I have seen guides for allowing AWS users to make a bucket private but serve some of its objects through CloudFront. I have been trying to do the same with an entire static site hosted in an S3 bucket, and nothing seems to be working. But I can't find anything explicitly telling me it's not possible.
Is it possible to use the S3 static website hosting feature in a private bucket? Could users only access the site via the CloudFront distribution, but not by going to the S3 bucket URLs proper?
First of all, OAI does not work when you use the S3 static website feature.
The best way to do what you want is to add a custom header in CloudFront. Generate a long, complex string as if it were a password and pass it in the Referer header.
Then add a bucket policy that lets everybody (principal: "*") perform a GetObject, on the condition that the specific header is present.
Example of a bucket policy:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Allow get requests originating from your Cloudfront distribution.",
            "Effect": "Allow",
            "Principal": "*",
            "Action": ["s3:GetObject", "s3:GetObjectVersion"],
            "Resource": "arn:aws:s3:::YOUR_BUCKET_NAME/*",
            "Condition": {
                "StringLike": {"aws:Referer": "9vzeMAVjTKCWXjbBNFsCnNRsPKqMYk6achgLXu5S"}
            }
        }
    ]
}
Don't forget to disable the S3 public access block feature on your bucket.
You can find a more complete guide here: https://aws.amazon.com/premiumsupport/knowledge-center/cloudfront-serve-static-website/?nc1=h_ls
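As an added example that is not part of the answer above: a small simulation of how S3 evaluates the policy's StringLike condition on aws:Referer, so you can see which requests the bucket will serve (direct requests without the header are denied), plus a generator for the secret and a sanity check on it. The bucket name, object key and the secret value are placeholders copied from the post, and the evaluator only implements the condition key this policy uses.

```python
import re
import secrets

# Constructed copy of the answer's policy; the secret is the placeholder value from the post.
REFERER_SECRET = "9vzeMAVjTKCWXjbBNFsCnNRsPKqMYk6achgLXu5S"
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:GetObjectVersion"],
        "Resource": "arn:aws:s3:::YOUR_BUCKET_NAME/*",
        "Condition": {"StringLike": {"aws:Referer": REFERER_SECRET}},
    }],
}

def generate_referer_secret(nbytes: int = 32) -> str:
    """Random URL-safe token to paste into the CloudFront custom origin header."""
    return secrets.token_urlsafe(nbytes)

def string_like(pattern: str, value) -> bool:
    """IAM StringLike: case-sensitive; '*' and '?' are the only wildcards.
    A missing condition key (no Referer header at all) never matches."""
    if value is None:
        return False
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value) is not None

def is_allowed(policy: dict, action: str, resource_arn: str, headers: dict) -> bool:
    """Allow only when an Allow statement matches action, resource and every condition."""
    hdrs = {k.lower(): v for k, v in headers.items()}   # header names are case-insensitive
    keys = {"aws:Referer": hdrs.get("referer")}          # only condition key this policy uses
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow" or action not in stmt["Action"]:
            continue
        if not string_like(stmt["Resource"], resource_arn):
            continue
        cond = stmt.get("Condition", {}).get("StringLike", {})
        if all(string_like(pat, keys.get(key)) for key, pat in cond.items()):
            return True
    return False

def secret_is_sound(secret: str) -> bool:
    """Reject short secrets or ones containing StringLike wildcards, which would widen the match."""
    return len(secret) >= 32 and not any(c in secret for c in "*?")

OBJ = "arn:aws:s3:::YOUR_BUCKET_NAME/index.html"
if __name__ == "__main__":
    print(is_allowed(BUCKET_POLICY, "s3:GetObject", OBJ, {"Referer": REFERER_SECRET}))  # True
    print(is_allowed(BUCKET_POLICY, "s3:GetObject", OBJ, {}))                           # False
```

Treat the header value as a credential: anyone who learns it can fetch objects from the website endpoint directly, so rotate it in both CloudFront and the policy if it leaks.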