3 votes

I want to temporarily restrict users from being able to access my static website hosted in S3, which sits behind a CloudFront distribution.

Is this possible, and if so, what methods could I use to implement this?

I've been able to restrict specific access to my S3 bucket by using a condition in the bucket policy which looks something like this:

{
  "Version": "2012-10-17",
  "Statement": [
      {
          "Sid": "VisualEditor0",
          "Effect": "Allow",
          "Principal": {
              "AWS": "*"
          },
          "Action": "s3:GetObject",
          "Resource": "arn:aws:s3:::my-bucket/*",
          "Condition": {
              "IpAddress": {
                  "aws:SourceIp": "12.34.56.73/32"
              }
          }
      }
  ]
}

This works and restricts my S3 bucket to my IP; however, this means that the CloudFront URL gets a 403 Forbidden: Access Denied.

When reading the AWS docs, they suggest that to restrict specific access to S3 resources you should use an Origin Access Identity. However, they specify the following:

If you don't see the Restrict Bucket Access option, your Amazon S3 origin might be configured as a website endpoint. In that configuration, S3 buckets must be set up with CloudFront as custom origins and you can't use an origin access identity with them.

This suggests to me that I can't use it in this instance. Ideally I'd like to force my distribution or bucket policy to use a specific security group and control it that way, so I can easily add/remove approved IPs.

2
Do you want to just restrict them from accessing S3 directly, or both S3 and CloudFront? - kichik
@kichik both ideally - gardni

2 Answers

5 votes

You can allow CloudFront IP addresses on CloudFront because the static website endpoint doesn't support Origin Access Identity. Here is the list of CloudFront IP addresses: http://d7uri8nf7uskq.cloudfront.net/tools/list-cloudfront-ips
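As an added example (editor's code, not part of the answer above), the following reads data in the shape of AWS's published ip-ranges.json, pulls out the CLOUDFRONT prefixes (IPv4 and IPv6), emits them as the aws:SourceIp list of a bucket policy, and checks whether a given address would fall inside that list. The JSON embedded below is a constructed sample with illustrative CIDRs, not the live ranges; the real input is https://ip-ranges.amazonaws.com/ip-ranges.json. The function names and the bucket name are assumptions made for the example.

```python
import ipaddress
import json

# Constructed sample in the shape of ip-ranges.json: the CIDRs are illustrative.
# Note the same IPv4 prefix listed under both AMAZON and CLOUDFRONT, as the real
# file does, and a CloudFront IPv6 prefix under the separate ipv6_prefixes key.
SAMPLE_IP_RANGES = json.dumps({
    "syncToken": "0000000000",
    "createDate": "2000-01-01-00-00-00",
    "prefixes": [
        {"ip_prefix": "13.32.0.0/15", "region": "GLOBAL", "service": "AMAZON"},
        {"ip_prefix": "13.32.0.0/15", "region": "GLOBAL", "service": "CLOUDFRONT"},
        {"ip_prefix": "52.94.0.0/22", "region": "us-east-1", "service": "AMAZON"},
        {"ip_prefix": "205.251.249.0/24", "region": "GLOBAL", "service": "CLOUDFRONT"},
    ],
    "ipv6_prefixes": [
        {"ipv6_prefix": "2600:9000::/28", "region": "GLOBAL", "service": "CLOUDFRONT"},
    ],
})


def cloudfront_cidrs(ip_ranges_json: str) -> list:
    """Sorted, de-duplicated CloudFront prefixes (IPv4 and IPv6) from ip-ranges.json."""
    data = json.loads(ip_ranges_json)
    cidrs = {p["ip_prefix"] for p in data.get("prefixes", [])
             if p["service"] == "CLOUDFRONT"}
    cidrs |= {p["ipv6_prefix"] for p in data.get("ipv6_prefixes", [])
              if p["service"] == "CLOUDFRONT"}
    return sorted(cidrs)


def cloudfront_bucket_policy(bucket: str, cidrs: list) -> dict:
    """Bucket policy that allows anonymous GetObject only from the given CIDRs.

    aws:SourceIp accepts a list of CIDRs; the values are OR-ed by IAM."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowGetObjectFromCloudFrontEdges",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": f"arn:aws:s3:::{bucket}/*",
            "Condition": {"IpAddress": {"aws:SourceIp": cidrs}},
        }],
    }


def is_allowed_source(ip: str, cidrs: list) -> bool:
    """Would the IpAddress condition match for a request arriving from `ip`?"""
    addr = ipaddress.ip_address(ip)
    nets = [ipaddress.ip_network(c, strict=False) for c in cidrs]
    return any(addr in net for net in nets if net.version == addr.version)


if __name__ == "__main__":
    cidrs = cloudfront_cidrs(SAMPLE_IP_RANGES)
    print(json.dumps(cloudfront_bucket_policy("my-bucket", cidrs), indent=2))
    for probe in ("13.33.4.5", "52.94.1.1", "2600:9000:1::1"):
        print(probe, "->", "matches" if is_allowed_source(probe, cidrs) else "no match")
```

Two properties of this policy are worth stating plainly: the address S3 sees is the CloudFront edge's, not the viewer's, so the bucket policy no longer limits which viewers can read through the distribution, and it admits reads from any CloudFront distribution that points at the bucket's website endpoint, not only yours. The ranges also change over time, so the list has to be regenerated from the published file whenever AWS updates it.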

2 votes

This link also explains how you can limit access via Referer headers: https://aws.amazon.com/premiumsupport/knowledge-center/cloudfront-serve-static-website/

You can tell CloudFront to add a header to every request and then modify your S3 bucket policy to require that header.

E.g.

{
  "Version":"2012-10-17",
  "Id":"http referer policy example",
  "Statement":[
    {
      "Sid":"Allow get requests originating from www.example.com and example.com.",
      "Effect":"Allow",
      "Principal":"*",
      "Action":"s3:GetObject",
      "Resource":"arn:aws:s3:::examplebucket/*",
      "Condition":{
        "StringLike":{"aws:Referer":"mysecretvalue"}
      }
    }
  ]
}
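Added example (editor's code, not from the question or from this answer) covering both the question's IP-only policy and the Referer-secret policy shown in this answer. It builds the two bucket-policy variants, the question's single Allow on aws:SourceIp and the same policy with this answer's aws:Referer Allow added, then evaluates sample anonymous GetObject requests against them with a small local model of S3's decision for the IpAddress, StringEquals and StringLike operators: an explicit Deny wins, any matching Allow grants, and otherwise the request is denied, which is the 403 Access Denied the question describes. The edge address 13.33.4.5, the stranger address 198.51.100.7, the object name and the function names are constructed for the example; only 12.34.56.73 and mysecretvalue come from the page.

```python
import ipaddress
from fnmatch import fnmatchcase


def make_policy(bucket, allowed_cidrs, origin_secret=None):
    """Allow s3:GetObject directly from allowed_cidrs and, if origin_secret is
    given, from any request whose Referer header carries that secret (the
    custom origin header CloudFront is configured to add)."""
    resource = f"arn:aws:s3:::{bucket}/*"
    statements = [{
        "Sid": "AllowDirectFromApprovedIps",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": resource,
        "Condition": {"IpAddress": {"aws:SourceIp": list(allowed_cidrs)}},
    }]
    if origin_secret is not None:
        statements.append({
            "Sid": "AllowViaCloudFrontSecretHeader",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": resource,
            "Condition": {"StringEquals": {"aws:Referer": origin_secret}},
        })
    return {"Version": "2012-10-17", "Statement": statements}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_matches(operator, expected, actual):
    """One condition key: the listed values are OR-ed; an absent key never matches."""
    if actual is None:
        return False
    if operator == "IpAddress":
        addr = ipaddress.ip_address(actual)
        nets = [ipaddress.ip_network(c, strict=False) for c in expected]
        return any(addr in net for net in nets if net.version == addr.version)
    if operator == "StringEquals":
        return actual in expected
    if operator == "StringLike":
        return any(fnmatchcase(actual, pattern) for pattern in expected)
    raise NotImplementedError(f"operator {operator} is not modelled here")


def evaluate(policy, action, resource, context):
    """Decision for an anonymous request: explicit Deny wins, otherwise a matching
    Allow grants, otherwise deny (S3 answers 403 AccessDenied).
    `context` maps condition keys (aws:SourceIp, aws:Referer) to request values."""
    decision = "deny"
    for statement in policy["Statement"]:
        if not any(fnmatchcase(action, a) for a in _as_list(statement["Action"])):
            continue
        if not any(fnmatchcase(resource, r) for r in _as_list(statement["Resource"])):
            continue
        # Operators and keys are AND-ed; the values under one key are OR-ed.
        conditions = statement.get("Condition", {})
        if not all(_condition_matches(op, _as_list(vals), context.get(key))
                   for op, keys in conditions.items()
                   for key, vals in keys.items()):
            continue
        if statement["Effect"] == "Deny":
            return "deny"
        decision = "allow"
    return decision


BUCKET = "my-bucket"
OBJECT_ARN = f"arn:aws:s3:::{BUCKET}/index.html"
MY_IP = "12.34.56.73"         # the address in the question's policy
EDGE_IP = "13.33.4.5"         # constructed stand-in for a CloudFront edge address
STRANGER_IP = "198.51.100.7"  # constructed stand-in for any other viewer
SECRET = "mysecretvalue"      # the Referer value from the answer's policy

IP_ONLY = make_policy(BUCKET, [f"{MY_IP}/32"])           # the question's policy
COMBINED = make_policy(BUCKET, [f"{MY_IP}/32"], SECRET)  # plus the answer's header check


def scenario_table():
    cases = {
        "direct from my IP, IP-only policy": (IP_ONLY, {"aws:SourceIp": MY_IP}),
        "via CloudFront, IP-only policy": (IP_ONLY, {"aws:SourceIp": EDGE_IP}),
        "direct from my IP, combined policy": (COMBINED, {"aws:SourceIp": MY_IP}),
        "via CloudFront with secret, combined": (COMBINED, {"aws:SourceIp": EDGE_IP, "aws:Referer": SECRET}),
        "stranger without secret, combined": (COMBINED, {"aws:SourceIp": STRANGER_IP}),
        "stranger who learned the secret": (COMBINED, {"aws:SourceIp": STRANGER_IP, "aws:Referer": SECRET}),
    }
    return {name: evaluate(policy, "s3:GetObject", OBJECT_ARN, ctx)
            for name, (policy, ctx) in cases.items()}


if __name__ == "__main__":
    for name, result in scenario_table().items():
        print(f"{name:40} -> {result}")
```

The second row reproduces the question's symptom (the edge's address is not in the list, so CloudFront gets denied), and the fourth shows the header check letting the distribution through while direct access stays limited to the listed IP. The last row is the caveat to keep in mind: the Referer value is a shared secret that any client can put in a request, so it must be treated like a credential (long, random, not a guessable word, and rotated), and it limits who can read the bucket, not who can reach the site through the CloudFront URL.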