Is it possible to hide an AWS S3 Bucket Website Endpoint that is served by a cloud front distribution?
Background:
What I've done:
- create an s3 bucket that enables static web page hosting
- most files live inside the bucket via an AWS CodePipeline x GitHub pipeline.
- permissions allowed:
- only the bottom public access box is unticked (thus allowing it).
- Policy-wise: public read only access to the bucket, as well as read only access to cloud front distribution.
created and registered a domain
got an ssl certificate from ACM, creatied the relevant CNAME records.
Created the cloud front distribution with origin as the website endpoint, and recognizing all domains that have CNAMEs in the hosted zone for the domain/acm cert.
The problem:
The S3 bucket website endpoint is still accessible (and unsecured). I would like to only have the registered domain (and cloud front url, if necessary) accessible - I'm trying to remove the s3 bucket website endpoint for public access in browsers.
# What I've tried:
- Limiting bucket policy to only allow cloud front access
- Creating OAC (origin access control) but do not seem to have that option in origin settings when using the s3 endpoint
- Recreating the distribution to try and use OAC but I could not include the s3 bucket endpoint in the ACM cert for rerouting / any CNAME stuff. (ik ik, but had to try)
# Current Thoughts:
- I have hit a wall for the time being.
this is my first post so sorry about any formatting issues.
Yes, you can hide/disable the S3 Website Endpoint and use a private bucket as the origin for CloudFront Distribution.
Your thought process is correct.
- You need an S3 bucket with a bucket policy allowing the CloudFront Origin Access Identity (OAI) to be used to restrict access to the bucket
- SSL certs will live in the CloudFront Distribution
To make sure everything is working, we can go back to the beginning:
- Create a s3 bucket and make it private (no public access)
- Create a cloudfront distribution
- Create the cloudfront OAI
- Allow the OAI to access the bucket (update the bucket policy)
- Using the cloudfront distribution URL verify you can access the assets in the bucket
- Add the SSL/Custom Domain name to CloudFront
Here are some step-by-step tutorials about how to do it:
- https://medium.com/tensult/creating-aws-cloudfront-distribution-with-s3-origin-ee47b8122727
- https://www.stormit.cloud/blog/cloudfront-origin-access-identity/
- https://aws.amazon.com/blogs/networking-and-content-delivery/amazon-s3-amazon-cloudfront-a-match-made-in-the-cloud/
- https://dinocloud.co/how-to-deploy-a-static-website-on-amazon-s3/
If you are using infrastructure-as-code via CDK, I have a construct example:
You can extend it and add your custom domain/SSL as needed.
- Upload via presigned request - 403 forbidden for Unicode Filename
- Best practices for developing scalable video transcoding server on Amazon Web Services?
- Enable compression for AWS SQS Java API or how to tell if it's already on?
- Getting no basic auth credential from AWS ECR when pulling image
- How to load npm modules in AWS Lambda?
- Amazon EFS vs S3: Which is better for appending small chunks of data to large files?
- Is there a way to delay DynamoDB stream emissions while nearly parallel data is upserted to a record?
- Push docker image to amazon ecs repository
- AWS SSM Agent - Using the aws cli, is there a way to list all the AWS instances that are missing the SSM agent?
- CloudFormation is not authorized to perform: iam:PassRole on resource
- S3 - Access-Control-Allow-Origin Header
- How to run AWS codeartifact login and keep default registry
- aws s3api restore-object permission error
- AWS Amplify Functions allow.resource() not working
- Is it possible to enrich a message on an sqs queue
- Does EKS Auto Mode use AWS Load Balancer Controller?
- kubectl error You must be logged in to the server (Unauthorized) when accessing EKS cluster
- AWS Elasticache -- How to flush node from console?
- How to parameterize prevent_destroy lifecycle configuration in Terraform?
- RDS instance start: which subnet/AZ is selected?
- Connection refused error (127.0.0.1:4566) for Localstack S3
- Problem with file directory link in amazon s3
- Can I use aws-advanced-jdbc-wrapper with MySQL?
- Creating Lambda Snapstart with Typescript CDK
- How to force SQL Server container to immediately update MDF file in Docker volume?
- AWS Cloudwatch agent config file removed after startup
- AWS lambda SQS does not allow to process 1 message per 1 invocation
- How can I create a TLS/SSL connection to a mongodb instance on AWS with a certificate made by certificate manager? Health check failed
- Cloudfront redirect when signed cookies not present
- AWS Lambda and DynamoDB - updatetItem is not a function