Enable Origin Access Identity for CloudFront Distributions with S3 Origin

Risk level: Medium (should be achieved)

Ensure that the origin access identity feature is enabled for all your AWS Cloudfront CDN distributions that utilize an S3 bucket as an origin in order to restrict any direct access to your objects through Amazon S3 URLs.

Security

When your Amazon Cloudfront CDN distributions are using AWS S3 as an origin, the distributions content should be kept private and delivered only via Cloudfront network, using an origin access identity to regulate access. With origin access identity enabled, your Amazon Cloudfront distributions can be much more cost effective if your users access your objects frequently as the price for CloudFront data transfer is lower than the price for S3 data transfer. In addition, downloads are faster when only the CloudFront service is used to deliver your application objects instead of S3 because the objects are copied to all edge locations within the distribution in order to be stored closer to your users.

Audit

To determine if origin access identity is enabled for your Cloudfront distributions configured with S3 as origin, perform the following:

Using AWS Console

01 Login to the AWS Management Console.

02 Navigate to Cloudfront dashboard at https://console.aws.amazon.com/cloudfront/.

03 On the Distributions page, select the CDN distribution that you want to examine.

04 Click the Distribution Settings button from the dashboard top menu to access the selected distribution configuration page.

05 On the Origins tab, select the entry that has the Origin Type set to S3 Origin, then click the Edit button.

06 On the Origin Settings page, verify the Restrict Bucket Access setting current status. If Restrict Bucket Access is set to No

the access to the S3 bucket used as origin is not restricted, therefore the selected AWS Cloudfront CDN distribution is using an S3 origin without an origin access identity.

07 Repeat step no. 5 and 6 for each origin created for the selected Cloudfront distribution.

08 Repeat steps no. 3 – 7 for each Cloudfront CDN distribution available within your AWS account.

Using AWS CLI

01 Run list-distributions command (OSX/Linux/UNIX) with custom query filters to list the IDs of all Cloudfront distributions available in your AWS account:

aws cloudfront list-distributions
	--output table
	--query 'DistributionList.Items[*].Id'

02 The command output should return a table with the requested distribution IDs, as shown in the example below:

---------------------
| ListDistributions |
+-------------------+
|   E7GGTQ8UCFC4G   |
|   G31A16G5KZMUX   |
|   D8E6G5KZMPDT0   |
+-------------------+

03 Run get-distribution-config command (OSX/Linux/UNIX) using the ID of the distribution that you want to examine as identifier, returned at the previous step, to expose the name of the origin access identity set for each S3 origin entry associated with the selected AWS Cloudfront distribution:

aws cloudfront get-distribution-config
	--id E7GGTQ8UCFC4G
	--query 'DistributionConfig.Origins.Items[*].S3OriginConfig.OriginAccessIdentity'

04 The command output should return the name of the origin access identity set for each available S3 origin or an empty string if the there is no origin access identity currently set for the distribution origin(s):
If the get-distribution-config command output returns an empty string, i.e. "" (as shown in the example above), the selected Amazon Cloudfront CDN distribution is using an S3 origin without an origin access identity, therefore the access to the origin S3 bucket is not secured.

05 Repeat step no. 3 and 4 to examine other CDN distributions available within your AWS account.

Remediation / Resolution

To enable origin access identity for your Cloudfront CDN distribution and restrict the user access to the S3 bucket used as origin, perform the following:

Using AWS Console

01 Login to the AWS Management Console.

02 Navigate to Cloudfront dashboard at https://console.aws.amazon.com/cloudfront/.

03 On the Distributions page, select the CDN distribution that you want to reconfigure (see Audit section part I to identify the right Cloudfront resource).

