01 Run the get-distribution-config command (OSX/Linux/UNIX) to extract the configuration metadata of the CloudFront distribution that you want to reconfigure (see Audit section part II to identify the right resource). The following command returns the configuration details of an AWS CloudFront CDN distribution identified by the ID E7GGTQ8UCFC4G:
aws cloudfront get-distribution-config \
  --id E7GGTQ8UCFC4G
02 The command output should return the selected distribution metadata:
{
  "ETag": "E1VEIGDP0YISPR",
  "DistributionConfig": {
    "Comment": "",
    "CacheBehaviors": {
      "Quantity": 0
    },
    "IsIPV6Enabled": true,
    "Origins": {
      "Items": [
        {
          "S3OriginConfig": {
            "OriginAccessIdentity": ""
          },
          "OriginPath": "/static",
          "CustomHeaders": {
            "Quantity": 0
          },
          "Id": "S3-cloudconformity-web-assets",
          "DomainName": "cloudconformity-web-assets..."
        }
      ],
      "Quantity": 1
    },
    ...
    "CallerReference": "1495036941163",
    "ViewerCertificate": {
      "CloudFrontDefaultCertificate": true,
      "MinimumProtocolVersion": "SSLv3",
      "CertificateSource": "cloudfront"
    },
    "CustomErrorResponses": {
      "Quantity": 0
    },
    "HttpVersion": "http2",
    "Restrictions": {
      "GeoRestriction": {
        "RestrictionType": "none",
        "Quantity": 0
      }
    },
    "Aliases": {
      "Quantity": 0
    }
  }
}
03 Modify the configuration returned at the previous step to enable origin access identity for the S3 bucket used as origin by providing a unique identifier/comment for the OriginAccessIdentity attribute, e.g. "OriginAccessIdentity": "access-identity-cloudconformity-web-assets.s3.amazonaws.com", then save the new configuration in a JSON document named cloudfront-distconfig-enable-oai.json:
{
  "ETag": "E1VEIGDP0YISPR",
  "DistributionConfig": {
    "Comment": "",
    "CacheBehaviors": {
      "Quantity": 0
    },
    "IsIPV6Enabled": true,
    "Logging": {
      "Bucket": "",
      "Prefix": "",
      "Enabled": false,
      "IncludeCookies": false
    },
    "WebACLId": "",
    "Origins": {
      "Items": [
        {
          "S3OriginConfig": {
            "OriginAccessIdentity": "access-identity-cloudconformity-web-assets.s3.amazonaws.com"
          },
          "OriginPath": "",
          "CustomHeaders": {
            "Quantity": 0
          },
          "Id": "S3-cloudconformity-web-assets",
          "DomainName": "cloudconformity-web-assets.s3.amazonaws.com"
        }
      ],
      "Quantity": 1
    },
    "DefaultRootObject": "",
    "PriceClass": "PriceClass_All",
    "Enabled": true,
    "DefaultCacheBehavior": {
      "TrustedSigners": {
        "Enabled": false,
        "Quantity": 0
      },
      "LambdaFunctionAssociations": {
        "Quantity": 0
      },
      "TargetOriginId": "S3-cloudconformity-web-assets",
      "ViewerProtocolPolicy": "allow-all",
      "ForwardedValues": {
        "Headers": {
          "Quantity": 0
        },
        "Cookies": {
          "Forward": "none"
        },
        "QueryStringCacheKeys": {
          "Quantity": 0
        },
        "QueryString": false
      },
      "MaxTTL": 31536000,
      "SmoothStreaming": false,
      "DefaultTTL": 86400,
      "AllowedMethods": {
        "Items": [
          "HEAD",
          "GET"
        ],
        "CachedMethods": {
          "Items": [
            "HEAD",
            "GET"
          ],
          "Quantity": 2
        },
        "Quantity": 2
      },
      "MinTTL": 0,
      "Compress": false
    },
    "CallerReference": "1495036941163",
    "ViewerCertificate": {
      "CloudFrontDefaultCertificate": true,
      "MinimumProtocolVersion": "SSLv3",
      "CertificateSource": "cloudfront"
    },
    "CustomErrorResponses": {
      "Quantity": 0
    },
    "HttpVersion": "http2",
    "Restrictions": {
      "GeoRestriction": {
        "RestrictionType": "none",
        "Quantity": 0
      }
    },
    "Aliases": {
      "Quantity": 0
    }
  }
}
04 Run the update-distribution command (OSX/Linux/UNIX) to update your AWS CloudFront distribution in order to enable origin access identity and restrict user access to the S3 bucket used as distribution origin. The following command example updates an AWS CloudFront CDN web distribution with the ID E7GGTQ8UCFC4G and the ETag E1VEIGDP0YISPR (the ETag is the version identifier returned when a CDN distribution configuration is retrieved, and is passed via --if-match so the update applies only to that version), using the JSON configuration document named cloudfront-distconfig-enable-oai.json, created at the previous step:
aws cloudfront update-distribution \
  --id E7GGTQ8UCFC4G \
  --distribution-config file://cloudfront-distconfig-enable-oai.json \
  --if-match E1VEIGDP0YISPR
05 The command output should return the configuration metadata for the updated CloudFront CDN distribution:
{
  "Distribution": {
    "Status": "InProgress",
    "InProgressInvalidationBatches": 0,
    "DistributionConfig": {
      "CacheBehaviors": {
        "Quantity": 0
      },
      "WebACLId": "",
      "Origins": {
        "Items": [
          {
            "S3OriginConfig": {
              "OriginAccessIdentity": "access-identity-cloudconformity-web-assets.s3.amazonaws.com"
            },
            "OriginPath": "",
            "CustomHeaders": {
              "Quantity": 0
            },
            "Id": "S3-cloudconformity-web-assets",
            "DomainName": "cloudconformity-web-assets.s3.amazonaws.com"
          }
        ],
        "Quantity": 1
      },
      ...
      "ViewerCertificate": {
        "CloudFrontDefaultCertificate": true,
        "MinimumProtocolVersion": "SSLv3",
        "CertificateSource": "cloudfront"
      },
      "CustomErrorResponses": {
        "Quantity": 0
      },
      "HttpVersion": "http2",
      "Restrictions": {
        "GeoRestriction": {
          "RestrictionType": "none",
          "Quantity": 0
        }
      },
      "Aliases": {
        "Quantity": 0
      }
    },
    "LastModifiedTime": "2017-05-17T11:15:33.873Z",
    "Id": "E7GGTQ8UCFC4G"
  },
  "ETag": "E1VEIGDP0YISPR"
}
06 Repeat steps 1 – 5 to enable origin access identity for the other CloudFront CDN distributions available in your account using the AWS CLI.
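Steps 1 – 5 above are a manual edit of one distribution's configuration. The script below is an added example, not part of the original procedure and not Cloud Conformity's or AWS's own code: it performs the audit (which S3 origins of a distribution have no OAI) and the configuration change (steps 02 – 04) on get-distribution-config output. It assumes an Origin Access Identity already exists and refers to it through a placeholder ID, written in the `origin-access-identity/cloudfront/<OAI-ID>` form the CloudFront API accepts for the OriginAccessIdentity attribute, and it writes only the inner DistributionConfig object to the file passed to `--distribution-config file://`, with the ETag kept separately for `--if-match` as in step 04. The sample response is constructed from the step 02 output, with a second, custom (non-S3) origin added to show that the audit skips origins an OAI does not apply to.

```python
import json
from typing import Any, Dict, List, Tuple

# Constructed sample: an abridged get-distribution-config response modelled on
# the step 02 output. The "..." elision is filled with only the fields needed
# for valid JSON; this is not a real distribution.
SAMPLE_GET_DISTRIBUTION_CONFIG = json.dumps({
    "ETag": "E1VEIGDP0YISPR",
    "DistributionConfig": {
        "CallerReference": "1495036941163",
        "Comment": "",
        "Enabled": True,
        "Origins": {
            "Quantity": 2,
            "Items": [
                {
                    "Id": "S3-cloudconformity-web-assets",
                    "DomainName": "cloudconformity-web-assets.s3.amazonaws.com",
                    "OriginPath": "/static",
                    "CustomHeaders": {"Quantity": 0},
                    "S3OriginConfig": {"OriginAccessIdentity": ""},
                },
                {
                    # Constructed custom (non-S3) origin: no S3OriginConfig key,
                    # so an OAI does not apply and the audit must skip it.
                    "Id": "Custom-api-origin",
                    "DomainName": "api.example.com",
                    "OriginPath": "",
                    "CustomHeaders": {"Quantity": 0},
                    "CustomOriginConfig": {
                        "HTTPPort": 80,
                        "HTTPSPort": 443,
                        "OriginProtocolPolicy": "https-only",
                    },
                },
            ],
        },
        "DefaultCacheBehavior": {
            "TargetOriginId": "S3-cloudconformity-web-assets",
            "ViewerProtocolPolicy": "allow-all",
        },
    },
})

# Placeholder ID of an Origin Access Identity assumed to exist already
# (created beforehand, e.g. with create-cloud-front-origin-access-identity).
OAI_ID_PLACEHOLDER = "EXAMPLE_OAI_ID"


def s3_origins_without_oai(config: Dict[str, Any]) -> List[str]:
    """Audit: return the IDs of S3 origins whose OriginAccessIdentity is empty.

    Origins without an S3OriginConfig key are custom origins, not buckets,
    so they are skipped rather than reported.
    """
    missing = []
    for origin in config.get("Origins", {}).get("Items", []):
        s3_cfg = origin.get("S3OriginConfig")
        if s3_cfg is not None and not s3_cfg.get("OriginAccessIdentity"):
            missing.append(origin["Id"])
    return missing


def audit_output(get_config_output: str) -> List[str]:
    """Run the audit directly on raw get-distribution-config output."""
    return s3_origins_without_oai(json.loads(get_config_output)["DistributionConfig"])


def build_update_payload(get_config_output: str, oai_id: str) -> Tuple[str, Dict[str, Any]]:
    """Prepare the two inputs of update-distribution from get-distribution-config output.

    Returns (etag, distribution_config): the ETag goes to --if-match, and the
    inner DistributionConfig object (without the ETag wrapper) is what
    --distribution-config file:// expects. Every S3 origin lacking an OAI gets
    the reference in the form origin-access-identity/cloudfront/<OAI-ID>.
    """
    response = json.loads(get_config_output)
    etag = response["ETag"]
    config = response["DistributionConfig"]
    oai_ref = f"origin-access-identity/cloudfront/{oai_id}"
    for origin in config["Origins"]["Items"]:
        s3_cfg = origin.get("S3OriginConfig")
        if s3_cfg is not None and not s3_cfg.get("OriginAccessIdentity"):
            s3_cfg["OriginAccessIdentity"] = oai_ref
    return etag, config


def write_payload_file(config: Dict[str, Any],
                       path: str = "cloudfront-distconfig-enable-oai.json") -> str:
    """Write the DistributionConfig to the JSON file used in step 04."""
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(config, fh, indent=2)
    return path


if __name__ == "__main__":
    # Stand-alone run on the constructed sample; with a real distribution, feed
    # it the output of `aws cloudfront get-distribution-config --id <ID>` instead.
    print("S3 origins without OAI:", audit_output(SAMPLE_GET_DISTRIBUTION_CONFIG))
    etag, config = build_update_payload(SAMPLE_GET_DISTRIBUTION_CONFIG, OAI_ID_PLACEHOLDER)
    path = write_payload_file(config)
    print("Now run:")
    print(f"aws cloudfront update-distribution --id E7GGTQ8UCFC4G "
          f"--distribution-config file://{path} --if-match {etag}")
```

Run it on the real output of step 01 (piped into `json.loads` in place of the sample) to get the file for step 04 and the ETag for `--if-match`; because `--if-match` is a conditional update, a stale ETag is rejected rather than overwriting a configuration changed in the meantime. The OAI only restricts access once the bucket policy of the origin bucket grants that identity s3:GetObject and public read access is removed, so check the bucket policy as part of the same change.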