Tags: amazon-web-services, amazon-s3, amazon-cloudfront, amazon-route53, aws-certificate-manager

Is it possible to hide an AWS S3 Bucket Website Endpoint that is served by a cloud front distribution?


Background:

What I've done:

  1. create an s3 bucket that enables static web page hosting
  2. created and registered a domain
  3. got an ssl certificate from ACM, created the relevant CNAME records.
  4. Created the cloud front distribution with origin as the website endpoint, and recognizing all domains that have CNAMEs in the hosted zone for the domain/acm cert.

The problem:

The S3 bucket website endpoint is still accessible (and unsecured). I would like to only have the registered domain (and cloud front url, if necessary) accessible - I'm trying to remove the s3 bucket website endpoint for public access in browsers.

# What I've tried:

  1. Limiting bucket policy to only allow cloud front access
  2. Creating OAC (origin access control) but do not seem to have that option in origin settings when using the s3 endpoint
  3. Recreating the distribution to try and use OAC but I could not include the s3 bucket endpoint in the ACM cert for rerouting / any CNAME stuff. (ik ik, but had to try)

# Current Thoughts:

  1. I have hit a wall for the time being.

this is my first post so sorry about any formatting issues.


Solution

  • Yes, you can hide/disable the S3 Website Endpoint and use a private bucket as the origin for CloudFront Distribution.


    Your thought process is correct.

    1. You need an S3 bucket with a bucket policy allowing the CloudFront Origin Access Identity (OAI) to be used to restrict access to the bucket
    2. SSL certs will live in the CloudFront Distribution

    To make sure everything is working, we can go back to the beginning:

    1. Create a s3 bucket and make it private (no public access)
    2. Create a cloudfront distribution
    3. Create the cloudfront OAI
    4. Allow the OAI to access the bucket (update the bucket policy)
    5. Using the cloudfront distribution URL verify you can access the assets in the bucket
    6. Add the SSL/Custom Domain name to CloudFront

    Here are some step-by-step tutorials about how to do it:

    If you are using infrastructure-as-code via CDK, I have a construct example:

    You can extend it and add your custom domain/SSL as needed.
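The bucket-policy step is where the website endpoint actually gets closed off, so here is an added example (not code from the question, the answer, or AWS) that builds the three policy shapes involved and checks which of them still grants anonymous reads. The first is the usual "static website hosting" policy with `Principal: "*"`, which is exactly what lets any browser hit the S3 website endpoint; the second grants read only to a CloudFront Origin Access Identity, as the answer describes; the third is the newer Origin Access Control form, which grants read to the `cloudfront.amazonaws.com` service principal but only when `AWS:SourceArn` matches one distribution. Both OAI and OAC attach to the bucket's REST origin (`bucket.s3.region.amazonaws.com`), not the website endpoint, which is why the OAC option did not appear for a website-endpoint origin. Bucket name, OAI id, account id and distribution id below are constructed placeholders; `public_read_statements` is a helper written for this example.

```python
import json

# Constructed placeholder identifiers for this example; substitute your own.
BUCKET = "example-static-site-bucket"
OAI_ID = "E1EXAMPLEOAIID"
ACCOUNT_ID = "111122223333"
DISTRIBUTION_ID = "E2EXAMPLEDISTID"


def public_website_policy(bucket: str) -> dict:
    """The typical 'static website hosting' policy: anonymous read of every object.
    This shape is what keeps the S3 website endpoint open to any browser."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "PublicReadGetObject",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": f"arn:aws:s3:::{bucket}/*",
        }],
    }


def oai_bucket_policy(bucket: str, oai_id: str) -> dict:
    """Legacy Origin Access Identity: only the OAI's IAM principal may read objects."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowCloudFrontOAIRead",
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity {oai_id}"},
            "Action": "s3:GetObject",
            "Resource": f"arn:aws:s3:::{bucket}/*",
        }],
    }


def oac_bucket_policy(bucket: str, account_id: str, distribution_id: str) -> dict:
    """Origin Access Control: the CloudFront service principal may read, but only
    when the request comes from this one distribution (AWS:SourceArn condition)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowCloudFrontServicePrincipalReadOnly",
            "Effect": "Allow",
            "Principal": {"Service": "cloudfront.amazonaws.com"},
            "Action": "s3:GetObject",
            "Resource": f"arn:aws:s3:::{bucket}/*",
            "Condition": {
                "StringEquals": {
                    "AWS:SourceArn": f"arn:aws:cloudfront::{account_id}:distribution/{distribution_id}"
                }
            },
        }],
    }


def _as_list(value):
    # IAM policy fields may be a single string or a list; normalise to a list.
    return value if isinstance(value, list) else [value]


def _principal_is_anonymous(principal) -> bool:
    # "*" or {"AWS": "*"} both mean "anyone, unauthenticated included".
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def public_read_statements(policy: dict) -> list:
    """Return the Sids of Allow statements that grant object reads to anyone
    without any Condition. An empty list means the policy itself no longer
    serves the website endpoint anonymously (Block Public Access still applies on top)."""
    flagged = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_is_anonymous(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if actions & {"s3:getobject", "s3:*", "*"}:
            flagged.append(stmt.get("Sid", "<no Sid>"))
    return flagged


if __name__ == "__main__":
    for name, pol in [("website", public_website_policy(BUCKET)),
                      ("oai", oai_bucket_policy(BUCKET, OAI_ID)),
                      ("oac", oac_bucket_policy(BUCKET, ACCOUNT_ID, DISTRIBUTION_ID))]:
        print(name, "anonymous read statements:", public_read_statements(pol) or "none")
        print(json.dumps(pol, indent=2))
```

The checker is deliberately conservative: it treats any unconditioned `Allow` to `*` on `s3:GetObject`, `s3:*` or `*` as public, which is the pattern to look for when auditing a bucket that was once a website host. After switching to the OAI or OAC policy and enabling Block Public Access, anonymous requests to the website endpoint (which supports only unauthenticated access) receive 403, while CloudFront continues to read through the REST origin.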