https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-restricting-access-to-s3.html
To ensure that users access objects in Amazon S3 by using only CloudFront URLs, the SysOps administrator should create an origin access identity (OAI) and grant it permissions to read objects in the S3 bucket.
Create an Origin Access Identity (OAI):
An OAI is a special CloudFront user that you associate with your distribution to restrict access to the S3 bucket.
This ensures that only CloudFront can read from the S3 bucket directly, so users must go through CloudFront to access the content.
Steps to Implement:
Open the CloudFront console.
Select your distribution and go to the "Origins and Origin Groups" tab.
Edit the S3 origin and create a new OAI or use an existing one.
Update the S3 bucket policy to grant the OAI read permissions.
Bucket Policy Example:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity [OAI_ID]"
      },
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::your-bucket-name/*"
    }
  ]
}
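Added example, not from the AWS documentation page: a small Python audit that builds the OAI-only bucket policy shown above and checks any bucket policy for the setting the OAI is meant to rule out, an Allow that grants object reads to an anonymous principal. The OAI ID and bucket name are constructed placeholders.

```python
import fnmatch

# Constructed placeholders, not real identifiers: an OAI ID and a bucket name.
OAI_ID, BUCKET = "E2EXAMPLEOAIID", "example-bucket"

def oai_principal(oai_id):
    """ARN form that S3 bucket policies use for a CloudFront OAI."""
    return f"arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity {oai_id}"

def build_oai_policy(bucket, oai_id):
    """Bucket policy that grants object reads to the OAI and nobody else."""
    statement = {"Sid": "AllowCloudFrontOAIRead", "Effect": "Allow",
                 "Principal": {"AWS": oai_principal(oai_id)},
                 "Action": "s3:GetObject", "Resource": f"arn:aws:s3:::{bucket}/*"}
    return {"Version": "2012-10-17", "Statement": [statement]}

# Weak setting, constructed for contrast: an anonymous read grant lets users fetch
# objects with S3 URLs directly, so the OAI no longer restricts anything.
PUBLIC_READ_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": f"arn:aws:s3:::{BUCKET}/*"}]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _principals(statement):
    """Flatten the Principal element; '*' and {'AWS': '*'} both mean anonymous."""
    principal = statement.get("Principal", {})
    if isinstance(principal, dict):
        return [p for v in principal.values() for p in _as_list(v)]
    return _as_list(principal)

def audit_policy(policy, oai_id):
    """Return findings; an empty list means object reads go to the OAI only."""
    findings, oai_read = [], False
    for st in _as_list(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        # Action may be a string or a list and may use wildcards such as s3:* or s3:Get*.
        actions = _as_list(st.get("Action", []))
        grants_read = any(fnmatch.fnmatchcase("s3:GetObject", a) for a in actions)
        for p in _principals(st):
            if grants_read and p == "*":
                findings.append(f"anonymous read in statement {st.get('Sid', '<no Sid>')}")
            elif grants_read and p == oai_principal(oai_id):
                oai_read = True
    if not oai_read:
        findings.append("no s3:GetObject grant for the OAI principal")
    return findings
```

Run `audit_policy` over the policy fetched with `aws s3api get-bucket-policy` to confirm the OAI grant is present and that no anonymous read statement was left behind from before the change.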
Using an Origin Access Identity to Restrict Access to Your S3 Content