Origin Access Identity in AWS



Amazon CloudFront is a Content Delivery Network (CDN) that speeds up the delivery of both static and dynamic web content, including HTML, CSS, JavaScript, and images. It works with other AWS products including Amazon Simple Storage Service (S3) and Amazon Elastic Compute Cloud (EC2). One of CloudFront's key features is the use of an Origin Access Identity (OAI) to limit access to the original content kept in an S3 bucket or an EC2 instance. This can help safeguard confidential information or restrict access to information meant solely for paying customers.

What is Amazon CloudFront Origin Access Identity (OAI)?

An origin access identity (OAI) is a unique CloudFront user connected to a distribution that is used to authorize access to the distribution's origin. An OAI can be created and managed through the AWS Management Console or the AWS Command Line Interface (CLI).


An OAI can be used to implement a CacheBehavior in a CloudFront distribution once it has been created. Depending on the permissions of the OAI, this CacheBehavior can be set to either permit or prohibit access to the origin. An OAI might be used, for instance, to restrict access to the origin of requests that originate from CloudFront or to a particular user or user group.


To create an OAI using the AWS CLI, you can use the create-cloud-front-origin-access-identity command. Here is an example of the syntax:


The create-cloud-front-origin-access-identity command returns a JSON object that includes the OAI's ID, ARN, and other information. Here is an example of the returned JSON object:

The Id field of the returned JSON object contains the OAI's ID, a unique identifier for the OAI. The CloudFrontOriginAccessIdentityConfig field holds the OAI's configuration, including the CallerReference and Comment values that were specified when the OAI was created. The ETag field contains an entity tag that can be used to confirm that the OAI was successfully created.

Why Should You Use CloudFront S3 OAI?

Utilizing CloudFront S3 OAI has several advantages:

  • Enhanced Security: You can lessen the possibility of unwanted access to sensitive content by utilizing an OAI to restrict access to the origin.
  • Greater Control Over Content Access: Access to the origin can be granted or revoked using OAI on a per-user or per-group basis. Different user groups may benefit from having access at various levels thanks to this.
  • Reduced Risk of Hotlinking: Hotlinking is the act of displaying an image or other piece of content on a webpage by linking directly to that content on another website. As a result, the content owner may incur higher costs and increased bandwidth usage. You can avoid hotlinking and lower the possibility of unforeseen costs by utilizing an OAI to restrict access to the origin.
  • Enhanced Delivery of Content: By utilizing CloudFront's extensive network of edge locations with an OAI, you can enhance the delivery of your content. Your content may be delivered to users more quickly as a consequence.
  • Improved Control Over Content Distribution: You may manage the distribution of your material by utilizing an OAI. For instance, you could use an OAI to restrict access to the origin of requests from a particular set of users or IP addresses.
  • Enhanced Scalability: High traffic volumes can be handled using CloudFront, which scales automatically to meet demand. You can increase the scalability of your content distribution by using CloudFront with an OAI to offload the delivery of your content to CloudFront's extensive network of edge locations.
  • Cost-Friendly: You could save money on bandwidth charges by utilizing CloudFront with an OAI. Because CloudFront's edge locations are built to cache material locally, requests for your content can be fulfilled from the one that is most convenient for the user, minimizing the need for data transfer over the Internet. As a result, it might be less expensive to distribute your material to users all over the world.
  • Improved Performance: The edge locations of CloudFront are made to provide content swiftly and effectively. By combining CloudFront with an OAI, you can make use of its extensive network of edge locations to boost the efficiency of your content delivery.

Set Up OAI for New CloudFront Distributions


  • Select Create after giving your OAI a name.


  • The next option you must choose is Yes, update the bucket policy. Your S3 bucket's policies will be updated as a result. It will add code to ensure that your files in S3 buckets are only accessible through this CloudFront distribution.
  • For this kind of distribution, it's also a good idea to choose Redirect HTTP to HTTPS or HTTPS exclusively.


  • Everything else can be left at its default state. Then select Create distribution.
  • Don't forget to disable all public access in your S3 bucket's permissions. You should also see a new bucket policy on the bucket.


Set Up OAI for Existing CloudFront Distributions

  • Navigate to CloudFront Console.
  • If you already have an OAI, you can use it. If you don't, you can create one by selecting Origin access identities.


  • After that, select Create origin access identity.


  • Select Create after giving your OAI a name.


  • Return to the CloudFront distributions page and pick the S3 origin distribution.


  • Click on the Origins tab. Then choose Edit after selecting the Amazon S3 origin.


  • Select Save changes. It should be noted that it may take some time for the switch to use the CloudFront URLs rather than the S3 URLs.

Migrating From Origin Access Identity (OAI) to Origin Access Control (OAC)

Using an OAI, Amazon S3's Origin Access Control (OAC) functionality enables you to manage who has access to the objects in your bucket. Although it is implemented at the bucket level rather than the distribution level, it is analogous to employing an OAI with CloudFront.

The procedures below can be used if you currently use an OAI with CloudFront and want to switch to using an OAC with S3:

  • As stated in the previous section, you can create an OAI using the AWS Management Console or the AWS CLI. The OAI's ID must be noted because it will be required in the following stage.


  • Go to this provided link to access the S3 console.
  • Choose the bucket you want to move over to OAC.


  • Select the Edit bucket policy button after selecting the Properties tab.
  • Set the OAI's ID as the principal and enable the s3:GetObject action in the bucket policy. Here is an illustration of the bucket policy:
  • The bucket policy can be saved by clicking the Save button.
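
The bucket policy step above, like the Yes, update the bucket policy option in the new-distribution setup, is meant to leave the bucket readable only through the OAI. The following Python check is an added example, not code from the original article or from AWS; the function names, the OAI ID and the bucket name are constructed placeholders. It flags Allow statements whose principal is anything other than the OAI.

```python
import json
from fnmatch import fnmatchcase

# Principal ARN format that identifies an OAI in an S3 bucket policy.
OAI_ARN = "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity {}"
OAI_ID = "E2EXAMPLEOAIID"  # constructed placeholder, not a real OAI ID

def as_list(value):
    """Policy fields may hold one string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]

def principals(stmt):
    """All principals a statement names; '*' means anyone."""
    p = stmt.get("Principal", {})
    return [p] if isinstance(p, str) else [v for vals in p.values() for v in as_list(vals)]

def allows_get(stmt):
    """True if the Action list covers s3:GetObject, wildcards included."""
    return any(fnmatchcase("s3:getobject", a.lower()) for a in as_list(stmt.get("Action", [])))

def audit_bucket_policy(policy_json, oai_id):
    """Return findings for Allow statements that reach past the OAI."""
    expected, findings, oai_can_read = OAI_ARN.format(oai_id), [], False
    for i, stmt in enumerate(as_list(json.loads(policy_json)["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue
        for who in principals(stmt):
            if who == expected:
                oai_can_read = oai_can_read or allows_get(stmt)
            elif who == "*":
                findings.append(f"statement {i}: public access (Principal '*')")
            else:
                findings.append(f"statement {i}: review non-OAI principal {who}")
    if not oai_can_read:
        findings.append("OAI is not allowed s3:GetObject")
    return findings

def make_policy(*principal_values):
    """Build a constructed sample policy with one read statement per principal."""
    return json.dumps({"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": p, "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-bucket/*"} for p in principal_values]})

OAI_ONLY = make_policy({"AWS": OAI_ARN.format(OAI_ID)})
WITH_PUBLIC = make_policy({"AWS": OAI_ARN.format(OAI_ID)}, "*")

if __name__ == "__main__":
    print(audit_bucket_policy(OAI_ONLY, OAI_ID))     # no findings
    print(audit_bucket_policy(WITH_PUBLIC, OAI_ID))  # public statement flagged
```

The check does not evaluate Condition blocks, Deny statements or NotPrincipal, so a finding is a prompt to review the statement rather than proof of exposure.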

Advanced Settings For Origin Access Control

Advanced settings in the CloudFront origin access control feature are only meant for certain use scenarios. Unless you have a unique need for the advanced options, use the suggested settings.

Origin access control includes a setting called Signing behavior (in the console), or SigningBehavior (in the API, CLI, and AWS CloudFormation). The following possibilities are available with this setting:

  • Always Sign Requests For Origin: Use the Sign requests (recommended) setting in the console. With this configuration, CloudFront always signs all requests it sends to the origin of the S3 bucket.
  • Never Sign Origin Requests: This option is named Never sign requests in the API, CLI, and AWS CloudFormation, and Do not sign requests in the console. Use this setting to disable origin access control for all origins in all distributions that use it. Compared to removing an origin access control from each origin and distribution that uses it individually, this can save time and effort. With this setting, CloudFront does not sign any requests it sends to the S3 bucket origin.
  • You Shouldn't Alter the Viewer (Client) Authorization Header: This option is named Do not override the authorization header in the console. Use this setting when you want CloudFront to sign origin requests only when the associated viewer request does not have an Authorization header. With this setting, when an Authorization header is present in the viewer request, CloudFront passes it on, but when one is not, it signs the origin request and adds its own Authorization header.


  • A unique CloudFront user called CloudFront origin access identity (OAI) in AWS is used to grant access rights to a distribution's origin. Through the AWS Management Console or the AWS CLI, OAI may be set up and managed, helping to increase the security and control of access to the origin.
  • Utilizing CloudFront S3 OAI will give you greater control over how and where the material is distributed while also enhancing the security, scalability, and performance of content delivery.
  • It can be used to limit access to the source, stop hotlinking, and lessen the possibility of unforeseen charges.
  • The AWS Management Console or the AWS CLI can be used to create an OAI, which can then be specified in the distribution's origin settings to configure OAI for a new CloudFront distribution.
  • The AWS Management Console or the AWS CLI can be used to create an OAI, which can then be used to adjust the distribution's cache behavior to use the OAI.
  • You can switch from OAI to OAC by creating an OAI using the AWS Management Console or AWS CLI, then updating the bucket policy to permit access to the OAI.
  • By selecting the bucket as the origin and turning on Restrict Bucket Access in the Restrict Bucket Access column, you can adjust your CloudFront distribution to work with the OAC.