Restricting Access to AI Generated Content with CloudFront OAC
To restrict access to AI-generated content served through AWS CloudFront, we use the Origin Access Control (OAC) feature. Origin Access Control secures your content by ensuring that only CloudFront can reach your origin; the origin cannot be fetched directly by users over the Internet. CloudFront signs its requests to the origin, such as an S3 bucket containing your AI-generated content, and the bucket policy accepts only those signed requests while rejecting direct access to the bucket.
We will create a CloudFront distribution and an Origin Access Control to enforce this behavior. Additionally, we will set up an S3 bucket that will host the AI-generated content and configure it to work with the Origin Access Control.
Here's the step-by-step Pulumi program to set up such a configuration:
- Create an S3 bucket to host the AI-generated content.
- Create an Origin Access Identity (OAI) that CloudFront will use to authenticate with supported AWS origins.
- Create an Origin Access Control to protect the origin.
- Set up a CloudFront distribution and configure it to use the OAI for the bucket content.
- Attach the Origin Access Control to the CloudFront distribution.
- Set up the S3 bucket policy to restrict access to only the Origin Access Identity.
Let's see how you can write a Pulumi program to create this setup in Python:
```python
import json

import pulumi
import pulumi_aws as aws

# Step 1: Create an S3 bucket for hosting AI-generated content.
# Buckets are private by default and, since April 2023, have ACLs disabled,
# so no ACL is set here; read access is granted only by the bucket policy below.
content_bucket = aws.s3.Bucket("aiContentBucket")

# Step 2: Create an Origin Access Identity (the legacy mechanism) for CloudFront.
origin_access_identity = aws.cloudfront.OriginAccessIdentity("oai")

# Step 3: Create an Origin Access Control so that only CloudFront can access the content.
# In pulumi_aws the OAC settings are top-level arguments, not a nested config object.
origin_access_control = aws.cloudfront.OriginAccessControl(
    "oac",
    name="my-oac",
    description="OAC for restricting access to AI content",
    origin_access_control_origin_type="s3",
    signing_behavior="always",
    signing_protocol="sigv4",
)

# Step 4: Create a CloudFront distribution with both the OAI and the OAC on the S3 origin.
# When an origin has both, CloudFront signs its origin requests with the OAC.
distribution = aws.cloudfront.Distribution(
    "contentDistribution",
    enabled=True,
    origins=[
        aws.cloudfront.DistributionOriginArgs(
            origin_id="myS3Origin",
            domain_name=content_bucket.bucket_regional_domain_name,
            origin_access_control_id=origin_access_control.id,
            s3_origin_config=aws.cloudfront.DistributionOriginS3OriginConfigArgs(
                origin_access_identity=origin_access_identity.cloudfront_access_identity_path,
            ),
        )
    ],
    default_cache_behavior=aws.cloudfront.DistributionDefaultCacheBehaviorArgs(
        allowed_methods=["GET", "HEAD"],
        cached_methods=["GET", "HEAD"],
        target_origin_id="myS3Origin",
        viewer_protocol_policy="redirect-to-https",
        min_ttl=0,
        default_ttl=3600,
        max_ttl=86400,
        compress=True,
        forwarded_values=aws.cloudfront.DistributionDefaultCacheBehaviorForwardedValuesArgs(
            query_string=False,
            cookies=aws.cloudfront.DistributionDefaultCacheBehaviorForwardedValuesCookiesArgs(
                forward="none",
            ),
        ),
    ),
    restrictions=aws.cloudfront.DistributionRestrictionsArgs(
        geo_restriction=aws.cloudfront.DistributionRestrictionsGeoRestrictionArgs(
            restriction_type="none",
        ),
    ),
    viewer_certificate=aws.cloudfront.DistributionViewerCertificateArgs(
        cloudfront_default_certificate=True,
    ),
)


# Step 5: Bucket policy that allows CloudFront reads and blocks every other read.
# OAC-signed requests arrive as the cloudfront.amazonaws.com service principal and
# carry aws:SourceArn = the distribution ARN, so that is what the Allow keys on.
# The explicit Deny rejects reads that do not carry this distribution's ARN, which
# includes direct requests from the Internet and the legacy OAI path (unused while
# the OAC is configured). It is scoped to s3:GetObject so uploads of new content
# by the account are still possible.
def build_bucket_policy(args):
    bucket_name, oai_arn, distribution_arn = args
    objects = f"arn:aws:s3:::{bucket_name}/*"
    return json.dumps({
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowCloudFrontOAC",
                "Effect": "Allow",
                "Principal": {"Service": "cloudfront.amazonaws.com"},
                "Action": "s3:GetObject",
                "Resource": objects,
                "Condition": {"StringEquals": {"aws:SourceArn": distribution_arn}},
            },
            {
                "Sid": "AllowLegacyOAI",
                "Effect": "Allow",
                "Principal": {"AWS": oai_arn},
                "Action": "s3:GetObject",
                "Resource": objects,
            },
            {
                "Sid": "DenyReadsNotFromDistribution",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:GetObject",
                "Resource": objects,
                "Condition": {"StringNotEquals": {"aws:SourceArn": distribution_arn}},
            },
        ],
    })


# distribution.arn is a Pulumi Output, so it must be resolved through Output.all
# like the other values; interpolating it directly into the string would embed
# the Output object's repr rather than the ARN.
s3_policy = aws.s3.BucketPolicy(
    "s3Policy",
    bucket=content_bucket.id,
    policy=pulumi.Output.all(
        content_bucket.id, origin_access_identity.iam_arn, distribution.arn
    ).apply(build_bucket_policy),
)

# Export the distribution domain name and bucket name.
pulumi.export("cloudfront_distribution_domain_name", distribution.domain_name)
pulumi.export("content_bucket_name", content_bucket.bucket)
```
In this program:
- We create an S3 bucket to store AI-generated content.
- We create an Origin Access Identity for CloudFront distributions to authenticate against the S3 bucket.
- We define an Origin Access Control to configure the behavior and protocol for CloudFront when accessing the S3 bucket.
- A CloudFront Distribution resource is created with a default cache behavior to handle GET and HEAD requests for the content, forwarding these requests to our S3 origin via the OAI.
- We use the Bucket Policy to restrict the S3 bucket's content access to the Origin Access Identity we've created and to deny access if the request doesn't originate from our CloudFront distribution.
- Finally, we export the CloudFront distribution domain name and the S3 bucket name for easy access and verification.
Make sure you have valid AWS credentials configured before running the Pulumi program. Once it has run, all of the resources above are provisioned in your AWS account, and the AI-generated content is reachable only through the CloudFront distribution domain that is exported; a direct request to the S3 URL of an object is refused.
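Before deploying, it is worth checking offline that the bucket policy really produces the access pattern the program promises: reads via this distribution allowed, everything else denied. The following is an added example written for this page, not Pulumi's or AWS's code: it builds the same three-statement policy and runs a deliberately small evaluator over it, supporting only the statement shapes used here (a string or list `Action`, a wildcard `Resource`, `AWS`/`Service`/`*` principals, and `StringEquals`/`StringNotEquals` on `aws:SourceArn`), with IAM's explicit-deny-wins rule. The bucket name, distribution ARN, OAI ARN and IAM user ARN are constructed placeholders; in a real deployment they come from the Pulumi outputs.

```python
"""Offline check of the CloudFront/S3 bucket policy shape used in the program above."""
from fnmatch import fnmatchcase

# Constructed placeholder identifiers (not real resources).
BUCKET = "example-ai-content-bucket"
DISTRIBUTION_ARN = "arn:aws:cloudfront::123456789012:distribution/EXAMPLEDIST"
OTHER_DISTRIBUTION_ARN = "arn:aws:cloudfront::999999999999:distribution/OTHERDIST"
OAI_ARN = "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity EXAMPLEOAI"
ADMIN_USER_ARN = "arn:aws:iam::123456789012:user/content-admin"


def build_bucket_policy(bucket: str, oai_arn: str, distribution_arn: str) -> dict:
    """Same statements as the Pulumi program: OAC allow, legacy OAI allow, explicit deny."""
    objects = f"arn:aws:s3:::{bucket}/*"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "AllowCloudFrontOAC", "Effect": "Allow",
             "Principal": {"Service": "cloudfront.amazonaws.com"},
             "Action": "s3:GetObject", "Resource": objects,
             "Condition": {"StringEquals": {"aws:SourceArn": distribution_arn}}},
            {"Sid": "AllowLegacyOAI", "Effect": "Allow",
             "Principal": {"AWS": oai_arn},
             "Action": "s3:GetObject", "Resource": objects},
            {"Sid": "DenyReadsNotFromDistribution", "Effect": "Deny",
             "Principal": "*",
             "Action": "s3:GetObject", "Resource": objects,
             "Condition": {"StringNotEquals": {"aws:SourceArn": distribution_arn}}},
        ],
    }


def _principal_matches(statement_principal, request_principal: dict) -> bool:
    # "*" matches every principal, including anonymous (empty dict) requests.
    if statement_principal == "*":
        return True
    for kind, value in statement_principal.items():  # kind is "AWS" or "Service"
        values = value if isinstance(value, list) else [value]
        if request_principal.get(kind) in values:
            return True
    return False


def _condition_matches(condition: dict, context: dict) -> bool:
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if operator == "StringEquals":
                if actual != expected:      # missing key: positive operator fails
                    return False
            elif operator == "StringNotEquals":
                if actual == expected:      # missing key: negated operator holds
                    return False
            else:
                raise ValueError(f"unsupported operator in this toy evaluator: {operator}")
    return True


def evaluate(policy: dict, principal: dict, action: str, resource: str, context: dict) -> str:
    """Return "Allow" or "Deny": an explicit Deny always wins, no Allow means implicit deny."""
    allowed = False
    for st in policy["Statement"]:
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        if action not in actions or not fnmatchcase(resource, st["Resource"]):
            continue
        if not _principal_matches(st["Principal"], principal):
            continue
        if not _condition_matches(st.get("Condition", {}), context):
            continue
        if st["Effect"] == "Deny":
            return "Deny"
        allowed = True
    return "Allow" if allowed else "Deny"


def check_scenarios() -> dict:
    """Evaluate the policy for the request paths a reviewer would want to see."""
    policy = build_bucket_policy(BUCKET, OAI_ARN, DISTRIBUTION_ARN)
    obj = f"arn:aws:s3:::{BUCKET}/images/sample.png"
    cloudfront = {"Service": "cloudfront.amazonaws.com"}
    return {
        # OAC-signed request from our distribution: the only path that should succeed.
        "via_oac": evaluate(policy, cloudfront, "s3:GetObject", obj,
                            {"aws:SourceArn": DISTRIBUTION_ARN}),
        # Someone else's distribution pointed at our bucket: wrong SourceArn.
        "other_distribution": evaluate(policy, cloudfront, "s3:GetObject", obj,
                                       {"aws:SourceArn": OTHER_DISTRIBUTION_ARN}),
        # Anonymous direct request to the S3 URL.
        "anonymous_direct": evaluate(policy, {}, "s3:GetObject", obj, {}),
        # Legacy OAI path carries no aws:SourceArn, so the explicit Deny catches it.
        "via_oai": evaluate(policy, {"AWS": OAI_ARN}, "s3:GetObject", obj, {}),
        # The account's own IAM user reading via console/CLI is also denied by this policy.
        "admin_console_read": evaluate(policy, {"AWS": ADMIN_USER_ARN}, "s3:GetObject", obj, {}),
    }


if __name__ == "__main__":
    for name, decision in check_scenarios().items():
        print(f"{name:20s} {decision}")
```

Two of the results are the caveat to remember when the explicit Deny is kept: because the OAI path and the account's own users never carry `aws:SourceArn`, they are denied reads along with anonymous traffic. That is the behaviour the program asks for, but it means content must be verified through the CloudFront domain rather than by reading objects directly, and the Deny must stay scoped to `s3:GetObject` so uploads still work.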