Posted On: Aug 25, 2022

Amazon CloudFront now offers Origin Access Control, a new feature that enables CloudFront customers to easily secure their S3 origins by permitting only designated CloudFront distributions to access their S3 buckets. Customers can now enable AWS Signature Version 4 (SigV4) on CloudFront requests to S3 buckets with the ability to set when and if CloudFront should sign requests. Additionally, customers can now use SSE-KMS when performing uploads and downloads through CloudFront.

Until now, customers were limited to using Origin Access Identity to restrict access to their S3 origins to CloudFront. Origin Access Control improves upon Origin Access Identity by strengthening security and deepening feature integrations. Origin Access Control provides a stronger security posture with short-term credentials and more frequent credential rotations as compared to Origin Access Identity. With Origin Access Control, customers can create granular policy configurations through resource-based policies, which provide better protection against confused deputy attacks. Customers can use Origin Access Control to fetch and put data into S3 origins in regions that require SigV4. Also, Origin Access Control allows customers to use SSE-KMS with their S3 origins, which was not possible using Origin Access Identity.
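The confused-deputy protection described above holds only if the bucket's resource-based policy ties the `cloudfront.amazonaws.com` service principal to a specific distribution through an `AWS:SourceArn` condition. The following audit script is an added example, not AWS code; the bucket name, account ID, distribution ID and function names are constructed placeholders.

```python
import json

CLOUDFRONT_SERVICE = "cloudfront.amazonaws.com"

def _as_list(value):
    """IAM policy fields may hold a single value or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def _source_arns(stmt):
    """AWS:SourceArn values under exact-match operators (names are case-insensitive)."""
    arns = []
    for operator, keys in stmt.get("Condition", {}).items():
        if operator.lower() in ("stringequals", "arnequals"):
            for key, value in keys.items():
                if key.lower() == "aws:sourcearn":
                    arns.extend(_as_list(value))
    return arns

def audit_policy(policy_json):
    """Return (sid, finding) pairs for Allow statements that trust CloudFront too broadly."""
    findings = []
    for i, stmt in enumerate(_as_list(json.loads(policy_json).get("Statement"))):
        principal = stmt.get("Principal")
        services = _as_list(principal.get("Service")) if isinstance(principal, dict) else []
        if stmt.get("Effect") != "Allow" or CLOUDFRONT_SERVICE not in services:
            continue
        sid = stmt.get("Sid", f"statement[{i}]")
        arns = _source_arns(stmt)
        if not arns:  # wildcard operators such as ArnLike are treated as unscoped
            findings.append((sid, "no exact-match AWS:SourceArn condition"))
        elif any("*" in a or "?" in a or ":distribution/" not in a for a in arns):
            findings.append((sid, "AWS:SourceArn does not name specific distributions"))
    return findings

def sample_stmt(sid, condition=None):
    """Build a constructed sample statement granting CloudFront read access."""
    s = {"Sid": sid, "Effect": "Allow", "Principal": {"Service": CLOUDFRONT_SERVICE},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}
    if condition:
        s["Condition"] = condition
    return s

# Constructed policy: account ID, bucket and distribution ID are placeholders.
DIST = "arn:aws:cloudfront::111122223333:distribution/"
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    sample_stmt("Scoped", {"StringEquals": {"AWS:SourceArn": DIST + "EXAMPLEDISTID"}}),
    sample_stmt("Unscoped"),
    sample_stmt("Wildcard", {"ArnLike": {"AWS:SourceArn": DIST + "*"}}),
]})
```

Running `audit_policy(SAMPLE_POLICY)` flags the `Unscoped` and `Wildcard` statements and passes `Scoped`.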

CloudFront supports both the new Origin Access Control and legacy Origin Access Identity. If you have a distribution configured to use Origin Access Identity, you can easily migrate the distribution to Origin Access Control with a few simple clicks. Any distributions using Origin Access Identity will continue to work and you can continue to use Origin Access Identity for new distributions. Refer to the CloudFront origin access migration documentation for upcoming region restrictions.

CloudFront Origin Access Control is now available worldwide except for AWS China regions. You can start using Origin Access Control through the CloudFront console, APIs, SDK, or CLI. There is no additional fee to use Origin Access Control. To learn about how to configure Origin Access Control, refer to the CloudFront origin access control documentation. To get started with CloudFront, visit the CloudFront product page.