Securing Origins in CloudFront
Understand how the security of different origins is ensured by CloudFront.
Origin Access Control in CloudFront refers to the mechanism by which users can control access to the origin servers from which CloudFront retrieves content. It allows users to specify rules and restrictions on which clients or resources can access the origin servers. This helps enhance security by ensuring only authorized entities can interact with the origin servers, thereby protecting sensitive data and resources.
Origins and origin groups
Origins represent the locations from which CloudFront retrieves content. When an edge location receives a request for an object that is not cached locally, it initiates an origin fetch from the relevant origin. Origin groups provide resiliency by allowing a distribution to be configured with more than one origin. These origins can include S3 buckets, AWS MediaPackage or MediaStore endpoints, and web servers.
Security measures and access restrictions
CloudFront offers several security measures to control access to content:
Signed URLs or signed cookies can restrict viewer access so that only authorized users can retrieve content from a distribution. Private distributions, trusted signer groups, and signed URLs or cookies together provide granular control over access permissions.
We can require users to use HTTPS to make the connection encrypted.
We can restrict users’ access to the content in the AWS origin through CloudFront distribution.
We can prevent users from specific geographical locations from having access to the CloudFront distribution.
Understanding the configurations related to custom origins is crucial. Users can specify HTTPS and HTTP ports for custom origins, allowing flexibility in managing different services bound to specific ports. However, S3 origins do not support configurable ports, simplifying their configuration.
Securing S3 origins
S3 buckets serve as common origins for CloudFront distributions. They offer simplicity in integration and provide various configuration options. Users can specify the origin domain and path, controlling the endpoint and path within the S3 bucket from which CloudFront retrieves content.
Advanced features exclusive to S3 origins include Origin Access Control (OAC), which restricts access to S3 objects, and Legacy Cache settings, associating an Origin Access Identity (OAI) for customizing caching behavior. The primary reason for using OAC and OAI is to prevent direct access to the origin servers. Direct access bypasses the security and performance features offered by CloudFront, exposing the origin to potential security threats and compromising the integrity of the content delivery network.
Origin Access Identity
Origin Access Identity (OAI) in CloudFront offers a way to limit access to the origin server linked to a CloudFront distribution. By linking a unique access identity to a distribution, we can set up the origin to grant access solely to requests carrying this identity. This enhances security by ensuring that only traffic originating from a CloudFront distribution, not directly from clients, can access an origin.
Origin Access Identity (OAI) is exclusive to S3 buckets. With OAI, CloudFront is an intermediary between viewers and the origin, ensuring that requests pass through CloudFront before reaching the origin server. By associating an OAI with a CloudFront distribution, users restrict access to the origin server solely to requests originating from CloudFront edge locations. This prevents unauthorized access to the origin and adds an additional layer of security to the content delivery process.
Origin Access Control
Similarly, Origin Access Control (OAC) allows users to define access policies and permissions for CloudFront distributions. By configuring OAC settings, users can specify which requests are allowed or denied access to the origin server. This granular control ensures that only authorized requests, per defined policies, are forwarded to the origin, mitigating the risk of unauthorized access and potential security breaches.
In addition to enhancing security, OAC and OAI improve performance by optimizing the content delivery process. By routing requests through CloudFront edge locations, these mechanisms reduce latency and improve response times, providing end users with faster and more efficient content delivery.
Note: While OAIs were traditionally used for S3 origins, AWS recommends using OAC for enhanced security. Users can configure OAC settings to control signing behavior and prevent CloudFront bypassing. Adjusting bucket policies ensures that access to S3 origins is restricted to CloudFront distributions, aligning with security best practices.
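The bucket-policy side of OAC described above, as an added example that is not part of the original page: the first function builds a policy that grants s3:GetObject only to the CloudFront service principal and only when the request is signed on behalf of one specific distribution (the AWS:SourceArn condition), and the second audits an existing policy for statements that would let reads bypass CloudFront. The bucket name and distribution ARN are constructed values.

```python
import json

# Constructed example values (not from the original page).
BUCKET = "example-origin-bucket"
DISTRIBUTION_ARN = "arn:aws:cloudfront::123456789012:distribution/EXAMPLE123"

def oac_bucket_policy(bucket, distribution_arn):
    """Bucket policy for an OAC-protected S3 origin: CloudFront signs its
    origin fetches, and S3 checks the service principal plus the SourceArn
    condition, so only this distribution (not viewers, not other
    distributions) can read the objects."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowCloudFrontServicePrincipalReadOnly",
            "Effect": "Allow",
            "Principal": {"Service": "cloudfront.amazonaws.com"},
            "Action": "s3:GetObject",
            "Resource": f"arn:aws:s3:::{bucket}/*",
            "Condition": {"StringEquals": {"AWS:SourceArn": distribution_arn}},
        }],
    }

def statements_bypassing_cloudfront(policy):
    """Audit helper: return the Sid of every Allow statement that lets object
    reads bypass this distribution, either because the principal is public
    or because the CloudFront service principal is granted access without
    an AWS:SourceArn condition (any distribution in any account could read)."""
    findings = []
    for st in policy.get("Statement", []):
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        reads = any(a in ("s3:GetObject", "s3:*", "*") for a in actions)
        if st.get("Effect") != "Allow" or not reads:
            continue
        principal = st.get("Principal")
        is_public = principal in ("*", {"AWS": "*"})
        is_cf_service = (isinstance(principal, dict)
                         and principal.get("Service") == "cloudfront.amazonaws.com")
        # Condition keys are case-insensitive in IAM, so compare lower-cased.
        pinned = any(k.lower() == "aws:sourcearn"
                     for ops in st.get("Condition", {}).values() for k in ops)
        if is_public or (is_cf_service and not pinned):
            findings.append(st.get("Sid", "<no Sid>"))
    return findings

# Constructed weak policy: a public-read statement and an unpinned service principal.
WEAK_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": f"arn:aws:s3:::{BUCKET}/*"},
    {"Sid": "AnyDistribution", "Effect": "Allow",
     "Principal": {"Service": "cloudfront.amazonaws.com"},
     "Action": ["s3:GetObject"], "Resource": f"arn:aws:s3:::{BUCKET}/*"}]}
```

Running `statements_bypassing_cloudfront` over the generated policy returns an empty list, while the weak policy yields both Sids; `json.dumps(oac_bucket_policy(...))` is the document to attach to the bucket.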
Securing other origins
When dealing with non-S3 origins, CloudFront does not offer OAIs like those available for S3 origins. Instead, custom headers play a crucial role in ensuring access control. Requests originating from CloudFront edge locations must contain specific headers to generate a response from the origin server. These custom headers, configured within CloudFront, are injected at the edge locations, allowing custom origins to verify that requests originate from authorized sources.
Another method to enhance security for non-S3 origins is to allowlist the IP ranges of CloudFront edge locations. Users can establish a firewall around the custom origin by defining the specific IP ranges that correspond to CloudFront edge locations and allowing traffic only from those addresses. This traditional approach adds an extra layer of security by restricting access to the origin server to predefined IP addresses, thereby safeguarding against unauthorized direct access attempts.
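The two custom-origin controls from the preceding paragraphs, combined in one origin-side gate as an added example that is not part of the original page: the CloudFront prefixes are parsed from data in the shape of the published ip-ranges.json file, and the custom header injected at the edge is compared in constant time. The header name, secret and prefixes are constructed sample values.

```python
import hmac
import ipaddress
import json

# Constructed sample values (not from the original page). In practice the
# secret is configured as an origin custom header on the distribution, and
# the prefixes come from https://ip-ranges.amazonaws.com/ip-ranges.json.
EXPECTED_HEADER = "X-Origin-Verify"
ORIGIN_SECRET = "constructed-shared-secret-value"
IP_RANGES_JSON = json.dumps({
    "prefixes": [
        {"ip_prefix": "203.0.113.0/24", "service": "CLOUDFRONT_ORIGIN_FACING"},
        {"ip_prefix": "198.51.100.0/24", "service": "CLOUDFRONT"},
        {"ip_prefix": "192.0.2.0/24", "service": "EC2"},
    ],
    "ipv6_prefixes": [
        {"ipv6_prefix": "2001:db8:cf::/48", "service": "CLOUDFRONT_ORIGIN_FACING"},
    ],
})

def cloudfront_networks(ip_ranges_json):
    """Parse ip-ranges.json and keep only the CloudFront prefixes.
    CLOUDFRONT_ORIGIN_FACING is the subset that actually reaches origins."""
    data = json.loads(ip_ranges_json)
    wanted = {"CLOUDFRONT", "CLOUDFRONT_ORIGIN_FACING"}
    nets = [ipaddress.ip_network(p["ip_prefix"])
            for p in data["prefixes"] if p["service"] in wanted]
    nets += [ipaddress.ip_network(p["ipv6_prefix"])
             for p in data["ipv6_prefixes"] if p["service"] in wanted]
    return nets

CLOUDFRONT_NETWORKS = cloudfront_networks(IP_RANGES_JSON)

def from_cloudfront(source_ip, networks):
    """True when the connecting address falls inside a CloudFront prefix."""
    addr = ipaddress.ip_address(source_ip)
    return any(addr in net for net in networks)

def header_valid(headers, name=EXPECTED_HEADER, secret=ORIGIN_SECRET):
    """Header names are case-insensitive; the value is compared in constant
    time so a wrong guess does not leak the secret through timing."""
    value = next((v for k, v in headers.items() if k.lower() == name.lower()), "")
    return hmac.compare_digest(value.encode(), secret.encode())

def admit_request(source_ip, headers, networks=CLOUDFRONT_NETWORKS):
    """Origin-side gate: both the edge IP allowlist and the header must pass."""
    return from_cloudfront(source_ip, networks) and header_valid(headers)
```

A request from a CloudFront prefix with the right header is admitted; one from any other address, or with a missing or wrong header, is refused even if the other check passes.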
CloudFront pricing model
There is no extra charge for transferring cacheable data to CloudFront edge locations from AWS resources. CloudFront only bills for data transferred out from its edge locations and for HTTP or HTTPS requests. In its free tier, CloudFront offers the following:
1 TB of data transfer out per month
10,000,000 HTTP or HTTPS requests per month
2,000,000 CloudFront Function invocations per month
Free SSL certificates
Note: For each custom SSL certificate associated with one or more CloudFront distributions using the dedicated IP, we have to pay $600.