Ensure that the origin access identity (OAI) feature is enabled for all your Amazon CloudFront distributions that use an S3 bucket as an origin, so that direct access to your objects through Amazon S3 URLs is blocked and content can only be fetched through CloudFront.
When your Amazon CloudFront distributions use AWS S3 as an origin, the distributions' content should be kept private and delivered only via the CloudFront network, using an origin access identity to regulate access. With origin access identity enabled, your Amazon CloudFront distributions can also be much more cost effective if your users access your objects frequently, as the price for CloudFront data transfer is lower than the price for S3 data transfer. In addition, downloads are faster when only the CloudFront service is used to deliver your application objects instead of S3, because the objects are cached at the edge locations of the distribution and therefore stored closer to your users.
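As an added illustration (not part of the Conformity rule page or its remediation steps), the check below walks a list of distributions in the shape returned by boto3's `cloudfront.list_distributions()` and reports every S3 origin whose `S3OriginConfig` has no OAI set; the sample distributions and the OAI id `EXAMPLEOAI` are constructed, and the live boto3 call is an assumption about how you would feed it real data.

```python
"""Audit CloudFront distributions for S3 origins that lack an Origin Access Identity.

Added example, not code from the Conformity page. Input mirrors the shape of
CloudFront DistributionSummary objects; the sample data below is constructed.
"""

def s3_origins_without_oai(distribution):
    """Return the Ids of S3 origins in one distribution that have no OAI.

    An origin is an S3 (REST endpoint) origin when it carries an S3OriginConfig.
    Buckets used as website endpoints appear as CustomOriginConfig instead, and
    OAI cannot be applied to those, so they are not flagged here.
    """
    findings = []
    for origin in distribution.get("Origins", {}).get("Items", []):
        s3cfg = origin.get("S3OriginConfig")
        if s3cfg is None:
            continue  # custom origin (ALB, website endpoint, ...): OAI not applicable
        # CloudFront represents "no OAI" as an empty OriginAccessIdentity string.
        if not s3cfg.get("OriginAccessIdentity", "").strip():
            findings.append(origin["Id"])
    return findings

def audit(distributions):
    """Map distribution Id -> list of non-compliant origin Ids (non-empty only)."""
    result = {}
    for dist in distributions:
        bad = s3_origins_without_oai(dist)
        if bad:
            result[dist["Id"]] = bad
    return result

# Constructed sample in the shape of list_distributions()["DistributionList"]["Items"]
SAMPLE_DISTRIBUTIONS = [
    {"Id": "EXAMPLE1", "Origins": {"Items": [
        {"Id": "s3-assets", "DomainName": "assets.s3.amazonaws.com",
         "S3OriginConfig": {"OriginAccessIdentity": "origin-access-identity/cloudfront/EXAMPLEOAI"}}]}},
    {"Id": "EXAMPLE2", "Origins": {"Items": [
        {"Id": "s3-public", "DomainName": "public.s3.amazonaws.com",
         "S3OriginConfig": {"OriginAccessIdentity": ""}},
        {"Id": "api", "DomainName": "api.example.com",
         "CustomOriginConfig": {"OriginProtocolPolicy": "https-only"}}]}},
]

if __name__ == "__main__":
    # Against a live account, replace SAMPLE_DISTRIBUTIONS with (assumed usage):
    # boto3.client("cloudfront").list_distributions()["DistributionList"].get("Items", [])
    for dist_id, origins in audit(SAMPLE_DISTRIBUTIONS).items():
        print(f"{dist_id}: S3 origin(s) without OAI: {', '.join(origins)}")
```

A flagged origin still needs its bucket policy checked separately: enabling an OAI on the distribution only restricts direct S3 access once the bucket policy grants read access to that OAI alone.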
To determine if origin access identity is enabled for your CloudFront distributions configured with S3 as origin, perform the following:
Remediation / Resolution
To enable origin access identity for your CloudFront distribution and restrict direct user access to the S3 bucket used as origin, perform the following:
- AWS Documentation
- Amazon CloudFront FAQs
- Using CloudFront with Amazon S3
- Using Amazon S3 Origins and Custom Origins for Web Distributions
- Using an Origin Access Identity to Restrict Access to Your Amazon S3 Content
Enable Origin Access Identity for CloudFront Distributions with S3 Origin
Risk level: Medium