OAI & OAC
Last edited 52 days ago by Kirtan Chavda

Origin Access Identity (OAI)

Origin Access Identity (OAI) is a mechanism that restricts direct access to your Amazon S3 bucket so that its objects can be fetched only through Amazon CloudFront.

Key Features and Benefits
Restrict Direct S3 Access: OAI helps ensure that users cannot bypass CloudFront and directly access objects in your S3 bucket. This is achieved by denying access to direct S3 URLs and granting access only through CloudFront URLs.
CloudFront User Association: OAI is a special CloudFront user that you associate with your CloudFront distribution. This identity is granted permissions to access the S3 bucket.
Access Control: You modify the permissions on your S3 bucket to grant access to the OAI while denying access to other users. This ensures that only requests routed through CloudFront can access the content in the S3 bucket.
Integration with Signed URLs and Signed Cookies: OAI can be combined with signed URLs and signed cookies to further control access to your content. Signed URLs and cookies grant time-limited, request-specific access, adding a further layer of control.
Prevent Unauthorized Access: Because only CloudFront can read from the S3 bucket, OAI prevents content from being fetched directly through the S3 endpoint.

Functionality

Used in conjunction with signed URLs and signed cookies to prevent direct access to an S3 bucket, enforcing CloudFront controls.

Characteristics

OAI is a special CloudFront user associated with the distribution.
Permissions are adjusted on the Amazon S3 bucket to restrict access to the OAI.

Preventing Direct Access

If users attempt to access files directly via Amazon S3 URLs, access is denied.
Only the origin access identity, not end users, has permission to read the files in the S3 bucket.

Usage

Helps enforce access controls implemented via CloudFront.
Ensures that content is served through CloudFront, providing additional security and control over content distribution.

Origin Access Control (OAC) (Recommended)

Origin Access Control (OAC) is Amazon CloudFront's newer mechanism for restricting access to S3 origins, improving on the traditional Origin Access Identity (OAI) in both security and feature integration. OAC uses IAM service principals for authentication and introduces several enhancements over OAI; AWS recommends OAC over OAI because of its broader capabilities.

Key Enhancements of OAC Over OAI

Enhanced Security:
    Short-term Credentials: OAC uses short-term credentials that are frequently rotated, reducing the risk of credential exposure.
    Resource-based Policies: These policies strengthen the security posture of your distributions and protect against attacks such as the confused deputy problem.
Comprehensive HTTP Method Support:
    OAC supports all HTTP methods, including GET, PUT, POST, PATCH, DELETE, OPTIONS, and HEAD.
Support for SSE-KMS:
    OAC can download and upload S3 objects encrypted with SSE-KMS, which matters for sensitive data.
Access to All AWS Regions:
    OAC can access S3 in all AWS regions, including regions launched after December 2022; OAI only works in regions launched before December 2022.
Service Principal for Bucket Policies:
    OAC requires the S3 bucket policy to allow access to the CloudFront service principal, so that only CloudFront can reach the bucket.
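As an added check for the bucket-policy point above (example code, not from the page or from AWS): a grant to the CloudFront service principal only excludes other accounts' distributions when its aws:SourceArn condition pins one distribution ARN, which is the confused deputy protection mentioned earlier. The audit below also flags legacy OAI principals; the account id, bucket name and distribution id are constructed placeholders.

```python
"""Audit an S3 bucket policy for CloudFront origin access (OAI vs OAC).
Added example, not code from the page or from AWS; account id, bucket and
distribution id below are constructed placeholders."""

OAI_PREFIX = "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity "
OAC_SERVICE = "cloudfront.amazonaws.com"

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _source_arns(statement):
    """aws:SourceArn values under StringEquals/ArnEquals (keys are case-insensitive)."""
    arns = []
    for op, keys in statement.get("Condition", {}).items():
        if op.lower() in ("stringequals", "arnequals"):
            for key, val in keys.items():
                if key.lower() == "aws:sourcearn":
                    arns.extend(_as_list(val))
    return arns

def audit_cloudfront_access(policy: dict) -> list[str]:
    """One finding per weak CloudFront grant; an empty list means clean.
    An OAC grant should name the service principal and pin aws:SourceArn to
    one distribution, so another account's distribution cannot read the bucket."""
    findings = []
    for i, st in enumerate(policy.get("Statement", [])):
        principal = st.get("Principal", {})
        if st.get("Effect") != "Allow" or not isinstance(principal, dict):
            continue
        if any(p.startswith(OAI_PREFIX) for p in _as_list(principal.get("AWS", []))):
            findings.append(f"statement {i}: legacy OAI principal, migrate to OAC")
        if OAC_SERVICE in _as_list(principal.get("Service", [])):
            arns = _source_arns(st)
            if not arns:
                findings.append(f"statement {i}: service principal without aws:SourceArn")
            elif any("*" in a or ":distribution/" not in a for a in arns):
                findings.append(f"statement {i}: aws:SourceArn not pinned to one distribution")
    return findings

# Constructed sample: statement 0 is a correct OAC grant; statement 1 lets any
# CloudFront distribution in any account read the bucket (confused deputy).
GOOD_CONDITION = {"StringEquals": {"AWS:SourceArn":
    "arn:aws:cloudfront::111122223333:distribution/EXAMPLEDISTID"}}
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"Service": OAC_SERVICE}, "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-bucket/*", "Condition": GOOD_CONDITION},
    {"Effect": "Allow", "Principal": {"Service": OAC_SERVICE}, "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-bucket/*"},
]}
```

Running audit_cloudfront_access(SAMPLE_POLICY) reports only statement 1; the same function run over a policy export is a quick way to find buckets still on OAI or with an unpinned service-principal grant.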
