Muvi Blogs

Beyond The Buzz- Latest Insights From Muvi

Please wait while we enable your Account

0%

Contacting Amazon Web Services
Deploying Cloud Servers, Storage, Transcoding & Database Servers
Deploying Global CDN
Deploying Firewall & Enabling Security Measures
Deploying the CMS & Admin Module
Deploying Website, Mobile & TV Apps framework
Creating your FTP account
Finishing up all the modules
Preparing for launch

AWS CloudFront: Introducing Origin Access Control (OAC) To Secure Your S3 Origins 04 January 2023

AWS CloudFront Introducing Origin Access Control (OAC) To Secure Your S3 Origins

 

Amazon CloudFront is a leading global content delivery network (CDN) from Amazon Web Services (AWS) renowned for delivering applications, videos, websites and APIs to viewers across the globe at lightning fast speed.

Amazon S3 is one of the most used AWS architectures that is used as the origin to host content and CloudFront, which is used to deliver them to viewers. When using this architecture, customers can leverage CloudFront’s origin access identity (OAI) to secure S3 bucket access to CloudFront only. However, recently, AWS has introduced a new function named OAC that replaces OAI with some brand new features.

 

1.What is OAC?

 

AWS recently announced the new Origin Access Control (OAC) feature for CloudFront. This is a successor of the Origin Access Identity (OAI).As per our architecture we are using Amazon S3 as the origin to host content like websites and videos, and use CloudFront to deliver them to viewers. Now we are using CloudFront’s origin access identity (OAI) to secure S3 origin access to CloudFront only.

 

2.How is it more secure than OAI?

 

While OAI provides a secure way to access S3 origins to CloudFront, it has limitations such as not supporting granular policy configurations, HTTP and HTTPS requests that use the POST method in AWS regions that require AWS Signature Version 4 (SigV4), or integrating with SSE-KMS.To strengthen security and deepen feature integrations, AWS has introduced origin access control (OAC), a new feature that secures S3 origins by permitting access to the designated distributions only. OAC is based on an AWS best practice of using IAM service principals to authenticate with S3 origins.

 

Compared with OAI, some of the notable enhancements OAC provides include:

  • OAC is implemented with enhanced security practices like short term credentials, frequent credential rotations, and resource-based policies. They strengthen your distributions’ security posture and provide better protections against attacks like confused deputy.
  • Comprehensive HTTP methods support- OAC supports GET, PUT, POST, PATCH, DELETE, OPTIONS, and HEAD.
  • SSE-KMS – OAC supports downloading and uploading S3 objects encrypted with SSE-KMS.
  • Access S3 in all AWS regions – OAC supports accessing S3 in all AWS regions, including existing regions and all future regions. In contrast, OAI will only be supported in existing AWS regions and regions launched before December 2022.

 

3. How can we create/enable this feature?

 

  1. Sign in to the AWS Management Console and open the CloudFront console.
  2. Choose Create Distribution.
  3. In the Origin configuration section, select an S3 origin from the Origin domain drop-down list.
  4. You can optionally configure an origin path to append to the origin domain name for origin requests.
  5. Enter a name to uniquely identify the current origin configuration.
  6. Choose Origin access control settings.

    7. You can choose an existing origin access control or create a new control setting with one of three signing options.

create control setting

 

  1. Follow the detailed instructions here on how to configure the rest of the settings
  2. Select ‘Create distribution’ at the bottom of the page once all the configuration settings have been chosen
  3. Once the distribution is successfully created, you must update the S3 bucket policy, you can reference the policy statement provided on distribution detail page (Figure 3)
  4. Note that the policy provided only includes permissions to read objects from S3. If you would like to also upload objects to S3, you must update the policy with additional permissions for “s3:PutObject”.

 

 

 

4.How can we configure OAC when updating an existing CloudFront distribution ?

 

  1. Sign in to the AWS Management Console and open the CloudFront console.
  2. Select one of the distributions from the list
  3. Select the Origins tab and choose the S3 origin which you want to associate with an origin access control setting
  4. If the origin is not using any access mechanism, it will show as public. If the origin is already using OAI, it will show as “Legacy access identifies”. To use OAC, select “Origin access control settings” and choose an existing origin access control or create a new control setting with one of three signing options.

