Publish S3 bucket through CloudFront and OAI
Here I’m going to explain how to serve an S3 bucket through a CloudFront distribution and how to allow users to reach the bucket only via CloudFront, using an origin access identity.
The flow is: the user’s browser requests S3 bucket content, the request goes through the CloudFront distribution, and CF reaches out to the S3 bucket, gets the content, caches it and then serves it to the user.
Implementation steps:
First go to the AWS console and create an S3 bucket. When you create the bucket, uncheck the "Block all public access" check box, because we are not going to block anonymous access to the bucket. Now anyone can view the bucket.
After that, go into the bucket and upload your files. Now let’s try to view our files using the endpoint of the uploaded files.
We get a forbidden error now. The reason is that we haven’t yet added permission to view the content in our S3 bucket. To do that we have to add a bucket policy.
To add a bucket policy, go to the Permissions tab -> Bucket Policy
The bucket policy is written in JSON. There is a policy examples link at the top of the policy tab; you can refer to it when adding policies to the bucket. Here I added a principal of anybody / any anonymous user (*) with an Allow effect for the s3:GetObject action. s3:GetObject means fetching our resources inside the bucket and sending them to the browser, which then renders our files. As the resource you have to enter your bucket ARN, which is displayed at the top of the JSON policy editor. Now save the policy.
Now we are able to see the files inside our S3 bucket using the browser.
That means the S3 bucket is available to every user in the world. But the best practice is to use a CloudFront distribution to serve our files; we are not going to send users’ requests directly to the S3 bucket.
One reason to use a CloudFront distribution is caching the content at the CloudFront level. Sometimes CF serves the content without going to the S3 bucket at all, because it has already cached that content from the bucket.
To implement this we need to create a CloudFront distribution in our AWS console.
Services -> CloudFront -> Create Distribution -> Get Started
Our origin here is the S3 bucket; we can leave the other configurations as they are and create the distribution. It will take about 10 minutes to deploy. After the deployment is done we can use the distribution’s domain name to access our S3 bucket files.
Perfect!
As per the diagram we have implemented the full setup. But there is an issue: we can access our content through CloudFront as well as through the S3 bucket URL. Our intention is to access the content via CloudFront only, so we have to restrict direct access to the S3 bucket.
We do this using an origin access identity (OAI). An OAI is basically a CloudFront user: in CloudFront we create this user and allow only it to access the S3 bucket. Any anonymous request that comes directly to the S3 bucket will be dropped, and only requests coming from CloudFront are allowed.
To create the OAI, go to CloudFront -> Origin Access Identity (in the left panel, below Security) -> Create Origin Access Identity.
Now we can edit our S3 bucket permissions to allow only this user to access the bucket. We can do this easily through CloudFront: select our CloudFront distribution, go to Origins and Origin Groups, select the S3 origin and click Edit.
As the Origin Domain Name we have already added our S3 bucket; if not, you can add it now. Then click Yes for Restrict Bucket Access. It will ask for the Origin Access Identity; since we have already created one, choose Use an Existing Identity and select our identity in the drop-down. Then for Grant Read Permissions on Bucket, click Yes, Update Bucket Policy. This is the shortcut to update the bucket policy. Finally click Yes, Edit.
Now we can check whether our bucket policy has been updated. When we go to our bucket policy tab, we can see another statement in the policy. Checking the principal of that statement, we see it has been set to our origin access identity. So we can remove our previous statement that allowed access for all users and keep only the new statement.
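The two bucket-policy shapes this walkthrough moves between, plus a small check you can run over a policy pulled from the bucket to confirm the anonymous statement really is gone and only the OAI remains. This is an added example, not code from the original post; the bucket ARN and the OAI id E1EXAMPLEOAIID are placeholders.

```python
# Constructed sample: the world-readable policy from the first step of the post.
PUBLIC_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
    "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::EXAMPLE-BUCKET/*",  # placeholder bucket ARN
}]}

# Constructed sample: the policy after "Yes, Update Bucket Policy" with the old
# public statement removed. The OAI id E1EXAMPLEOAIID is a placeholder.
OAI_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "CloudFrontOAIRead", "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::cloudfront:user/"
                         "CloudFront Origin Access Identity E1EXAMPLEOAIID"},
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::EXAMPLE-BUCKET/*",
}]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _aws_principals(principal):
    """Normalise the Principal element to a list of strings ("*" means anyone)."""
    if isinstance(principal, dict):
        return [str(p) for p in _as_list(principal.get("AWS", []))]
    return [str(principal)] if principal is not None else []

def anonymous_read_sids(policy):
    """Sids of Allow statements that grant GetObject (or broader) to everyone."""
    hits = []
    for stmt in _as_list(policy.get("Statement", [])):
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if (stmt.get("Effect") == "Allow"
                and "*" in _aws_principals(stmt.get("Principal"))
                and actions & {"s3:getobject", "s3:*", "*"}):
            hits.append(stmt.get("Sid", "<no Sid>"))
    return hits

def oai_only(policy):
    """True when nothing is anonymous and some statement names a CloudFront OAI."""
    oai_marker = "cloudfront:user/CloudFront Origin Access Identity"
    grants_oai = any(oai_marker in p for s in _as_list(policy["Statement"])
                     for p in _aws_principals(s.get("Principal")))
    return grants_oai and not anonymous_read_sids(policy)

if __name__ == "__main__":
    for name, pol in (("public", PUBLIC_POLICY), ("oai", OAI_POLICY)):
        print(name, "anonymous:", anonymous_read_sids(pol), "oai_only:", oai_only(pol))
```

A policy that still carries both statements, the state right after the console adds the OAI grant, fails the check until the old public statement is deleted.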
Let’s check our S3 bucket’s accessibility from the web browser.
Now it is forbidden, and when we access it via CloudFront the content renders!