OAC vs. OAI (Legacy): Key Improvements
For many years, Origin Access Identity (OAI) was the standard way to restrict an S3 origin so that only CloudFront could read it. Origin Access Control (OAC) is a significant improvement over OAI and should be used for all new CloudFront distributions.
| Feature | OAI (Legacy) | OAC (Recommended) |
| :--- | :--- | :--- |
| Encryption Support | Only works with objects encrypted with SSE-S3. | Supports all S3 server-side encryption, including SSE-KMS. |
| HTTP Methods | Only supports `GET` and `HEAD` requests. | Supports dynamic requests: `GET`, `HEAD`, `POST`, `PUT`, `DELETE`, `PATCH`, `OPTIONS`. |
| Security Model | Uses a special, long-lived CloudFront principal. | Uses a stronger security model with short-term credentials and frequent credential rotation, offering better protection against "confused deputy" attacks. |
| Regional Support | Had limitations with some newer AWS Regions. | Fully supports all AWS Regions, including those that require SigV4. |
Bottom Line: Always use OAC for new projects. Migrate existing distributions from OAI to OAC to take advantage of the enhanced security and features.
How to Configure OAC: A Step-by-Step Guide
Setting up OAC is a two-part process that involves configuring both your CloudFront distribution and your S3 bucket.
Part 1: Configure the CloudFront Distribution
- Navigate to your CloudFront distribution and select the Origins tab.
- Select your S3 origin and click Edit.
- Under the Origin access section, select Origin access control settings (recommended).
- Click Create control setting. You only need to give it a name (e.g., `OAC-for-MyWebApp`). CloudFront handles the rest.
- After creating the OAC, CloudFront will display a message with a suggested S3 bucket policy. Click the Copy policy button.
- Save the changes to your CloudFront origin.
Part 2: Apply the S3 Bucket Policy
- Navigate to the Amazon S3 console and select the bucket you are using as your origin.
- Go to the Permissions tab.
- In the Bucket policy section, click Edit.
- Delete any existing policy statements related to the old OAI or to public access.
- Paste the policy you copied from the CloudFront console.
- Save the policy. The bucket policy now allows reads only from CloudFront, and only on behalf of your specific distribution.
The OAC Bucket Policy Explained
The policy that CloudFront generates is the key to how OAC works. It grants the CloudFront service principal permission to get objects from your bucket, but only on behalf of your specific distribution.
Example Bucket Policy:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowCloudFrontServicePrincipal",
      "Effect": "Allow",
      "Principal": {
        "Service": "cloudfront.amazonaws.com"
      },
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::your-bucket-name/*",
      "Condition": {
        "StringEquals": {
          "AWS:SourceArn": "arn:aws:cloudfront::111122223333:distribution/E123ABCDEF456G"
        }
      }
    }
  ]
}
```
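The following script is an added example, not code from the original article or from AWS. It covers both Part 2 of the walkthrough (stripping legacy OAI and public-access statements before pasting the OAC policy) and the policy explanation above: `build_oac_policy` produces the same policy shape CloudFront suggests, scoped to one distribution, and `audit_bucket_policy` flags the statements that should not survive an OAC migration, including a `cloudfront.amazonaws.com` grant that lacks the `AWS:SourceArn` condition, which is exactly the confused-deputy gap the condition closes. Function names and the `LEGACY_POLICY` sample are constructed for this example; the account ID and distribution ID are the placeholders from the policy above.

```python
"""Offline helpers for the OAC bucket-policy step.

Function names (build_oac_policy, audit_bucket_policy) and the LEGACY_POLICY
sample are constructed for this example; nothing here calls AWS.
"""
import json

CLOUDFRONT_SERVICE = "cloudfront.amazonaws.com"
# Legacy OAI principals carry this prefix (the real AWS ARN format for OAIs).
OAI_PRINCIPAL_PREFIX = "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity"


def build_oac_policy(bucket: str, account_id: str, distribution_id: str) -> dict:
    """Return the OAC bucket policy CloudFront suggests, scoped to one distribution."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowCloudFrontServicePrincipal",
                "Effect": "Allow",
                "Principal": {"Service": CLOUDFRONT_SERVICE},
                "Action": "s3:GetObject",
                "Resource": f"arn:aws:s3:::{bucket}/*",
                "Condition": {
                    "StringEquals": {
                        "AWS:SourceArn": f"arn:aws:cloudfront::{account_id}:distribution/{distribution_id}"
                    }
                },
            }
        ],
    }


def _as_list(value):
    """IAM allows scalars or lists in most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def audit_bucket_policy(policy: dict, expected_distribution_arn: str) -> list:
    """Return human-readable findings for Allow statements that weaken an OAC setup.

    Flags: wildcard principal (public bucket), legacy OAI principal,
    cloudfront.amazonaws.com without AWS:SourceArn (any distribution in any
    account could read the bucket), and a SourceArn naming another distribution.
    """
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        principal = stmt.get("Principal", {})
        if principal == "*" or (isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))):
            findings.append(f"{sid}: wildcard principal grants public access")
            continue
        if not isinstance(principal, dict):
            continue
        for arn in _as_list(principal.get("AWS", [])):
            if arn.startswith(OAI_PRINCIPAL_PREFIX):
                findings.append(f"{sid}: legacy OAI principal still allowed")
        if CLOUDFRONT_SERVICE in _as_list(principal.get("Service", [])):
            cond = stmt.get("Condition", {}).get("StringEquals", {})
            # Condition keys are case-insensitive in IAM; accept either spelling.
            source_arn = cond.get("AWS:SourceArn", cond.get("aws:SourceArn"))
            if source_arn is None:
                findings.append(f"{sid}: cloudfront.amazonaws.com allowed without AWS:SourceArn condition")
            elif expected_distribution_arn not in _as_list(source_arn):
                findings.append(f"{sid}: AWS:SourceArn does not name the expected distribution")
    return findings


# Constructed "before" policy: a legacy OAI grant plus a public-read statement.
LEGACY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "LegacyOAI",
            "Effect": "Allow",
            "Principal": {"AWS": OAI_PRINCIPAL_PREFIX + " EXAMPLEOAIID"},
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::your-bucket-name/*",
        },
        {
            "Sid": "PublicRead",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::your-bucket-name/*",
        },
    ],
}

if __name__ == "__main__":
    dist_arn = "arn:aws:cloudfront::111122223333:distribution/E123ABCDEF456G"
    print("legacy policy findings:", audit_bucket_policy(LEGACY_POLICY, dist_arn))
    oac = build_oac_policy("your-bucket-name", "111122223333", "E123ABCDEF456G")
    print(json.dumps(oac, indent=2))
    print("OAC policy findings:", audit_bucket_policy(oac, dist_arn))
```

To audit a live bucket, feed `audit_bucket_policy` the parsed output of `aws s3api get-bucket-policy`; an empty findings list means every Allow statement is either unrelated to CloudFront or is the scoped OAC grant.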