Profile Applicability:

Level 1

Description:

Amazon CloudFront is a content delivery network (CDN) that can distribute content from various origins, including Amazon S3 buckets. Origin Access Control (OAC) lets CloudFront sign its requests to an S3 origin with AWS Signature Version 4, so the bucket policy can grant read access to the CloudFront service principal, scoped to one specific distribution, and deny everyone else. When a CloudFront distribution uses an S3 origin, enabling OAC together with such a bucket policy ensures that CloudFront is the only allowed path to the content, preventing direct access to the bucket from the public internet. OAC is the successor to the legacy Origin Access Identity (OAI) and is the mechanism AWS recommends for new and existing distributions.

Rationale:

Using Origin Access Control (OAC) with CloudFront distributions helps secure your S3 buckets by ensuring that only CloudFront can access the content. Combined with a bucket policy that grants access only to the distribution (and with S3 Block Public Access left on), this prevents direct public access to the S3 bucket, thereby reducing the risk of unauthorized access, data breaches, and misuse of resources such as unmetered egress from the bucket. It is a best practice to enable OAC for all CloudFront distributions that serve content from S3 to enforce strict security controls.

Impact:

Pros:

  • Enhances security by ensuring that only CloudFront can access the S3 bucket.

  • Prevents direct public access to the S3 bucket.

  • Simplifies access control and prevents unauthorized resource consumption.

Cons:

  • Requires additional configuration in CloudFront and S3.

  • Misconfigurations (for example, enabling OAC before the bucket policy grants the distribution access) result in 403 responses from CloudFront and broken content delivery.

Default Value:

By default, CloudFront distributions do not use Origin Access Control (OAC) for S3 origins. An OAC must be created and attached explicitly when configuring or updating the distribution, and the S3 bucket policy must be updated to trust it.


Pre-requisite:

  • AWS IAM permissions:

    • cloudfront:ListDistributions

    • cloudfront:GetDistributionConfig

    • cloudfront:UpdateDistribution

    • cloudfront:CreateOriginAccessControl (only if an OAC does not already exist)

    • s3:GetBucketPolicy

    • s3:PutBucketPolicy

  • AWS CLI installed and configured.

  • Basic understanding of CloudFront distributions, S3 buckets, and Origin Access Control.

Test Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to CloudFront under Services.

  3. In the left-hand navigation panel, select Distributions.

  4. Find and select the CloudFront distribution with an S3 origin.

  5. Under the Origins tab, select the S3 origin and check its Origin access setting.

    • If OAC is enabled, Origin access shows Origin access control settings with the selected OAC.

    • If OAC is not enabled, Origin access shows Public (no restriction) or Legacy access identities (OAI).

  6. To enable OAC, edit the origin, choose Origin access control settings, select or create an OAC, and save the changes. The console then displays the bucket policy statement that grants the distribution access; add it to the S3 bucket policy, otherwise CloudFront will receive 403 responses from the bucket.

Using AWS CLI:

To list CloudFront distributions and check their S3 origins, use the following command:

aws cloudfront list-distributions --query 'DistributionList.Items[*].{ID:Id,Origins:Origins.Items[*].DomainName}' --output table

For each CloudFront distribution, check whether each S3 origin is using Origin Access Control by describing the distribution (the origin field is OriginAccessControlId; the legacy OAI lives under S3OriginConfig):

aws cloudfront get-distribution-config --id <distribution-id> --query 'DistributionConfig.Origins.Items[*].{DomainName:DomainName,OriginAccessControlId:OriginAccessControlId,OriginAccessIdentity:S3OriginConfig.OriginAccessIdentity}' --output table

  • If OriginAccessControlId is empty (shown as None in table output) for an S3 origin, OAC is not enabled. A non-empty OriginAccessIdentity means the legacy OAI mechanism is in use; an S3 origin with both fields empty can only be served if the bucket itself is publicly readable.

To enable Origin Access Control (OAC) for the distribution's S3 origin, run:

aws cloudfront update-distribution --id <distribution-id> --if-match <etag> --distribution-config file://distribution-config.json

  • The distribution-config.json must contain the complete DistributionConfig object returned by get-distribution-config, with OriginAccessControlId set on the S3 origin; <etag> is the ETag from that same response, which update-distribution requires via --if-match.
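The check above can be automated over the JSON that get-distribution-config returns. The following Python script is an added example, not part of the original page or of any AWS tooling: it classifies every origin as OAC, legacy OAI, public, S3 website endpoint (which cannot use OAC at all) or non-S3 custom origin, and reports the S3 origins that fail the check. The embedded sample response is constructed and all identifiers are placeholders.

```python
import json
import re
import sys

# S3 REST endpoints (global or regional) can sit behind OAC.  S3 *website*
# endpoints (bucket.s3-website-<region>.amazonaws.com) are plain-HTTP custom
# origins, cannot use OAC and must be public, so they are reported separately.
S3_WEBSITE_RE = re.compile(r"^[a-z0-9.-]+\.s3-website[.-][a-z0-9-]+\.amazonaws\.com$")
S3_REST_RE = re.compile(r"^[a-z0-9.-]+\.s3([.-][a-z0-9-]+)?\.amazonaws\.com$")

# Constructed sample in the shape returned by
#   aws cloudfront get-distribution-config --id <distribution-id>
# Identifiers are placeholders, not real resources.
SAMPLE_RESPONSE = {
    "ETag": "E2QWRUHAPOMQZL",
    "DistributionConfig": {
        "Origins": {
            "Quantity": 4,
            "Items": [
                {"Id": "assets", "DomainName": "assets.s3.eu-west-1.amazonaws.com",
                 "OriginAccessControlId": "E1OACEXAMPLE",
                 "S3OriginConfig": {"OriginAccessIdentity": ""}},
                {"Id": "legacy", "DomainName": "legacy.s3.amazonaws.com",
                 "OriginAccessControlId": "",
                 "S3OriginConfig": {"OriginAccessIdentity": "origin-access-identity/cloudfront/E2OAIEXAMPLE"}},
                {"Id": "downloads", "DomainName": "downloads.s3.us-east-1.amazonaws.com",
                 "OriginAccessControlId": "",
                 "S3OriginConfig": {"OriginAccessIdentity": ""}},
                {"Id": "api", "DomainName": "api.example.com",
                 "CustomOriginConfig": {"OriginProtocolPolicy": "https-only"}},
            ],
        }
    },
}


def classify_origin(origin):
    """Return one of: oac, oai, public, s3-website, custom."""
    domain = origin.get("DomainName", "")
    if S3_WEBSITE_RE.match(domain):
        return "s3-website"
    if "S3OriginConfig" not in origin and not S3_REST_RE.match(domain):
        return "custom"          # non-S3 origin: OAC does not apply
    if origin.get("OriginAccessControlId"):
        return "oac"
    if origin.get("S3OriginConfig", {}).get("OriginAccessIdentity"):
        return "oai"             # legacy mechanism; still blocks direct reads
    return "public"              # CloudFront can only fetch if the bucket is public


def audit_distribution(dist_id, response):
    """Return a finding for every S3 origin that is not protected by OAC."""
    findings = []
    for origin in response["DistributionConfig"]["Origins"]["Items"]:
        status = classify_origin(origin)
        if status in ("oai", "public", "s3-website"):
            findings.append({"distribution": dist_id, "origin": origin["Id"],
                             "domain": origin["DomainName"], "status": status})
    return findings


if __name__ == "__main__":
    # Usage: aws cloudfront get-distribution-config --id <id> | python audit_oac.py <id>
    dist_id = sys.argv[1] if len(sys.argv) > 1 else "sample"
    data = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE_RESPONSE
    print(json.dumps(audit_distribution(dist_id, data), indent=2))
```

Run it once per distribution Id from the list-distributions output; an empty findings list means every S3 origin of that distribution is behind OAC. A legacy OAI origin is reported as a finding because the benchmark asks for OAC, even though OAI also blocks direct bucket reads.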

Implementation Steps:

Using AWS Console:

  1. Sign in to the AWS Management Console and navigate to CloudFront.

  2. In the Distributions section, select the desired CloudFront distribution with an S3 origin.

  3. Click on Origins, select the S3 origin, and click Edit.

  4. Under Origin access, choose Origin access control settings and select an existing OAC or create a new one.

  5. Save the changes, then copy the bucket policy statement that the console displays and add it to the S3 bucket policy so that only this distribution can read the bucket.

Using AWS CLI:

To enable Origin Access Control (OAC) for a CloudFront distribution with the CLI, first create an OAC resource if one does not already exist (list existing ones with aws cloudfront list-origin-access-controls):

aws cloudfront create-origin-access-control --origin-access-control-config Name=<oac-name>,SigningProtocol=sigv4,SigningBehavior=always,OriginAccessControlOriginType=s3

Retrieve the current configuration with get-distribution-config, note the ETag in the response, and save the DistributionConfig object to distribution-config.json. Set OriginAccessControlId on the S3 origin to the Id of the OAC and leave the legacy OriginAccessIdentity field empty. Only the Origins portion is shown below; the file must contain the complete DistributionConfig, because update-distribution replaces the whole configuration:

{
  "CallerReference": "unique-reference-id",
  "Comment": "Updated Distribution Config",
  "Origins": {
    "Quantity": 1,
    "Items": [
      {
        "Id": "S3-Origin-ID",
        "DomainName": "example-bucket.s3.amazonaws.com",
        "OriginAccessControlId": "<oac-id>",
        "S3OriginConfig": {
          "OriginAccessIdentity": ""
        }
      }
    ]
  }
}

Run the following command to update the distribution, passing the ETag returned by get-distribution-config:

aws cloudfront update-distribution --id <distribution-id> --if-match <etag> --distribution-config file://distribution-config.json

Then update the bucket policy so that only the CloudFront service principal, restricted to this distribution's ARN, can read objects (see the Note below), and verify that OAC is enabled:

aws cloudfront get-distribution-config --id <distribution-id> --query 'DistributionConfig.Origins.Items[*].{DomainName:DomainName,OriginAccessControlId:OriginAccessControlId}' --output table
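The two artifacts the CLI procedure needs, the edited distribution configuration and the bucket policy, are easy to get subtly wrong by hand (a stale ETag, a leftover OAI, or a bucket policy that trusts cloudfront.amazonaws.com without pinning it to one distribution). The following Python helper is an added example, not part of the original page or of the AWS CLI: it takes the raw get-distribution-config response, attaches an OAC to every S3 origin while clearing the legacy OAI, and builds the bucket policy with the SourceArn condition that limits access to a single distribution. The sample response is constructed and the OAC Id, account Id and distribution Id are placeholders.

```python
import copy
import json

# Constructed sample response from `aws cloudfront get-distribution-config`;
# identifiers are placeholders.  Only the fields this example touches are shown,
# but a real response carries the complete DistributionConfig, which must be
# sent back whole to update-distribution.
SAMPLE_RESPONSE = {
    "ETag": "E2QWRUHAPOMQZL",
    "DistributionConfig": {
        "CallerReference": "unique-reference-id",
        "Comment": "Updated Distribution Config",
        "Origins": {
            "Quantity": 2,
            "Items": [
                {"Id": "S3-Origin-ID", "DomainName": "example-bucket.s3.amazonaws.com",
                 "OriginAccessControlId": "",
                 "S3OriginConfig": {"OriginAccessIdentity": "origin-access-identity/cloudfront/E2OAIEXAMPLE"}},
                {"Id": "api", "DomainName": "api.example.com",
                 "CustomOriginConfig": {"OriginProtocolPolicy": "https-only"}},
            ],
        },
    },
}


def prepare_update(response, oac_id, origin_ids=None):
    """Return (etag, config) ready for update-distribution: the OAC set on every
    S3 origin (or only those listed in origin_ids), the legacy OAI cleared so the
    bucket policy only has to trust the OAC signing principal, and the ETag that
    --if-match requires.  The input response is not modified."""
    config = copy.deepcopy(response["DistributionConfig"])
    for origin in config["Origins"]["Items"]:
        if "S3OriginConfig" not in origin:
            continue                         # custom origin: OAC does not apply
        if origin_ids is not None and origin["Id"] not in origin_ids:
            continue
        origin["OriginAccessControlId"] = oac_id
        origin["S3OriginConfig"]["OriginAccessIdentity"] = ""
    return response["ETag"], config


def oac_bucket_policy(bucket, distribution_arn):
    """Bucket policy that lets only the named distribution read objects.  The
    AWS:SourceArn condition is what scopes the grant: without it, any OAC-enabled
    distribution in any AWS account that points at this bucket would be allowed."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowCloudFrontServicePrincipalReadOnly",
            "Effect": "Allow",
            "Principal": {"Service": "cloudfront.amazonaws.com"},
            "Action": "s3:GetObject",
            "Resource": f"arn:aws:s3:::{bucket}/*",
            "Condition": {"StringEquals": {"AWS:SourceArn": distribution_arn}},
        }],
    }


if __name__ == "__main__":
    # Writes the two files the CLI steps consume and prints the commands to run.
    etag, config = prepare_update(SAMPLE_RESPONSE, "<oac-id>")
    with open("distribution-config.json", "w") as fh:
        json.dump(config, fh, indent=2)
    policy = oac_bucket_policy(
        "example-bucket", "arn:aws:cloudfront::111122223333:distribution/<distribution-id>")
    with open("bucket-policy.json", "w") as fh:
        json.dump(policy, fh, indent=2)
    print(f"aws cloudfront update-distribution --id <distribution-id> --if-match {etag} "
          "--distribution-config file://distribution-config.json")
    print("aws s3api put-bucket-policy --bucket example-bucket --policy file://bucket-policy.json")
```

Apply the bucket policy before, or immediately after, the distribution update: an Allow statement for a distribution that is not yet using OAC is harmless, whereas a distribution already signing with OAC against a bucket that does not trust it returns 403s until the policy lands. Keep S3 Block Public Access enabled on the bucket; the policy above is the only grant the bucket needs for CloudFront.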


Backout Plan:

Using AWS Management Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to Amazon CloudFront > Distributions.

  3. Select the distribution where OAC was enabled.

  4. Under the Origins tab, locate the S3 origin associated with the OAC.

  5. Edit the origin settings and remove the OAC configuration:

    • Revert to using Origin Access Identity (OAI) or allow public access (if applicable).

  6. Update the S3 bucket policy to remove the statement granted to the OAC, but only after the distribution change has finished deploying; removing the grant first leaves the still-OAC-signed requests failing with 403 until the rollback propagates.

  7. Save the changes and confirm the distribution is functioning as expected.

Using AWS CLI:

Retrieve the current configuration of the CloudFront distribution and note the ETag in the response:

aws cloudfront get-distribution-config --id <distribution-id>

Update the distribution to remove the OAC configuration (clear OriginAccessControlId on the S3 origin in the saved configuration file, restoring an OAI or leaving the origin public as applicable):

aws cloudfront update-distribution --id <distribution-id> --if-match <etag> --distribution-config file://<updated-config-file>

Once the distribution has deployed, update the S3 bucket policy to remove the statement that grants cloudfront.amazonaws.com access for this distribution:

aws s3api put-bucket-policy --bucket <bucket-name> --policy file://<updated-policy-file>

Verify the changes:

aws cloudfront get-distribution-config --id <distribution-id> --query 'DistributionConfig.Origins.Items[*].{DomainName:DomainName,OriginAccessControlId:OriginAccessControlId}' --output table

Note (Optional):

Enabling OAC on the distribution is only half of the control: the S3 bucket policy must grant s3:GetObject to the cloudfront.amazonaws.com service principal with a StringEquals condition on AWS:SourceArn matching this distribution's ARN, and grant nothing to anonymous or other principals. Leave S3 Block Public Access enabled on the bucket. Without the SourceArn condition, any OAC-enabled distribution in any account could read the bucket; without the restrictive policy, direct access to the bucket from external sources is not denied regardless of the OAC setting.

References:

CIS Controls Mapping:

  Version | Control ID | Control Description                                                                                                             | IG1 | IG2 | IG3
  --------|------------|---------------------------------------------------------------------------------------------------------------------------------|-----|-----|----
  v8      | 3.4        | Encrypt Data on End-User Devices – Ensure data encryption during file system access.                                            |     |     |
  v8      | 6.7        | Implement Application Layer Filtering and Content Control – Ensure appropriate content filtering is applied to sensitive files. |     |     |
  v8      | 6.8        | Define and Maintain Role-Based Access Control – Implement and manage role-based access for file systems.                        |     |     |
  v8      | 14.6       | Protect Information Through Access Control Lists – Apply strict access control to file systems.                                 |     |     |