Using AWS I am quite comfortable with the following scenario:
- Set up S3 bucket example.com as a static web site.
- Create a distribution of example.com on CloudFront.
- Use Route 53 and the certificate manager to allow browsing the S3 bucket content using HTTPS via CloudFront.

However, as you know, it would still be possible to directly access the web site under its alternate URL directly from the S3 bucket using HTTP. I would like to prevent users from directly accessing the S3 bucket URL.
Several tutorials on the web, including the CloudFront documentation, say that I need to create an Origin Access Identity (OAI) and restrict access to the S3 bucket only to the CloudFront distribution using that OAI. However this documentation also says that I can't use OAI with an S3 bucket set up as a static website endpoint.
So that leaves me with a couple of questions that aren't clear to me from the documentation:
- If I turn off static website access to my S3 bucket example.com, once I connect it to CloudFront using an OAI, will I still be able to access the S3 bucket content via CloudFront over HTTPS? That is, does CloudFront provide "static web site access" to my S3 bucket even though I've turned off static website hosting for the bucket?
- When configuring an S3 bucket for static web site hosting, S3 allows me to set up "routing rules" to redirect foo.html to bar.html for example. If I turn off static web site hosting for my S3 bucket, how do I set up redirects? Does CloudFront provide similar routing rules that I can configure, or is there another way to accomplish this?
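
The OAI restriction the tutorials describe, as an added example that is not part of the original question: it builds a bucket policy that grants read access only to one OAI and audits a policy for anonymous `Allow` statements. The OAI ID `EXAMPLEOAIID`, the sample public policy and the function names are constructed for illustration.

```python
import json

# Constructed sample: a public-read policy of the kind used when a bucket
# is served directly as a static website (anyone can GET objects).
PUBLIC_WEBSITE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example.com/*",
    }],
}

def oai_bucket_policy(bucket, oai_id):
    """Build a policy that lets only one CloudFront OAI read objects."""
    principal = ("arn:aws:iam::cloudfront:user/"
                 f"CloudFront Origin Access Identity {oai_id}")
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowCloudFrontOAIRead",
            "Effect": "Allow",
            "Principal": {"AWS": principal},
            "Action": "s3:GetObject",
            "Resource": f"arn:aws:s3:::{bucket}/*",
        }],
    }

def _as_list(value):
    return value if isinstance(value, list) else [value]

def public_allow_statements(policy):
    """Return Allow statements whose principal is anonymous ("*").
    Conservative: any Condition element is ignored, so it is still flagged."""
    hits = []
    for stmt in _as_list(policy.get("Statement", [])):
        principal = stmt.get("Principal")
        aws = principal.get("AWS", []) if isinstance(principal, dict) else []
        if stmt.get("Effect") == "Allow" and (principal == "*" or "*" in _as_list(aws)):
            hits.append(stmt)
    return hits

if __name__ == "__main__":
    policy = oai_bucket_policy("example.com", "EXAMPLEOAIID")  # placeholder OAI ID
    print(json.dumps(policy, indent=2))
    print("public statements before:", len(public_allow_statements(PUBLIC_WEBSITE_POLICY)))
    print("public statements after: ", len(public_allow_statements(policy)))
```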