Is it possible to restrict an Amazon S3 website endpoint to CloudFront only? I see this is possible for S3 REST endpoints, but was wondering if there were any new workarounds to do this for S3 website endpoints.
1 Answer
For a website endpoint you can use a bucket policy to allow only CloudFront IP addresses; not as restrictive as OAI, but still a way. http://d7uri8nf7uskq.cloudfront.net/tools/list-cloudfront-ips
For S3 as an origin, the CLOUDFRONT_REGIONAL_EDGE_IP_LIST IP addresses are not used unless you're using Lambda@Edge or AWS has enabled it intentionally, so you can allow only CLOUDFRONT_GLOBAL_IP_LIST.

James Dean
- Thanks James, so for the website endpoint I will need to hardcode those IPs into the bucket policy? Do they change often? – Swordfish Apr 16 '19 at 23:13
- They don't change that often, but AWS keeps adding new IP ranges all the time. They have a document which automatically updates the security group; similarly you can write Lambda code to update the bucket policy as well: https://aws.amazon.com/blogs/security/how-to-automatically-update-your-security-groups-for-amazon-cloudfront-and-aws-waf-by-using-aws-lambda/. Sadly AWS doesn't provide a webhook for it, so the Lambda needs to run periodically and it costs some money. – James Dean Apr 17 '19 at 04:16
- @JamesDean actually AWS does provide an SNS topic, which you can subscribe to (Lambda), see here: https://aws.amazon.com/blogs/security/how-to-automatically-update-your-security-groups-for-amazon-cloudfront-and-aws-waf-by-using-aws-lambda/ – maslick Oct 24 '21 at 15:00