Tags: amazon-web-services, amazon-s3, amazon-cloudfront, amazon-ecs, amazon-route53

ECS ingress rule only for S3 bucket


I am hosting a web application using AWS. The frontend client code is in an S3 bucket. A CloudFront distribution points to the S3 bucket. A Route53 DNS record points to the CloudFront distribution.

The backend server code runs on ECS. I want to lock down the ECS service to only accept requests from the S3 bucket. The security group ingress rule only allows specifying a CIDR block for IP addresses, but I only see hostnames in S3, CloudFront, and Route53.

Is this possible to do?


Solution

  • the backend server code runs on ECS. I want to lock down the ECS service to only accept requests from the S3 bucket.

    People in the comments are right, I will try to explain.

    In this setup you usually have a static part (hosted on S3) and the backend services - implemented on ECS in your case. The requests to the ECS services are coming from the client's browser, not from S3.

    Therefore, if the application is intended for the public internet, you have no real means to "lock down" the services only for the application. You could restrict the network access if you have some subnet range, e.g. for your home, school, company, etc.

    What is often done is letting the services return CORS headers, e.g.:

    access-control-allow-methods: OPTIONS,POST
    access-control-allow-origin: https://mysite.example.com
    

    It depends on why you are asking for it and what you want to achieve.

    That forces users' browsers to accept the response only when the request is sent from the specific site (preventing cross-site requests). However, there are no means to prevent/limit requests not coming from a browser, such as bots or malicious actors.

    If it's an application requiring authentication, then you could use a presigned cookie to allow only authenticated users.
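The following is an added example, not code from the question or the answer above: a minimal stdlib-only Python WSGI backend that returns the CORS headers the answer shows, reflecting the origin only when it exactly matches an allow-list. The origin https://mysite.example.com and the method list come from the answer; the `/api` path, the `Access-Control-Allow-Headers` value and the helper names (`cors_headers`, `call`) are assumptions of this example. It also shows the answer's caveat concretely: a POST with a foreign (or missing) Origin header is still processed and answered with 200, and only the browser withholds that response from the page, so CORS is not a server-side access control.

```python
"""Added example: CORS allow-list for a backend API behind a static S3/CloudFront site.
Only the allowed origin is echoed back; unknown origins get no CORS headers at all.
"""
from wsgiref.simple_server import make_server

# Browser origin(s) permitted to call this API (value taken from the answer above).
ALLOWED_ORIGINS = {"https://mysite.example.com"}
ALLOWED_METHODS = "OPTIONS,POST"


def cors_headers(origin):
    """Return the CORS response headers for a request carrying `origin`.

    Only an exact allow-list match is reflected back: never echo an arbitrary
    Origin and never use "*" on an endpoint that relies on cookies or tokens.
    An empty dict means the browser will block the cross-origin response.
    """
    if origin not in ALLOWED_ORIGINS:
        return {}
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Methods": ALLOWED_METHODS,
        # Assumed header allow-list for the preflight; adjust to the real API.
        "Access-Control-Allow-Headers": "Content-Type,Authorization",
        # Caches must key on Origin so one origin's headers are not served to another.
        "Vary": "Origin",
    }


def app(environ, start_response):
    """WSGI entry point: answer the CORS preflight and a single POST endpoint."""
    origin = environ.get("HTTP_ORIGIN", "")
    method = environ["REQUEST_METHOD"]
    headers = cors_headers(origin)
    if method == "OPTIONS":
        # Preflight: no body, just the policy (nothing at all for unknown origins).
        start_response("204 No Content", list(headers.items()))
        return [b""]
    if method != "POST":
        start_response("405 Method Not Allowed", [("Allow", ALLOWED_METHODS)])
        return [b"method not allowed\n"]
    # NOTE: the request is processed regardless of Origin. CORS only decides
    # whether a *browser* lets the calling page read this response; non-browser
    # clients are unaffected, which is the limitation the answer describes.
    start_response("200 OK", [("Content-Type", "application/json"), *headers.items()])
    return [b'{"ok": true}\n']


def call(method, origin=None):
    """Invoke `app` with a constructed WSGI environ; return (status, headers, body)."""
    environ = {
        "REQUEST_METHOD": method,
        "PATH_INFO": "/api",  # assumed endpoint path
        "SERVER_NAME": "localhost",
        "SERVER_PORT": "8080",
        "wsgi.url_scheme": "http",
    }
    if origin is not None:
        environ["HTTP_ORIGIN"] = origin
    captured = {}

    def start_response(status, response_headers):
        captured["status"] = status
        captured["headers"] = dict(response_headers)

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    # Run locally and send a POST with an Origin header to see the behaviour.
    with make_server("127.0.0.1", 8080, app) as httpd:
        print("serving on http://127.0.0.1:8080/api")
        httpd.serve_forever()
```

Running `call("POST", "https://attacker.example")` returns `200 OK` with no `Access-Control-Allow-Origin` header: the server did the work, the browser just refuses to hand the result to that page. For real enforcement of who may call the API, pair this with the authentication the answer mentions; CORS alone only shapes browser behaviour.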