Public S3 CloudFront Origin

Detects the use of an S3 bucket as a CloudFront origin without an origin access identity

When an S3 bucket is used as an origin for a CloudFront distribution, the bucket contents should be kept private and an origin access identity should grant CloudFront access. This prevents someone from bypassing the caching benefits that CloudFront provides, repeatedly loading objects directly from S3, and amassing a large access bill.

Follow the appropriate remediation steps below to resolve the issue.

  1. Log into the AWS Management Console.

  2. Select the “Services” option and search for CloudFront.

  3. Select the “CloudFront Distribution” that needs to be verified.

  4. Click the “Distribution Settings” button from the menu to get into the “CloudFront Distribution” configuration page.

  5. Click the “Origins and Origin Groups” button from the top menu to get into the “Origins” configuration page and select the “Origin” which needs to be verified.

  6. Click the “Edit” button from the “Origins” tab on the menu.

  7. On the Origin Settings, verify “Restrict Bucket Access”. If Restrict Bucket Access is set to No, then access to the S3 bucket used as the origin is not secured.

  8. On “Restrict Bucket Access” choose “Yes” so that users are always required to access your Amazon S3 content using CloudFront URLs, not Amazon S3 URLs.

  9. On “Origin Access Identity” choose “Create a New Identity”, or if you already have an origin access identity, click “Use an Existing Identity”. Enter a comment that can be used to identify the new origin access identity.

  10. Click “Yes, Update Bucket Policy” on “Grant Read Permissions on Bucket” so that CloudFront updates the bucket permissions to grant the specified origin access identity permission to read files in your bucket.

  11. Click the “Yes, Edit” button to save the changes.

  12. Navigate to the “S3 bucket dashboard” and choose the S3 bucket used as the origin to verify the “Permissions” on the S3 bucket.

  13. Click the “Permissions” tab from the menu to get into the “Public access settings” for the bucket.

  14. Click the “Edit” button and scroll down to “Manage public access control lists” and “Manage public bucket policies” to verify the “Permissions”. Select the “Permissions” and click “Save” to make the contents of the S3 bucket private.

  15. Repeat steps 6 and 7 to verify the origin access identity for CloudFront.
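As an added example (not code from the original page), the check this rule performs, written in Python against a distribution configuration: it flags every S3 origin whose `S3OriginConfig` carries no origin access identity. The dictionary is constructed to mirror the shape of boto3's `get_distribution_config(Id=...)["DistributionConfig"]` response (an assumption about the layout; the values are invented), and, going one step beyond the page's OAI-only wording, an origin that uses the newer origin access control (`OriginAccessControlId`) is also treated as restricted.

```python
"""Flag CloudFront S3 origins that are not restricted with an origin access identity."""
from typing import Any, Dict, List

# Constructed sample mirroring the shape of boto3's
# cloudfront.get_distribution_config(Id=...)["DistributionConfig"]
# (an assumption about the response layout; names and values are invented).
SAMPLE_DISTRIBUTION_CONFIG: Dict[str, Any] = {
    "Origins": {
        "Quantity": 3,
        "Items": [
            {   # S3 origin with an empty OAI: objects can be fetched from S3 directly
                "Id": "assets-unrestricted",
                "DomainName": "example-assets.s3.amazonaws.com",
                "S3OriginConfig": {"OriginAccessIdentity": ""},
            },
            {   # S3 origin locked to CloudFront through an OAI (the remediated state)
                "Id": "assets-oai",
                "DomainName": "example-private.s3.amazonaws.com",
                "S3OriginConfig": {"OriginAccessIdentity": "origin-access-identity/cloudfront/EXAMPLEOAIID"},
            },
            {   # Non-S3 origin: the rule does not apply
                "Id": "api-backend",
                "DomainName": "api.example.com",
                "CustomOriginConfig": {"OriginProtocolPolicy": "https-only"},
            },
        ],
    }
}


def is_s3_origin(origin: Dict[str, Any]) -> bool:
    """True for a bucket (REST endpoint) origin. A bucket configured as an S3
    website endpoint appears as CustomOriginConfig and cannot use an OAI."""
    return "S3OriginConfig" in origin


def is_restricted(origin: Dict[str, Any]) -> bool:
    """An S3 origin counts as restricted when it names an OAI or, beyond the
    page's wording, when an origin access control is attached instead."""
    oai = origin.get("S3OriginConfig", {}).get("OriginAccessIdentity", "")
    oac = origin.get("OriginAccessControlId", "")
    return bool(oai.strip() or oac.strip())


def unrestricted_s3_origins(config: Dict[str, Any]) -> List[str]:
    """Return the Ids of S3 origins that lack both an OAI and an OAC."""
    items = config.get("Origins", {}).get("Items", [])
    return [o["Id"] for o in items if is_s3_origin(o) and not is_restricted(o)]


if __name__ == "__main__":
    for origin_id in unrestricted_s3_origins(SAMPLE_DISTRIBUTION_CONFIG):
        print(f"FAIL: origin {origin_id!r} uses S3 without an origin access identity")
```

Passing the live `DistributionConfig` dictionary for each distribution returned by `list_distributions` instead of the sample reproduces the page's detection across an account.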