Understanding AWS Cloudfront’s origin access identifiers

I do not really understand the security behind AWS Cloudfront’s OAI. The only thing it does is switch the bucket’s domain.
Instead of accessing the bucket with https://s3.amazonaws.com/[Bucket]/* it just switches it with your domain.

But again anyone can browse that bucket/folder knowing the CF domain.

Am I missing something? I know you can add a lambda function at the viewer request side to limit access from a certain app. But how can I prevent users from just trying random URLs? And I don’t think it’s good practice to do authentication and to check if that user should have access to the resource on each request.

So what are good practices to restrict my users to only access the resources that they are allowed to view?

Answer

The purpose of Origin Access Identity is to prevent users from directly accessing the S3 Bucket. Instead they have to go through CloudFront; the origin S3 Bucket won’t permit access to anyone accessing it directly.

Some reasons for enforcing access through CloudFront:

  • Caching at the edge (transfer from CloudFront is cheaper than from S3, and it’s also closer to the user)
  • Authentication through Lambda at the edge
  • WAF enforcement

If you want to restrict access to individual objects within your bucket you should consider using Signed URLs – for example, when the user logs in to your website you’ll provide his documents through pre-signed URLs, perhaps with some expiration limit.

The best practice is to have a separate bucket for public objects (e.g. website assets – images, css, html) and a different one for private objects that need authentication (e.g. customers’ documents).

See here for S3 Pre-signed URL example

Update:

You can also use Lambda at the edge for authentication as described here: Use Lambda@Edge to Enhance Web Application Security

Which one to use depends on your use case. Pre-signed URLs are shareable and can be time-limited; Lambda@Edge authenticated URLs won’t be shareable and will require the user to log in. Depends on what you need.

Hope that helps 🙂
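To make the answer's per-object recommendation concrete, here is an added, stdlib-only illustration of what an S3 pre-signed GET URL is and why it restricts access to exactly one object for a bounded time. This is example code written for this page, not code from the answer, from AWS, or from boto3 (which does the same signing for you via `generate_presigned_url`). It assumes a virtual-hosted-style bucket endpoint, signs only the `Host` header as the SDKs do for a plain GET, and uses constructed placeholder credentials; the `verify_get` function stands in for the check S3 performs server-side so the properties can be demonstrated offline.

```python
"""Minimal AWS SigV4 pre-signed GET URL generator and verifier (stdlib only).

Added example for this page, not code from the original answer or from AWS.
Assumes a virtual-hosted-style endpoint ({bucket}.s3.{region}.amazonaws.com)
and signs only the Host header. Credentials below are constructed placeholders.
"""
import hashlib
import hmac
import urllib.parse
from datetime import datetime, timedelta, timezone

ALGORITHM = "AWS4-HMAC-SHA256"
# Fixed clock for the stand-alone demo so the output is reproducible.
EXAMPLE_TIME = datetime(2024, 1, 15, 12, 0, 0, tzinfo=timezone.utc)


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def _signing_key(secret: str, date: str, region: str) -> bytes:
    # SigV4 key derivation chain: secret -> date -> region -> service -> terminal.
    k = _hmac(("AWS4" + secret).encode(), date)
    k = _hmac(k, region)
    k = _hmac(k, "s3")
    return _hmac(k, "aws4_request")


def _canonical_query(params: dict) -> str:
    # Keys and values percent-encoded (only A-Za-z0-9-_.~ unescaped), sorted by key.
    return "&".join(
        f"{urllib.parse.quote(k, safe='')}={urllib.parse.quote(v, safe='')}"
        for k, v in sorted(params.items())
    )


def _signature(secret: str, host: str, key: str, params: dict) -> str:
    # Canonical request: method, URI, query, headers, blank line, signed headers, payload hash.
    canonical_request = "\n".join([
        "GET",
        "/" + urllib.parse.quote(key),
        _canonical_query(params),
        f"host:{host}\n",
        "host",
        "UNSIGNED-PAYLOAD",
    ])
    _, date, region, _, _ = params["X-Amz-Credential"].split("/")
    scope = f"{date}/{region}/s3/aws4_request"
    string_to_sign = "\n".join([
        ALGORITHM,
        params["X-Amz-Date"],
        scope,
        hashlib.sha256(canonical_request.encode()).hexdigest(),
    ])
    return hmac.new(_signing_key(secret, date, region),
                    string_to_sign.encode(), hashlib.sha256).hexdigest()


def presign_get(bucket, key, access_key, secret, region, expires=900, now=None):
    """Return a time-limited URL that grants GET on exactly one object."""
    now = now or datetime.now(timezone.utc)
    host = f"{bucket}.s3.{region}.amazonaws.com"
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    params = {
        "X-Amz-Algorithm": ALGORITHM,
        "X-Amz-Credential": f"{access_key}/{amz_date[:8]}/{region}/s3/aws4_request",
        "X-Amz-Date": amz_date,
        "X-Amz-Expires": str(expires),
        "X-Amz-SignedHeaders": "host",
    }
    # The signature covers the object key, the query parameters above and the host.
    params["X-Amz-Signature"] = _signature(secret, host, key, params)
    return f"https://{host}/{urllib.parse.quote(key)}?{_canonical_query(params)}"


def verify_get(url, secret, now=None):
    """Stand-in for S3's check: recompute the signature, then enforce the expiry."""
    now = now or datetime.now(timezone.utc)
    parsed = urllib.parse.urlsplit(url)
    params = dict(urllib.parse.parse_qsl(parsed.query, keep_blank_values=True))
    presented = params.pop("X-Amz-Signature", "")
    key = urllib.parse.unquote(parsed.path.lstrip("/"))
    try:
        expected = _signature(secret, parsed.netloc, key, params)
        signed_at = datetime.strptime(params["X-Amz-Date"], "%Y%m%dT%H%M%SZ")
        ttl = int(params["X-Amz-Expires"])
    except (KeyError, ValueError):
        return False, "malformed"
    if not hmac.compare_digest(presented, expected):
        return False, "signature mismatch"
    if now > signed_at.replace(tzinfo=timezone.utc) + timedelta(seconds=ttl):
        return False, "expired"
    return True, "ok"


if __name__ == "__main__":
    # Constructed demo values; the secret is a placeholder, not a real key.
    url = presign_get("customer-docs", "invoices/42.pdf", "AKIAEXAMPLE",
                      "PLACEHOLDER-SECRET", "eu-west-1", now=EXAMPLE_TIME)
    print(url)
    print(verify_get(url, "PLACEHOLDER-SECRET", now=EXAMPLE_TIME))
    print(verify_get(url.replace("42.pdf", "43.pdf"), "PLACEHOLDER-SECRET", now=EXAMPLE_TIME))
```

The point the answer makes falls out of the code: the signature is bound to the object key, the expiry and the date, so a user who edits the path to "try random URLs" or stretches `X-Amz-Expires` gets a signature mismatch, and once the window passes the URL is dead. It also shows why such URLs are shareable: anyone holding the string can use it until expiry, so keep lifetimes short and issue them only after your own login check, as the answer suggests.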

Attribution
Source: Link, Question Author: Zaid Amir, Answer Author: MLu