How do I create an AWS CloudFront Origin Access Identity?
In this guide, we will create an AWS CloudFront Origin Access Identity (OAI) using Pulumi. An OAI is a special CloudFront principal: CloudFront signs its requests to the S3 origin as that identity, and a bucket policy grants read access to it and to nothing else. Viewers can then only reach the objects through the distribution, and direct requests to the bucket are refused. Two caveats a practitioner should know: an OAI works only with the bucket's REST endpoint (the regional domain name used below), not with the S3 static-website endpoint, and AWS now recommends Origin Access Control (OAC) for new distributions; OAI is still supported and the wiring shown here is the same pattern.
We will define the S3 bucket, the OAI, a CloudFront distribution that uses the OAI for its S3 origin, and the bucket policy that grants the OAI read access.
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

// Create a private S3 bucket. On buckets created with the current default
// object ownership setting (BucketOwnerEnforced) ACLs are disabled, so the
// bucket policy below, not the ACL, is what actually controls access.
const bucket = new aws.s3.Bucket("myBucket", {
    acl: "private",
});

// Create a CloudFront Origin Access Identity. Its IAM ARN (iamArn) is the
// principal the bucket policy grants access to; its path
// (cloudfrontAccessIdentityPath) is what the distribution's origin references.
const originAccessIdentity = new aws.cloudfront.OriginAccessIdentity("myOAI", {
    comment: "OAI for my S3 bucket",
});

// Create a CloudFront distribution whose only origin is the bucket.
const distribution = new aws.cloudfront.Distribution("myDistribution", {
    enabled: true,
    origins: [{
        // Use the bucket's REST endpoint; an OAI cannot authenticate to the
        // S3 static-website endpoint.
        domainName: bucket.bucketRegionalDomainName,
        originId: bucket.arn,
        s3OriginConfig: {
            originAccessIdentity: originAccessIdentity.cloudfrontAccessIdentityPath,
        },
    }],
    defaultCacheBehavior: {
        targetOriginId: bucket.arn,
        // Send plain-HTTP viewers to HTTPS; "allow-all" would serve the
        // content in clear text as well.
        viewerProtocolPolicy: "redirect-to-https",
        allowedMethods: ["GET", "HEAD"],
        cachedMethods: ["GET", "HEAD"],
        forwardedValues: {
            queryString: false,
            cookies: {
                forward: "none",
            },
        },
        defaultTtl: 3600,
        maxTtl: 86400,
        minTtl: 0,
    },
    priceClass: "PriceClass_100",
    restrictions: {
        geoRestriction: {
            restrictionType: "none",
        },
    },
    viewerCertificate: {
        cloudfrontDefaultCertificate: true,
    },
});

// Grant the OAI, and only the OAI, read access to objects in the bucket.
// Only s3:GetObject on the objects is granted; without s3:ListBucket on the
// bucket itself, a request for a missing key returns 403 rather than 404.
const bucketPolicy = new aws.s3.BucketPolicy("bucketPolicy", {
    bucket: bucket.id,
    policy: pulumi.all([bucket.arn, originAccessIdentity.iamArn]).apply(([bucketArn, oaiArn]) => JSON.stringify({
        Version: "2012-10-17",
        Statement: [{
            Effect: "Allow",
            Principal: {
                AWS: oaiArn,
            },
            Action: "s3:GetObject",
            Resource: `${bucketArn}/*`,
        }],
    })),
});

// Export the CloudFront distribution domain name
export const cloudfrontUrl = distribution.domainName;
Key Points:
- S3 Bucket: We create a private S3 bucket to store our content. With ACLs disabled by default on new buckets, the bucket policy is the access control that matters, so make sure no other statement, ACL, or Block Public Access exception opens the bucket.
- Origin Access Identity (OAI): The CloudFront principal that the bucket policy trusts. CloudFront signs origin requests as this identity; anonymous requests to the bucket carry no such signature and are denied.
- CloudFront Distribution: Its S3 origin references the OAI path, and viewers are redirected to HTTPS.
- Bucket Policy: Grants the OAI's IAM ARN s3:GetObject on the bucket's objects and nothing more.
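Because the bucket policy is the control that actually enforces "CloudFront only", it is worth checking before and after deployment. The following is an added example, not code from this guide or from Pulumi: plain TypeScript with no Pulumi or AWS SDK dependency. It builds the same policy document the BucketPolicy resource above emits and lints a policy document for anything that would let a caller bypass the distribution (a wildcard principal, a principal that is not an OAI, actions beyond read, or resources outside the bucket). The bucket ARN and OAI ID are constructed, and the lint accepts only the IAM-ARN form of the OAI principal that the guide uses, not the CanonicalUser form.

```typescript
// Added example, not part of the Pulumi guide above. Pure TypeScript, no Pulumi
// or AWS SDK dependency. Bucket and OAI identifiers below are constructed.

type Principal =
  | "*"
  | { AWS?: string | string[]; CanonicalUser?: string | string[]; Service?: string | string[] };

interface Statement {
  Effect: "Allow" | "Deny";
  Principal?: Principal;
  Action: string | string[];
  Resource: string | string[];
  Condition?: Record<string, unknown>;
}

interface PolicyDocument {
  Version: string;
  Statement: Statement[];
}

// Prefix of every OAI IAM ARN (the value Pulumi exposes as originAccessIdentity.iamArn).
const OAI_ARN_PREFIX = "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity ";

// The only actions an OAI should ever need: GetObject, plus ListBucket if you
// prefer 404 over 403 for missing keys.
const ALLOWED_OAI_ACTIONS = new Set(["s3:GetObject", "s3:ListBucket"]);

function asList<T>(v: T | T[] | undefined): T[] {
  return v === undefined ? [] : Array.isArray(v) ? (v as T[]) : [v as T];
}

// Same document the guide's pulumi.all(...).apply(...) produces, as a pure function.
function buildOaiBucketPolicy(bucketArn: string, oaiIamArn: string): PolicyDocument {
  return {
    Version: "2012-10-17",
    Statement: [{
      Effect: "Allow",
      Principal: { AWS: oaiIamArn },
      Action: "s3:GetObject",
      Resource: `${bucketArn}/*`,
    }],
  };
}

// Returns findings; an empty array means every Allow statement names only an
// OAI principal, only read actions, only this bucket, and at least one such
// grant exists. Deny statements are skipped because they can only narrow access.
function lintOaiBucketPolicy(doc: PolicyDocument, bucketArn: string): string[] {
  const findings: string[] = [];
  let oaiGrants = 0;

  doc.Statement.forEach((s, i) => {
    if (s.Effect !== "Allow") return;

    const principals: string[] = s.Principal === "*"
      ? ["*"]
      : [...asList(s.Principal?.AWS), ...asList(s.Principal?.CanonicalUser), ...asList(s.Principal?.Service)];

    for (const p of principals) {
      if (p === "*") {
        findings.push(`statement ${i}: wildcard principal makes the bucket world-readable`);
      } else if (p.startsWith(OAI_ARN_PREFIX)) {
        oaiGrants++;
      } else {
        findings.push(`statement ${i}: principal ${p} is not a CloudFront OAI`);
      }
    }
    for (const a of asList(s.Action)) {
      if (!ALLOWED_OAI_ACTIONS.has(a)) {
        findings.push(`statement ${i}: action ${a} exceeds the read-only access an OAI needs`);
      }
    }
    for (const r of asList(s.Resource)) {
      if (r !== bucketArn && !r.startsWith(`${bucketArn}/`)) {
        findings.push(`statement ${i}: resource ${r} is outside ${bucketArn}`);
      }
    }
  });

  if (oaiGrants === 0) findings.push("no Allow statement grants an OAI access to the bucket");
  return findings;
}

// Constructed identifiers for the demonstration (not real resources).
const SAMPLE_BUCKET_ARN = "arn:aws:s3:::example-site-content";
const SAMPLE_OAI_ARN = `${OAI_ARN_PREFIX}E2EXAMPLEOAI`;

// The guide's policy: clean.
const guidePolicy = buildOaiBucketPolicy(SAMPLE_BUCKET_ARN, SAMPLE_OAI_ARN);

// The guide's statement plus a "public website" grant that would defeat the OAI.
const publicPolicy: PolicyDocument = {
  Version: "2012-10-17",
  Statement: [
    guidePolicy.Statement[0],
    { Effect: "Allow", Principal: "*", Action: "s3:GetObject", Resource: `${SAMPLE_BUCKET_ARN}/*` },
  ],
};

console.log(lintOaiBucketPolicy(guidePolicy, SAMPLE_BUCKET_ARN));  // []
console.log(lintOaiBucketPolicy(publicPolicy, SAMPLE_BUCKET_ARN)); // one finding: wildcard principal on statement 1
```

To check a deployed bucket, parse the document returned by `aws s3api get-bucket-policy` and pass it to lintOaiBucketPolicy. A clean result covers only the policy document: ACL grants and the account's Block Public Access settings live outside it and need their own check.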
Summary:
In this guide, we created an AWS CloudFront Origin Access Identity, referenced it from a CloudFront distribution's S3 origin, and granted it read access in the bucket policy. With that policy in place and no other public grant on the bucket, the content is reachable only through CloudFront, and viewers are served over HTTPS.