Amazon CloudFront Unveils Origin Access Control (OAC)


Amazon CloudFront is a worldwide content delivery network that efficiently streams applications, websites, videos, and APIs to users around the world in mere milliseconds. Through CloudFront, customers can utilize various origin services tailored to their needs. A popular setup among users is employing Amazon S3 as the origin for hosting content such as websites and videos, while leveraging CloudFront for distribution. Previously, when utilizing this architecture, customers could use CloudFront’s origin access identity (OAI) to secure access to S3 origins exclusively for CloudFront.

Origin Access Control (OAC)

While OAI offers a secure method for accessing S3 origins via CloudFront, it has its limitations: it does not support granular policy configurations, it does not support HTTP and HTTPS requests that use the POST method in AWS regions requiring AWS Signature Version 4 (SigV4), and it integrates poorly with SSE-KMS. To enhance security and expand feature integrations, we are excited to introduce Origin Access Control (OAC), a new feature that secures S3 origins by allowing access exclusively to designated distributions. OAC follows AWS best practices by utilizing IAM service principals for authentication with S3 origins. Key enhancements provided by OAC compared to OAI include:

  • Improved Security: OAC employs advanced security measures, including short-term credentials, frequent credential rotations, and resource-based policies. These enhancements bolster the security of your distributions and help protect against threats like the confused deputy attack.
  • Comprehensive HTTP Method Support: OAC supports various HTTP methods, including GET, PUT, POST, PATCH, DELETE, OPTIONS, and HEAD.
  • SSE-KMS Compatibility: OAC allows for downloading and uploading S3 objects encrypted with SSE-KMS.
  • Access in All AWS Regions: OAC provides access to S3 in all AWS regions, including both existing and future regions. In contrast, OAI is limited to existing AWS regions and those launched before December 2022.

When implementing OAC, the standard request and response workflow consists of the following steps:

  1. A client sends HTTP or HTTPS requests to CloudFront.
  2. CloudFront edge locations process the requests. If the requested object is not cached, CloudFront signs the requests using the OAC signing protocol (currently supporting SigV4).
  3. S3 origins then authenticate, authorize, or deny the requests. When you set up OAC, you can select from three signing behaviors: “Do not sign requests,” “Sign requests,” or “Sign requests but do not override authorization header.” We will discuss OAC’s expected behaviors for each signing option next.

OAC Signing Options

  • “Sign requests” option: When you select this option, the IAM CloudFront service principal signs each request with SigV4. The signature, along with additional data, forms an Authorization header sent to your S3 origin. Upon receiving the request, the S3 origin calculates its own signature and compares it to the one sent by CloudFront. If they match, the request is processed; if not, it is denied. This option ensures that CloudFront always signs requests received from clients, improving application performance by reducing data transfers between client and CloudFront. We recommend most customers adopt this option.
  • “Sign requests but do not override authorization header” option: If your client applications can sign requests, and your use cases require toggling between client-signed and CloudFront-signed Authorization headers based on factors like cache behaviors, file directories, or HTTP methods, this sub-option allows that flexibility. For instance, if you wish to restrict S3 upload authorization to client applications while allowing downloads through CloudFront, enable this option. Remember, you must configure your S3 bucket policy to accept only your client’s Authorization for uploads.
  • “Do not sign requests” option: Selecting this option instructs CloudFront not to sign any requests to S3 origins. This is appropriate if your client applications always sign the requests or if your S3 bucket is public (not recommended). This option is also useful for bulk changes to OAC signing configurations across numerous CloudFront distributions.
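The workflow and the “Sign requests” option above describe the same exchange: the signer builds a SigV4 Authorization header for the request it forwards, and the origin recomputes the signature for the request it actually received and compares the two. The following is an added illustration, not code from the original post or from CloudFront itself: it models both sides with a shared secret (in the real service the CloudFront service principal uses short-term credentials and S3 checks them against IAM), so the assumed access key, secret, host, and date are constructed values.

```python
import hashlib
import hmac

ALGORITHM = "AWS4-HMAC-SHA256"


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def signing_key(secret: str, date: str, region: str, service: str) -> bytes:
    # SigV4 key derivation: "AWS4"+secret -> date -> region -> service -> "aws4_request"
    key = ("AWS4" + secret).encode()
    for part in (date, region, service, "aws4_request"):
        key = _hmac(key, part)
    return key


def sigv4_signature(secret: str, method: str, path: str, host: str,
                    amz_date: str, region: str, payload: bytes = b"") -> str:
    """Signature for a request with no query string and three signed headers
    (host, x-amz-content-sha256, x-amz-date), as sent to an S3 origin."""
    payload_hash = hashlib.sha256(payload).hexdigest()
    canonical_headers = (f"host:{host}\nx-amz-content-sha256:{payload_hash}\n"
                         f"x-amz-date:{amz_date}\n")
    signed_headers = "host;x-amz-content-sha256;x-amz-date"
    canonical_request = "\n".join(
        [method, path, "", canonical_headers, signed_headers, payload_hash])
    date = amz_date[:8]
    scope = f"{date}/{region}/s3/aws4_request"
    string_to_sign = "\n".join([ALGORITHM, amz_date, scope,
                                hashlib.sha256(canonical_request.encode()).hexdigest()])
    return hmac.new(signing_key(secret, date, region, "s3"),
                    string_to_sign.encode(), hashlib.sha256).hexdigest()


def authorization_header(access_key, secret, method, path, host, amz_date, region, payload=b""):
    """The Authorization header the 'Sign requests' behavior attaches to an origin request."""
    sig = sigv4_signature(secret, method, path, host, amz_date, region, payload)
    return (f"{ALGORITHM} Credential={access_key}/{amz_date[:8]}/{region}/s3/aws4_request, "
            f"SignedHeaders=host;x-amz-content-sha256;x-amz-date, Signature={sig}")


def origin_accepts(secret, header, method, path, host, amz_date, region, payload=b""):
    """Model of the origin's check: recompute the signature for the request as received
    and compare it to the presented one in constant time. Any change to the signed
    fields (path, host, date, payload) or a wrong key yields a mismatch."""
    presented = header.rsplit("Signature=", 1)[-1]
    expected = sigv4_signature(secret, method, path, host, amz_date, region, payload)
    return hmac.compare_digest(presented, expected)
```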

Now that we understand OAC’s signing behaviors, let’s look at how to configure OAC and set KMS policies accordingly.

Configuring OAC When Creating a New CloudFront Distribution

  1. Sign in to the AWS Management Console and navigate to the CloudFront console at https://console.aws.amazon.com/cloudfront/v3/home.
  2. Select “Create Distribution.”
  3. In the Origin configuration section, choose an S3 origin from the drop-down list.
  4. Optionally, configure an origin path to append to the origin domain name for requests.
  5. Enter a name to uniquely identify the origin configuration.
  6. Choose the Origin access control settings (Figure 2).
  7. You can select an existing origin access control or create a new one with one of the three signing options (Figure 1).
  8. Follow the detailed instructions to configure the remaining settings.
  9. Click “Create distribution” once all settings are finalized.

After successfully creating the distribution, update the S3 bucket policy using the policy statement provided on the distribution detail page (Figure 3). Note that the policy only includes permissions for reading objects from S3. To enable uploads, you must add “s3:PutObject” permissions to the policy.
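The policy statement the console provides, and the s3:PutObject addition for uploads, can be generated and checked programmatically. The helper below is an added example, not code from the original post or an AWS tool: it builds the bucket policy for an assumed bucket and distribution ARN (the account id and distribution id are placeholders) and audits a policy for the AWS:SourceArn scoping that ties the CloudFront service principal to one distribution, which is what guards against the confused deputy attack mentioned earlier.

```python
CLOUDFRONT_PRINCIPAL = "cloudfront.amazonaws.com"


def build_oac_bucket_policy(bucket: str, distribution_arn: str, allow_upload: bool = False) -> dict:
    """Bucket policy for an OAC-protected S3 origin, in the shape the console shows
    after the distribution is created: the CloudFront service principal may read
    objects, but only when acting for the distribution named in AWS:SourceArn."""
    actions = ["s3:GetObject"]
    if allow_upload:
        actions.append("s3:PutObject")  # only add when clients upload through CloudFront
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowCloudFrontServicePrincipal",
            "Effect": "Allow",
            "Principal": {"Service": CLOUDFRONT_PRINCIPAL},
            "Action": actions,
            "Resource": f"arn:aws:s3:::{bucket}/*",
            "Condition": {"StringEquals": {"AWS:SourceArn": distribution_arn}},
        }],
    }


def audit_oac_policy(policy: dict) -> list:
    """Return findings for Allow statements granting the CloudFront service principal
    access without a CloudFront distribution ARN in a StringEquals AWS:SourceArn
    condition. Without that condition, any distribution in any account could use
    the service principal to reach the bucket (the confused-deputy problem)."""
    findings = []
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):        # a single statement may be given bare
        statements = [statements]
    for stmt in statements:
        principal = stmt.get("Principal", {})
        service = principal.get("Service") if isinstance(principal, dict) else None
        services = [service] if isinstance(service, str) else (service or [])
        if stmt.get("Effect") != "Allow" or CLOUDFRONT_PRINCIPAL not in services:
            continue
        sid = stmt.get("Sid", "<no Sid>")
        equals = stmt.get("Condition", {}).get("StringEquals", {})
        # condition keys are case-insensitive, so match aws:sourcearn in any casing
        arns = next((v for k, v in equals.items() if k.lower() == "aws:sourcearn"), None)
        if not arns:
            findings.append(f"{sid}: missing AWS:SourceArn condition")
            continue
        arns = [arns] if isinstance(arns, str) else arns
        if not all(a.startswith("arn:aws:cloudfront::") for a in arns):
            findings.append(f"{sid}: AWS:SourceArn is not a CloudFront distribution ARN")
    return findings
```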

Configuring OAC When Updating an Existing CloudFront Distribution