Edit Origin

 

5. You must update the S3 policy to allow CloudFront IAM service principal and your distribution resource to access the S3 bucket. Unlike configuring origin access when creating distribution where you can update the policy only after the distribution is created, when updating a distribution, you can, and we indeed recommend, that you update the policy to allow access to both OAI and OAC, prior to saving the origin configuration, to reduce the service downtime to zero. The following is a sample policy that allows access to both OAI and OAC.

Code New

 

6. Similar to configure OAC when creating a distribution, the policy CloudFront provided only includes permissions to read objects from S3. If you would like to also upload objects to S3, you must update the policy with additional permissions for “s3:PutObject

7. At the bottom of the page, choose Save

5. How can we Enable SSE-KMS for CloudFront OAC ?

 

AWS Well-Architected recommends protecting our data in transit and at rest. If we are using OAI, your data is already protected in transit, and we can  protect our data at rest using Server-Side Encryption with Amazon S3-Managed Keys (SSE-S3).

 

We need to configure your KMS policy to allow CloudFront IAM service principal to access our KMS keys. Adding aws:SourceArn condition key allows only a specific CloudFront distribution to access SSE-KMS encrypted objects using this key policy.

 

  1. Open the KMS console.
  2. Select the customer managed KMS key that is used to encrypt the content in the S3 origin
  3. Select the Key policy tab

4. Update the KMS key policy to give access to CloudFront Service Principle

service principle

 

6.Do I need to migrate to OAC?

 

To answer this question CloudFront supports both the new OAC and legacy OAI. AWS recommends using OAC for its latest security best practices and additional functionalities. One limitation of OAI over OAC will be, OAI will only be supported in existing AWS regions and regions launched before December 2022 but CloudFront Origin Access Control is now available worldwide except for AWS China regions.

 

Wrapping Up,

AWS CloudFront origin access control is now available globally. In this blog, I have tried to explain what OAC is and how it is different from OAI in the AWS management console itself. Although OAI provides ample security, OAC is recommended for enhanced security as it secures S3 origins by permitting access to the designated distributions only.

 

This blog has been written by Abinash Bhutia

 

 

Don't forget to share this post!


Sreejata Basu
Sreejata is Senior Content Writer for Muvi’s Marketing unit. She is a passionate writer with a background in English Literature and music. By week Sreejata spends her time in the corporate world of Muvi, but on weekends she likes to take short hiking trips, watch movies and read interesting travelogues.

Latest Posts

Try Muvi One free for 14 days

No Credit Card Required

.muvi.com
Your website will be at https://yourname.muvi.com, you can change this later.

Related Blogs
How to Develop Your Own LG TV WebOS App Without Coding?

How to Develop Your Own LG TV WebOS App Without Coding?

  In 2021, LG TVs held an 18.9% share of the global television market. We don’t need to tell you...

20 January 2023
OTT Business Model 2023 - How OTT Platforms Make Money?

OTT Business Model 2023 - How OTT Platforms Make Money?

  Are you eager to know about How OTT platforms make money? In this blog, we will discuss how OTT...

18 January 2023
What Are The Different Types of Cyber Attacks on OTT Platforms?

What Are The Different Types of Cyber Attacks on OTT Platforms?

  Cybercrimes were predicted to inflict damages amounting to US$ 6 trillion in 2021. In that scenario, cybercrime would have...

17 January 2023
A Complete Guide to Growing Your Video Membership Site

A Complete Guide to Growing Your Video Membership Site

  The demand for video membership sites has grown exponentially over the past few years making it a highly profitable...

17 January 2023
[New Tutorial] Screen Share your Roku Device on your Laptop for Online Meetings [Zoom / GMeet]

[New Tutorial] Screen Share your Roku Device on your Laptop for Online Meetings [Zoom / GMeet]

  If you are a Roku App developer, then you must have faced the Roku TV Screen sharing issue multiple...

13 January 2023

Try Muvi One
Free for 14 days

Launch your Multi-Screen Streaming Service
Instantly
START FREE
close-link