04 Click the Distribution Settings button from the dashboard top menu to access the configuration page.

05 On the Origins tab, select the entry that has the Origin Type set to S3 Origin, then click the Edit button.

06 On the Origin Settings page, perform the following actions:

Select Yes next to the Restrict Bucket Access setting to enforce application users to always access your AWS S3 origin content using CloudFront URLs instead of S3 URLs.
Select Create a New Identity option next to Origin Access Identity to create the necessary origin access identity for the S3 origin.
In the Comment box, enter a unique comment that you can use later to identify the new origin access identity.
Select Yes, Update Bucket Policy for Grant Read Permissions on Bucket setting to automatically grant read permission to the new origin access identity associated with the distribution S3 origin. When AWS CloudFront updates the origin bucket policy, it does not remove existing permissions so if your application users have permission to access the objects in your origin S3 bucket using S3 URLs, you will need to remove the existing bucket permissions.
Click Yes, Edit to apply the configuration changes and enable origin access identity for the selected Cloudfront distribution.

07 Repeat step no. 5 and 6 to reconfigure other S3 origins associated with the selected Cloudfront distribution.

08 Repeat steps no. 3 – 7 to enable origin access identity for other Cloudfront CDN distributions provisioned in your AWS account.

Using AWS CLI

01 Run get-distribution-config command (OSX/Linux/UNIX) to extract the configuration metadata from the Cloudfront distribution that you want to reconfigure (see Audit section part II to identify the right resource). The following command returns the configuration details of an AWS Cloudfront CDN distribution identified by the ID E7GGTQ8UCFC4G:

aws cloudfront get-distribution-config
	--id E7GGTQ8UCFC4G

02 The command output should return the selected distribution metadata:

{
    "ETag": "E1VEIGDP0YISPR",
    "DistributionConfig": {
        "Comment": "",
        "CacheBehaviors": {
            "Quantity": 0
        },
        "IsIPV6Enabled": true,
        "Origins": {
            "Items": [
                {
                    "S3OriginConfig": {
                        "OriginAccessIdentity": ""
                    },
                    "OriginPath": "/static",
                    "CustomHeaders": {
                        "Quantity": 0
                    },
                    "Id": "S3-cloudconformity-web-assets",
                    "DomainName": "cloudconformity-web-assets..."
                }
            ],
            "Quantity": 1
        },

       ...

        "CallerReference": "1495036941163",
        "ViewerCertificate": {
            "CloudFrontDefaultCertificate": true,
            "MinimumProtocolVersion": "SSLv3",
            "CertificateSource": "cloudfront"
        },
        "CustomErrorResponses": {
            "Quantity": 0
        },
        "HttpVersion": "http2",
        "Restrictions": {
            "GeoRestriction": {
                "RestrictionType": "none",
                "Quantity": 0
            }
        },
        "Aliases": {
            "Quantity": 0
        }
    }
}

03 Modify the configuration information returned at the previous step to enable origin access identity for the S3 bucket used as origin by providing a unique identifier/comment for the OriginAccessIdentity attribute, e.g. "OriginAccessIdentity": "access-identity-cloudconformity-web-assets.s3.amazonaws.com", then save the new configuration in a JSON document named cloudfront-distconfig-enable-oai.json:

{
    "ETag": "E1VEIGDP0YISPR",
    "DistributionConfig": {
        "Comment": "",
        "CacheBehaviors": {
            "Quantity": 0
        },
        "IsIPV6Enabled": true,
        "Logging": {
            "Bucket": "",
            "Prefix": "",
            "Enabled": false,
            "IncludeCookies": false
        },
        "WebACLId": "",
        "Origins": {
            "Items": [
                {
                    "S3OriginConfig": {
                        "OriginAccessIdentity": "access-identity-cloudconformity-web-assets.s3.amazonaws.com"
                    },
                    "OriginPath": "",
                    "CustomHeaders": {
                        "Quantity": 0
                    },
                    "Id": "S3-cloudconformity-web-assets",
                    "DomainName": "cloudconformity-web-assets.s3.amazonaws.com"
                }
            ],
            "Quantity": 1
        },
        "DefaultRootObject": "",
        "PriceClass": "PriceClass_All",
        "Enabled": true,
        "DefaultCacheBehavior": {
            "TrustedSigners": {
                "Enabled": false,
                "Quantity": 0
            },
            "LambdaFunctionAssociations": {
                "Quantity": 0
            },
            "TargetOriginId": "S3-cloudconformity-web-assets",
            "ViewerProtocolPolicy": "allow-all",
            "ForwardedValues": {
                "Headers": {
                    "Quantity": 0
                },
                "Cookies": {
                    "Forward": "none"
                },
                "QueryStringCacheKeys": {
                    "Quantity": 0
                },
                "QueryString": false
            },
            "MaxTTL": 31536000,
            "SmoothStreaming": false,
            "DefaultTTL": 86400,
            "AllowedMethods": {
                "Items": [
                    "HEAD",
                    "GET"
                ],
                "CachedMethods": {
                    "Items": [
                        "HEAD",
                        "GET"
                    ],
                    "Quantity": 2
                },
                "Quantity": 2
            },
            "MinTTL": 0,
            "Compress": false
        },
        "CallerReference": "1495036941163",
        "ViewerCertificate": {
            "CloudFrontDefaultCertificate": true,
            "MinimumProtocolVersion": "SSLv3",
            "CertificateSource": "cloudfront"
        },
        "CustomErrorResponses": {
            "Quantity": 0
        },
        "HttpVersion": "http2",
        "Restrictions": {
            "GeoRestriction": {
                "RestrictionType": "none",
                "Quantity": 0
            }
        },
        "Aliases": {
            "Quantity": 0
        }
    }
}

