissions between CloudFront and S3. It builds on the benefits of OAI while offering additional flexibility and management improvements.
Terraform Configuration Examples
Configuring OAI in Terraform
Here’s how you can configure an OAI to secure your S3 bucket:
1. Define the S3 Bucket
resource "aws_s3_bucket" "example" {
  bucket = "example-bucket"
}
Here, we define an Amazon S3 bucket using Terraform. The bucket is named example-bucket. This will be the origin for our CloudFront distribution.
2. Create an OAI
resource "aws_cloudfront_origin_access_identity" "example" {
  comment = "Access identity for CloudFront"
}
This block creates an Origin Access Identity (OAI) for CloudFront. The OAI acts as a virtual user that CloudFront uses to securely access the S3 bucket.
Why OAI? Without an OAI, your S3 bucket would need to allow public access for CloudFront to fetch objects. By using an OAI, you can block public access to your bucket while allowing CloudFront to serve content.
3. Attach a Bucket Policy to Allow OAI Access
resource "aws_s3_bucket_policy" "example" {
  bucket = aws_s3_bucket.example.id
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Effect = "Allow"
        Principal = {
          AWS = aws_cloudfront_origin_access_identity.example.iam_arn
        }
        Action   = "s3:GetObject"
        Resource = "${aws_s3_bucket.example.arn}/*"
      }
    ]
  })
}
This step is critical for securing the S3 bucket.
Bucket Policy: The policy grants the OAI permission to read objects (s3:GetObject) from the bucket.
Principal: Specifies the OAI as the entity allowed to access the bucket.
Resource: Applies the
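The three steps above stop at the bucket policy. The following is an added example, not code from the original post, that supplies the two remaining pieces a working OAI deployment needs: a public access block on the bucket (so the bucket policy cannot be loosened to public later) and the CloudFront distribution that actually presents the OAI to S3. It assumes the `aws_s3_bucket.example`, `aws_cloudfront_origin_access_identity.example` and `aws_s3_bucket_policy.example` resources defined above; the origin id `s3-example`, the default root object `index.html` and the lookup of the AWS-managed `Managed-CachingOptimized` cache policy are this example's own choices.

```hcl
# Added example (not from the original post): completing the OAI setup.
# Assumes aws_s3_bucket.example, aws_cloudfront_origin_access_identity.example
# and aws_s3_bucket_policy.example from the steps above.

# 4. Block all public access to the bucket. OAI requests are signed by a
#    CloudFront principal, not anonymous, so they still pass these settings,
#    while any future "Principal": "*" statement is rejected at apply time.
resource "aws_s3_bucket_public_access_block" "example" {
  bucket                  = aws_s3_bucket.example.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

# AWS-managed cache policy, looked up by name (assumed choice for this example).
data "aws_cloudfront_cache_policy" "optimized" {
  name = "Managed-CachingOptimized"
}

# 5. The distribution that uses the OAI. The S3 origin must reference the
#    identity through s3_origin_config; without it CloudFront requests the
#    object anonymously and receives 403 once public access is blocked.
resource "aws_cloudfront_distribution" "example" {
  enabled             = true
  default_root_object = "index.html" # assumed object name

  origin {
    # Regional endpoint avoids redirects for buckets outside us-east-1.
    domain_name = aws_s3_bucket.example.bucket_regional_domain_name
    origin_id   = "s3-example" # assumed origin id

    s3_origin_config {
      origin_access_identity = aws_cloudfront_origin_access_identity.example.cloudfront_access_identity_path
    }
  }

  default_cache_behavior {
    target_origin_id       = "s3-example"
    viewer_protocol_policy = "redirect-to-https" # never serve plaintext to viewers
    allowed_methods        = ["GET", "HEAD", "OPTIONS"]
    cached_methods         = ["GET", "HEAD"]
    cache_policy_id        = data.aws_cloudfront_cache_policy.optimized.id
  }

  restrictions {
    geo_restriction {
      restriction_type = "none"
    }
  }

  viewer_certificate {
    cloudfront_default_certificate = true
  }
}
```

After `terraform apply`, two checks confirm the bucket is only reachable through CloudFront: `aws s3api get-bucket-policy-status --bucket example-bucket` should report `"IsPublic": false`, and fetching an object directly from the bucket URL should return 403 while the same path on the distribution's domain returns 200.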
You can read more about OAI and OAC in AWS CloudFront.
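The post describes OAC conceptually but only shows Terraform for OAI. The following is an added example, not code from the original post, that wires the same bucket to CloudFront with OAC instead. It assumes `aws_s3_bucket.example` (and the public access block, if you added one) already exist, and it replaces the OAI resources: the `aws_cloudfront_origin_access_identity`, the OAI-based `aws_s3_bucket_policy.example`, and the `s3_origin_config` stanza in the distribution. The OAC name `example-oac`, the origin id `s3-example` and the cache policy lookup are this example's own choices. The security-relevant difference is in the bucket policy: the principal is now the CloudFront service itself, so the `AWS:SourceArn` condition is the only thing that limits access to this one distribution rather than to any distribution in any account.

```hcl
# Added example (not from the original post): OAC instead of OAI.
# Assumes aws_s3_bucket.example exists; replaces the OAI identity, the OAI
# bucket policy and the OAI distribution (a bucket has only one policy).

resource "aws_cloudfront_origin_access_control" "example" {
  name                              = "example-oac" # assumed name
  description                       = "OAC for example-bucket"
  origin_access_control_origin_type = "s3"
  signing_behavior                  = "always" # sign every origin request with SigV4
  signing_protocol                  = "sigv4"
}

# AWS-managed cache policy, looked up by name (assumed choice for this example).
data "aws_cloudfront_cache_policy" "optimized" {
  name = "Managed-CachingOptimized"
}

resource "aws_cloudfront_distribution" "example" {
  enabled             = true
  default_root_object = "index.html" # assumed object name

  origin {
    domain_name = aws_s3_bucket.example.bucket_regional_domain_name
    origin_id   = "s3-example" # assumed origin id
    # With OAC there is no s3_origin_config block; the control is attached here.
    origin_access_control_id = aws_cloudfront_origin_access_control.example.id
  }

  default_cache_behavior {
    target_origin_id       = "s3-example"
    viewer_protocol_policy = "redirect-to-https"
    allowed_methods        = ["GET", "HEAD", "OPTIONS"]
    cached_methods         = ["GET", "HEAD"]
    cache_policy_id        = data.aws_cloudfront_cache_policy.optimized.id
  }

  restrictions {
    geo_restriction {
      restriction_type = "none"
    }
  }

  viewer_certificate {
    cloudfront_default_certificate = true
  }
}

# Bucket policy for OAC. The principal is the CloudFront service, not a
# per-account identity, so the AWS:SourceArn condition is what scopes the
# grant to this distribution. Terraform orders this after the distribution
# because the policy references its ARN.
resource "aws_s3_bucket_policy" "example" {
  bucket = aws_s3_bucket.example.id
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Sid       = "AllowCloudFrontServicePrincipalReadOnly"
        Effect    = "Allow"
        Principal = { Service = "cloudfront.amazonaws.com" }
        Action    = "s3:GetObject"
        Resource  = "${aws_s3_bucket.example.arn}/*"
        Condition = {
          StringEquals = {
            "AWS:SourceArn" = aws_cloudfront_distribution.example.arn
          }
        }
      }
    ]
  })
}
```

When reviewing an OAC policy, treat a missing `AWS:SourceArn` (or `AWS:SourceAccount`) condition as a finding: the service-principal grant alone would let any CloudFront distribution that names this bucket as its origin read from it.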