Origin Access Identity in AWS

What is Amazon CloudFront Origin Access Identity (OAI)?

An origin access identity (OAI) is a unique CloudFront user connected to a distribution that is used to authorize access to the distribution's origin. Through the AWS Management Console or the AWS Command Line Interface, an OAI can be built and managed (CLI).

An OAI can be used to implement a CacheBehavior in a CloudFront distribution once it has been created. Depending on the permissions of the OAI, this CacheBehavior can be set to either permit or prohibit access to the origin. An OAI might be used, for instance, to restrict access to the origin of requests that originate from CloudFront or to a particular user or user group.

Syntax

To create an OAI using the AWS CLI, you can use the create-cloud-front-origin-access-identity command. Here is an example of the syntax:

Returns

The create-cloud-front-origin-access-identity command returns a JSON object that includes the OAI's ID, ARN, and other information. Here is an example of the returned JSON object:

The OAI's ID, a unique identifier for the OAI, is contained in the Id field of the returned JSON object. The CallerReference and Comment fields that were specified when the OAI was created are included in the CloudFrontOriginAccessIdentityConfig field's setting for the OAI. An entity tag that is present in the ETag field can be used to confirm that the OAI was successfully formed.

Why Should You Use CloudFront S3 OAI?

Utilizing CloudFront S3 OAI has several advantages:

• Enhanced Security: You can lessen the possibility of unwanted access to sensitive content by utilizing an OAI to restrict access to the origin.
• Greater Control Over Content Access: Access to the origin can be granted or revoked using OAI on a per-user or per-group basis. Different user groups may benefit from having access at various levels thanks to this.
• Reduced Risk of Hotlinking: The act of displaying an image or other piece of content on a webpage by making a direct link to that image or piece of content on another website is known as hotlinking. As a result, the content owner may incur higher prices and increased bandwidth usage. You can avoid hotlinking and lower the possibility of unforeseen costs by utilizing an OAI to restrict access to the origin.
• Enhanced Delivery of Content: By utilizing CloudFront's extensive network of edge locations with an OAI, you can enhance the delivery of your content. Your content may be delivered to users more quickly as a consequence.
• Improved Control Over Control Distribution: You may manage the distribution of your material by utilizing an OAI. For instance, you could use an OAI to restrict access to the origin of requests from a particular set of users or IP addresses.
• Enhanced Scalability: High traffic volumes can be handled using CloudFront, which scales automatically to meet demand. You can increase the scalability of your content distribution by using CloudFront with an OAI to offload the delivery of your content to CloudFront's extensive network of edge locations.
• Cost-Friendly: You could save money on bandwidth charges by utilizing CloudFront with an OAI. Because CloudFront's edge locations are built to cache material locally, requests for your content can be fulfilled from the one that is most convenient for the user, minimizing the need for data transfer over the Internet. As a result, it might be less expensive to distribute your material to users all over the world.
• Improved Performance: The edge locations of CloudFront are made to provide content swiftly and effectively. By combining CloudFront with an OAI, you may take use of its extensive network of edge locations to boost the efficiency of your content delivery.

Set Up OAI for New CloudFront Distributions

• Navigate to CloudFront Console.
• Go to Create Distribution.

• Select Create after giving your OAI a name.

• The next option you must choose is Yes, update the bucket policy. Your S3 bucket's policies will be updated as a result. It will add code to ensure that your files in S3 buckets are only accessible through this CloudFront distribution.
• For this kind of distribution, it's also a good idea to choose Redirect HTTP to HTTPS or HTTPS exclusively.

• Everything else can be left at its default state. Then select Create distribution.
• Don't forget to disable all public access in your S3 bucket's permissions. Another change should be a new bucket policy.

Set Up OAI for Existing CloudFront Distributions

• Navigate to CloudFront Console.
• You can utilize an OAI if you already have one. By selecting Origin access identities, you can create one if you don't already have one.

• After that, select Create origin access identity.

• Select Create after giving your OAI a name.

• Return to the CloudFront distributions page and pick the S3 origin distribution.

• Click on the Origins tab. Then choose Edit after selecting the Amazon S3 origin.

• Select Save changes. It should be noted that it may take some time for the switch to use the CloudFront URLs rather than the S3 URLs.

Migrating From Origin Access Identity (OAI) to Origin Access Control (OAC)

Using an OAI, Amazon S3's Origin Access Control (OAC) functionality enables you to manage who has access to the objects in your bucket. Although it is implemented at the bucket level rather than the distribution level, it is analogous to employing an OAI with CloudFront.

The procedures below can be used if you currently use an OAI with CloudFront and want to switch to using an OAC with S3:

• As stated in the previous section, you can create an OAI using the AWS Management Console or the AWS CLI. The OAI's ID must be noted because it will be required in the following stage.

• Go to this provided link to access the S3 console.
• Choose the bucket you want to move over to OAC.

• Select the Edit bucket policy button after selecting the Properties tab.
• Set the OAI's ID as the principal and enable the s3:GetObject action in the bucket policy. Here is an illustration of the bucket policy:

• The bucket policy can be saved by clicking the Save button.

Advanced Settings For Origin Access Control

Advanced settings in the CloudFront origin access control feature are only meant for certain use scenarios. Unless you have a unique need for the advanced options, use the suggested settings.

A setting called Signing behavior (in the console), or SigningBehavior, is part of Origin access control (in the API, CLI, and AWS CloudFormation). The following possibilities are available with this setting:

• Always Sign Requests For Origin: Use the Sign requests (recommended) setting in the console. With this configuration, CloudFront always signs all requests it sends to the origin of the S3 bucket.
• Never Sign Origin Requests: This option's name is Never sign requests using the API, CLI, or AWS CloudFormation, and Do not sign requests in the console. To disable origin access control for all sources in all distributions that employ it, use this parameter. When compared to eliminating an origin access restriction from each origin and distribution that uses it individually, can save time and effort. This setting prevents CloudFront from signing any requests it sends to the origin of the S3 bucket.
• You Shouldn't Alter the Viewer (Client) Authorization Header: This option's name does not override the authorization header in the COnsole. When you only want CloudFront to sign origin requests when the associated viewer request does not have an Authorization header, use this setting. With this setting, when an Authorization header is present in the viewer request, CloudFront passes it on, but when one is not, it signs the origin request and adds its own Authorization header.