04 Run update-distribution command (OSX/Linux/UNIX) to update your AWS Cloudfront distribution in order to enable origin access identity and restrict user access to the S3 bucket used as distribution origin. The following command example updates an AWS CloudFront CDN web distribution with the ID E7GGTQ8UCFC4G and the ETag E1VEIGDP0YISPR (an ETag is a header ID exposed when a CDN distribution configuration is retrieved), using the JSON configuration document named cloudfront-distconfig-enable-oai.json, created at the previous step:

aws cloudfront update-distribution
	--id E7GGTQ8UCFC4G
	--distribution-config file://cloudfront-distconfig-enable-oai.json
	--if-match E1VEIGDP0YISPR

05 The command output should return the configuration metadata for the updated Cloudfront CDN distribution:

{
    "Distribution": {
        "Status": "InProgress",
        "InProgressInvalidationBatches": 0,
	    "DistributionConfig": {
	        "CacheBehaviors": {
	            "Quantity": 0
	        },
	        "WebACLId": "",
	        "Origins": {
	            "Items": [
	                {
	                    "S3OriginConfig": {
	                        "OriginAccessIdentity": "access-identity-cloudconformity-web-assets.s3.amazonaws.com"
	                    },
	                    "OriginPath": "",
	                    "CustomHeaders": {
	                        "Quantity": 0
	                    },
	                    "Id": "S3-cloudconformity-web-assets",
	                    "DomainName": "cloudconformity-web-assets.s3.amazonaws.com"
	                }
	            ],
	            "Quantity": 1
	        },

            ...

	        "ViewerCertificate": {
	            "CloudFrontDefaultCertificate": true,
	            "MinimumProtocolVersion": "SSLv3",
	            "CertificateSource": "cloudfront"
	        },
	        "CustomErrorResponses": {
	            "Quantity": 0
	        },
	        "HttpVersion": "http2",
	        "Restrictions": {
	            "GeoRestriction": {
	                "RestrictionType": "none",
	                "Quantity": 0
	            }
	        },
	        "Aliases": {
	            "Quantity": 0
	        }
         },
        "LastModifiedTime": "2017-05-17T11:15:33.873Z",
        "Id": "E7GGTQ8UCFC4G"
    },
    "ETag": "E1VEIGDP0YISPR"
}

06 Repeat steps no. 1 – 5 to enable origin access identity for other Cloudfront CDN distributions available in your account using AWS CLI.

References

AWS Command Line Interface (CLI) Documentation
cloudfront
list-distributions
get-distribution-config
update-distribution

Publication date May 7, 2017

Unlock the Remediation Steps

Free 30-day Trial

Automatically audit your configurations with Conformity
and gain access to our cloud security platform.

No thanks, back to article

You are auditing:

Enable Origin Access Identity for CloudFront Distributions with S3 Origin

Risk level: Medium

Audit

Using AWS Console

Using AWS CLI

Remediation / Resolution

Using AWS Console

Using AWS CLI

References

Related CloudFront rules