Protecting CloudFront distributions with Amazon S3 bucket origins
Amazon CloudFront is a global content delivery network that securely delivers resources and content to viewers across the globe in milliseconds. CloudFront can sit in front of many kinds of origin services to suit different use cases.
Amazon S3 is the origin most commonly used to host content such as static websites and videos, and in most architectures S3 relies on CloudFront to deliver that content to viewers. With this architecture, customers can use CloudFront's origin access identity (OAI), or its successor origin access control (OAC), which this article uses, to restrict access to the S3 origin so that only CloudFront can read from it.
In this article, you will learn how to:
Create an S3 bucket and set it up for static website hosting
Set up a CloudFront distribution and link it with a custom domain
Configure Amazon CloudFront origin access control (OAC)
Set up AWS WAF in front of the distribution
Set up an S3 bucket
Create an Amazon S3 bucket
If you want to learn how to create S3 buckets, visit this URL:
https://utkarsh80.hashnode.dev/how-to-host-a-static-website-using-amazon-s3
Download the web files here: https://github.com/gutkarsh08/AWS-S3-Static-Website-With-CloudFront
Upload the web files to the bucket.
Set up a CloudFront distribution
Amazon CloudFront is AWS’s CDN service, optimizing the delivery of your site’s content to users. Through its globally distributed data centers (edge locations), CloudFront ensures your static website’s content reaches users more efficiently.
Create a distribution
For the Origin Domain Name, you should already see your S3 bucket name in the drop-down. If not,
you will need to go back to your S3 management console (Services -> S3), but leave the CloudFront setup page open. Once in the S3 management console, click on your bucket name, then click on Properties and scroll down to Static website hosting. Copy over the highlighted part of the Endpoint URL. Note that OAC (below) only applies when the origin is the bucket's S3 REST endpoint, which is what the console pre-fills; the website endpoint is treated by CloudFront as a plain custom origin, to which OAC cannot be attached.
You also need to create an origin access control (OAC).
Amazon CloudFront origin access control (OAC)
What is origin access control (OAC)?
With OAC you can:
Restrict access to the Amazon S3 bucket so that it is not publicly accessible.
Reduce data transfer-out cost, because serving data directly from S3 costs more than serving it through a CloudFront distribution.
Ensure that users can access the content in the S3 bucket only through the specified CloudFront distribution. OAC prevents users from viewing your S3 files by simply using the direct S3 URL.
Copy the bucket policy that CloudFront shows once the OAC has been created.
Go to the S3 bucket's Permissions tab and update the bucket policy with it.
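As an added example (not the article's own code), here is the shape of the policy CloudFront generates for an OAC origin next to the public-read policy that static website hosting usually carries, plus a small checker that flags a bucket policy which still lets readers bypass the distribution. The bucket name, account id and distribution id are constructed placeholders.

```python
# Constructed placeholders (assumptions): substitute your own bucket, account and distribution id.
BUCKET = "example-bucket"
ACCOUNT_ID = "111122223333"
DISTRIBUTION_ID = "EDFDVBD6EXAMPLE"

# Shape of the policy the CloudFront console offers to copy for an OAC origin: only the
# CloudFront service principal may read objects, and only on behalf of this one distribution.
OAC_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowCloudFrontServicePrincipalReadOnly",
        "Effect": "Allow",
        "Principal": {"Service": "cloudfront.amazonaws.com"},
        "Action": "s3:GetObject",
        "Resource": f"arn:aws:s3:::{BUCKET}/*",
        "Condition": {"StringEquals": {
            "AWS:SourceArn": f"arn:aws:cloudfront::{ACCOUNT_ID}:distribution/{DISTRIBUTION_ID}"}},
    }],
}

# The usual static-website-hosting policy: anonymous read, so the direct bucket URL bypasses CloudFront.
PUBLIC_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "PublicReadGetObject", "Effect": "Allow", "Principal": "*",
                   "Action": "s3:GetObject", "Resource": f"arn:aws:s3:::{BUCKET}/*"}],
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def policy_findings(policy):
    """Return the reasons a bucket policy still lets readers go around CloudFront."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        sid, principal = stmt.get("Sid", "<no Sid>"), stmt.get("Principal", {})
        if principal == "*" or (isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))):
            findings.append(f"{sid}: allows the anonymous principal '*'")
        services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        if "cloudfront.amazonaws.com" in services:
            # IAM condition keys are case-insensitive, so compare lowercased.
            keys = {k.lower() for k in stmt.get("Condition", {}).get("StringEquals", {})}
            if "aws:sourcearn" not in keys:
                findings.append(f"{sid}: CloudFront principal is not pinned to one distribution with AWS:SourceArn")
        for action in _as_list(stmt.get("Action", [])):
            if action == "*" or action.endswith("*"):
                findings.append(f"{sid}: wildcard action {action!r}")
    return findings
```

Run `policy_findings` against the policy you are about to paste; an empty list means the bucket is readable only through the named distribution.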
Next, validate the application. Click on the distribution, copy the distribution domain name, and paste it into a new browser tab.
At this point we get the error below (typically an Access Denied response): with no default root object set, a request for / is forwarded to S3 as a request for the bucket root, which the OAC policy does not allow.
In the distribution's General tab, click Edit on the settings.
Add index.html as the default root object and save the changes.
The application now works, and only through CloudFront: fetching an object by its direct S3 URL is denied.
Set up AWS WAF
AWS Web Application Firewall (AWS WAF) can be applied to resources such as:
Amazon CloudFront distributions: AWS WAF can protect web applications and APIs that are served by Amazon CloudFront, AWS's global Content Delivery Network (CDN). By integrating with CloudFront, AWS WAF provides protection at the edge locations, reducing the latency for users.
Create an AWS WAF web ACL
Select "Amazon CloudFront distributions" as the resource type for the web ACL.
Under Associated AWS resources, click Add AWS resources and select the distribution.
Add rules to the web ACL and create IP sets
If you want to learn how to add rules to a web ACL and create IP sets, visit this URL: https://utkarsh80.hashnode.dev/how-do-we-configure-aws-waf-to-block-or-allow-web-requests
Now go to the CloudFront distribution and enable AWS WAF protection on it.
Now it is time to test your AWS WAF. Copy the distribution domain name and paste it into a new browser tab.
If the rule action is Block for my IP address, the resource responds to requests with an HTTP 403 status code (Forbidden).
If the rule action is Allow for my IP address, the resource responds to requests by showing the site at this URL.
Thank you for taking the time to read.
Written by
Utkarsh Gupta