S3 static website with CloudFront restricted to specific IP range using custom header
I would like to deploy to a website to a S3 bucket and use static website hosting. However, I have some strict security restrictions:
- HTTPS must be used
- Access to the website must be restricted to a specific IP range
Here is my plan:
- Use AWS WAF to restrict the IPs that can access the website
- Use CloudFront to leverage HTTPS
- Format the CloudFront distribution to forward a custom header that will act like an access key to S3
- Restrict the S3 bucket security policy to only allow traffic that includes the custom header from CloudFront mentioned above.
Here is a diagram:
I have one big concern though: Is forwarding a custom header between CloudFront really the best way to do this? AWS docs say that an Origin Access Identity can't be used for S3 buckets that act as a website (https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-restricting-access-to-s3.html). The custom header seems less secure than an Origin Access Identity and much harder to maintain. It makes me uncomfortable using a random string as the only security preventing someone from bypassing my CloudFront distribution and directly accessing the S3 bucket. If a malicious party guesses the
My other option here is to just bite the bullet and move to servers where I have more control over a lot of the security but I would like to leverage the convenience of an S3 website.
You should remove the website configuration from your S3 bucket and use Origin Access Identity. The rest of your setup is fine.
You don't need to configure your S3 bucket as a website endpoint because you are not going to serve your content directly via S3. With the Origin Access Identity, your bucket will be available only from CloudFront (unless you add something else in the bucket policy) and this is what you want.
- HTTP requests not working on aws ec2
- Amazon EC2 and EBS disk space problem
- How do I enable Data API?
- CDK Pipelines - Migrating a database in the pipeline
- Do environment variables in ECS Fargate task definitions support interpolation?
- Upgrading AWS RDS aurora from serverless v1 to serverless v2 using terraform
- AWS IAM user not able to see Billing and Cost Management Dashboard
- Amazon S3 - How to fix 'The request signature we calculated does not match the signature' error?
- Deleting last element in a DynamoDB string set
- AWS CLI on Windows won't work though using double quotes and escapes
- How to resolve 'Step Functions State Machine is not authorized to create managed-rule'?
- Understanding SQS message receive amount
- AWS Glue JDBC Connection created using Cloud Formation is not setting the password
- CloudFront charges after you invalidate your distribution over 1,000 times, does the count reset each month?
- AWS Cognito federated user login not allowing to sign in as different user after log out
- AWS s3 V3 Javascript SDK stream file from bucket (GetObjectCommand)
- Provide AWS Lex response in Hyperlink format
- Fixing yaml indentation with python
- Generate S3 URL in "path-style" format
- Trying to find the ARN pattern for AWS WAF regional
- AWS cognito: What's the difference between Access and Identity tokens?
- virtually isolate the network in the same AWS Cloud Account
- AWS start sandbox from tutorial
- Can I stop a spot instance in aws just like I can stop and start an on demand ec2 instance
- FastAPI app works locally, but /blogs endpoint causes redirect loop on AWS Lambda deployment
- Get pdftotext Python module running on Lambda
- Kubernetes: how to set VolumeMount user group and file permissions
- Invalid arn error for terraform code with kms data resource
- Unable to import module 'src.main': No module named 'dependencies' when uploading FastAPI zipped project to AWS Lambda
- Unable to update AWS AppRunner VPC connector via CDK