Description:

An Origin Access Identity (OAI) is used for sharing private content via CloudFront. The OAI is a virtual user identity that will be used to give your CloudFront distribution permission to fetch a private object from your origin server (e.g. S3 bucket).


Rationale:

 In general, if you’re using an Amazon S3 bucket as the origin for a CloudFront distribution, you can either allow everyone to have access to the files there, or you can restrict access. If you restrict access by using, for example, CloudFront signed URLs or signed cookies, you also won’t want people to be able to view files by simply using the direct Amazon S3 URL for the file. Instead, you want them to only access the files by using the CloudFront URL, so your protections work.


Impact:

Your CloudFront OAI can access files in the bucket on behalf of viewers who are requesting them through CloudFront. Viewers can't use Amazon S3 URLs to access your files outside of CloudFront.


Default Value:

When a CloudFront distribution is created, its S3 origin allows public access by default, i.e., Origin Access Identity is set to Disabled (no OAI is used).

Pre-Requisite:

Ensure that the Amazon S3 origin of your CloudFront distribution is configured as a REST API endpoint. This recommendation does not apply to S3 origins that are configured as a website endpoint.

Remediation:

Test Plan:

Using AWS Console

  1. Login to the AWS Management Console

  2. Go to CloudFront service at https://console.aws.amazon.com/cloudfront/

  3. Select Distributions in the left navigation pane

  4. Select the CDN distribution that you want to examine and click on its ID.

  5. On the Origins tab, select the entry whose Origin Type is the desired S3 origin, then look for Origin Access Identity in the details.

  6. If the field is empty, Origin Access Identity is Not Enabled.


Using AWS CLI:

  1. List the distributions:

    aws cloudfront list-distributions

  2. Get the configuration of a distribution by its ID (replace the example ID with your own):

    aws cloudfront get-distribution-config \
        --id E7GGTQ8UCFC4G \
        --query 'DistributionConfig.Origins.Items[*].S3OriginConfig.OriginAccessIdentity'


Look for OriginAccessIdentity in the output.

If the OriginAccessIdentity element is present but empty, viewers can access objects using either the CloudFront URL or the Amazon S3 URL.
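The same check can be run offline against saved get-distribution-config output. The following is an added example, not part of the original page or of AWS tooling; the distribution JSON is a constructed sample with made-up IDs and domain names. It also separates custom origins (for which the page's --query prints null, because website-endpoint origins have no S3OriginConfig) from S3 REST origins that actually lack an OAI:

```python
import json

# Constructed sample shaped like `aws cloudfront get-distribution-config` output,
# trimmed to the fields this check needs. IDs and domain names are made up.
SAMPLE_DIST_CONFIG = json.loads("""
{
  "ETag": "EXAMPLEETAG",
  "DistributionConfig": {
    "Origins": {
      "Items": [
        {"Id": "s3-private", "DomainName": "private-bucket.s3.amazonaws.com",
         "S3OriginConfig": {"OriginAccessIdentity": "origin-access-identity/cloudfront/E74FTE3AEXAMPLE"}},
        {"Id": "s3-public", "DomainName": "public-bucket.s3.amazonaws.com",
         "S3OriginConfig": {"OriginAccessIdentity": ""}},
        {"Id": "s3-website", "DomainName": "site-bucket.s3-website-us-east-1.amazonaws.com",
         "CustomOriginConfig": {"OriginProtocolPolicy": "http-only"}}
      ]
    }
  }
}
""")

def audit_origins(dist_config):
    """Classify every origin of one distribution.

    Returns a list of (origin_id, status) where status is:
      'oai-enabled'     REST S3 origin with a non-empty OriginAccessIdentity
      'oai-missing'     REST S3 origin whose OriginAccessIdentity is empty (finding)
      'not-applicable'  custom origin, including S3 website endpoints, where OAI cannot be used
    """
    results = []
    for origin in dist_config["DistributionConfig"]["Origins"]["Items"]:
        s3cfg = origin.get("S3OriginConfig")
        if s3cfg is None:
            results.append((origin["Id"], "not-applicable"))
        elif s3cfg.get("OriginAccessIdentity", "").strip():
            results.append((origin["Id"], "oai-enabled"))
        else:
            results.append((origin["Id"], "oai-missing"))
    return results

def findings(dist_config):
    """Origin IDs that fail the check (S3 REST origins reachable without an OAI)."""
    return [oid for oid, status in audit_origins(dist_config) if status == "oai-missing"]

if __name__ == "__main__":
    for oid, status in audit_origins(SAMPLE_DIST_CONFIG):
        print(f"{oid}: {status}")
```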


Implementation steps:

Using AWS Console

  1. Login to the AWS Management Console

  2. Go to CloudFront service at https://console.aws.amazon.com/cloudfront/ 

  3. On the Distributions page, select the CDN distribution that you want to modify and click on the ID.

  4. On the Origins tab, select the entry that has the Origin Type set to desired Origin.

  5. Click EDIT after choosing the desired origin.

  6. On the Origin Settings page, under S3 bucket access, select Yes use OAI (bucket can restrict access to only CloudFront).

  7. Select Create a New Identity option next to Origin Access Identity to create the necessary origin access identity for the origin.

  8. Select Yes, Update Bucket Policy for Grant Read Permissions on Bucket setting to automatically grant read permission to the new origin access identity associated with the distribution S3 origin.

  9. Save changes.


Using AWS CLI:

aws cloudfront update-cloud-front-origin-access-identity \
    --id E74FTE3AEXAMPLE \
    --if-match E2QWRUHEXAMPLE \
    --cloud-front-origin-access-identity-config \
        CallerReference=cli-example,Comment="Example OAI Updated"

You can accomplish the same thing by providing the OAI configuration in a JSON file, as shown in the following example:

aws cloudfront update-cloud-front-origin-access-identity \
    --id E74FTE3AEXAMPLE \
    --if-match E2QWRUHEXAMPLE \
    --cloud-front-origin-access-identity-config file://OAI-config.json

The file OAI-config.json is a JSON document in the current directory that contains the following:

{
    "CallerReference": "cli-example",
    "Comment": "Example OAI Updated"
}

Whether you provide the OAI configuration with a command line argument or a JSON file, the output is the same:

{
    "ETag": "E9LHASXEXAMPLE",
    "CloudFrontOriginAccessIdentity": {
        "Id": "E74FTE3AEXAMPLE",
        "S3CanonicalUserId": "cd13868f797c227fbea2830611a26fe0a21ba1b826ab4bed9b7771c9aEXAMPLE",
        "CloudFrontOriginAccessIdentityConfig": {
            "CallerReference": "cli-example",
            "Comment": "Example OAI Updated"
        }
    }
}
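Attaching the OAI to the distribution's S3 origins and granting it read access in the bucket policy can also be prepared offline. The following is an added example, not part of the original page or of AWS tooling; DIST_CONFIG and EXISTING_BUCKET_POLICY are constructed inputs with made-up names, and the OAI ID reuses the page's example value. The last function implements the Note below: it lists leftover public-read statements that CloudFront's bucket-policy update does not remove.

```python
import copy
# Constructed input: the DistributionConfig object returned by
# `aws cloudfront get-distribution-config` (made-up origin IDs and domain names).
DIST_CONFIG = {"Origins": {"Items": [
    {"Id": "s3-assets", "DomainName": "assets-bucket.s3.amazonaws.com",
     "S3OriginConfig": {"OriginAccessIdentity": ""}},
    {"Id": "api", "DomainName": "api.example.com",
     "CustomOriginConfig": {"OriginProtocolPolicy": "https-only"}},
]}}

# Constructed example of a bucket policy as it might look before remediation.
EXISTING_BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::assets-bucket/*"},
]}

def attach_oai(dist_config, oai_id):
    """Copy of DistributionConfig with the OAI attached to every REST S3 origin.
    CloudFront expects the value as 'origin-access-identity/cloudfront/<OAI id>';
    custom origins (including S3 website endpoints) are left untouched."""
    cfg = copy.deepcopy(dist_config)
    for origin in cfg["Origins"]["Items"]:
        if "S3OriginConfig" in origin:
            origin["S3OriginConfig"]["OriginAccessIdentity"] = (
                f"origin-access-identity/cloudfront/{oai_id}")
    return cfg

def oai_bucket_policy(bucket, oai_id):
    """Bucket policy that lets only the OAI read objects, using the OAI's IAM ARN
    (the same grant the console's 'Yes, Update Bucket Policy' option writes)."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "AllowCloudFrontOAIRead", "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity {oai_id}"},
        "Action": "s3:GetObject", "Resource": f"arn:aws:s3:::{bucket}/*"}]}

def public_read_statements(policy):
    """Sids of Allow statements that still grant object reads to everyone.
    CloudFront does not remove these when it updates the bucket policy, so a
    direct S3 URL keeps working until they are deleted by hand."""
    hits = []
    for st in policy.get("Statement", []):
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        principal = st.get("Principal")
        anyone = principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*")
        reads = any(a in ("s3:GetObject", "s3:*", "*") for a in actions)
        if st.get("Effect") == "Allow" and anyone and reads:
            hits.append(st.get("Sid", "<no Sid>"))
    return hits
```

To apply the result, write the returned DistributionConfig to a file and run aws cloudfront update-distribution --id <distribution ID> --if-match <ETag from get-distribution-config> --distribution-config file://dist-config.json, then install the policy with aws s3api put-bucket-policy --bucket <bucket> --policy file://policy.json.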


Backout Plan:

  1. From the Origins tab of the selected distribution, choose the origin that you want to modify and click EDIT

  2. Under S3 bucket access, choose Don’t use OAI and save changes.



Note:

When AWS CloudFront updates the origin bucket policy, it adds the OAI grant but does not remove existing permissions. If your application's users can currently access objects in the origin S3 bucket through S3 URLs, you must remove those existing bucket permissions yourself.


Reference:

Restricting access to Amazon S3 content by using an origin access identity (OAI) - Amazon CloudFront 

cloudfront — AWS CLI 1.20.48 Command Reference 

update-cloud-front-origin-access-identity — AWS CLI 1.20.50 Command Reference