Amazon's security recommendations have significantly evolved since 2017. While the original bucket policy approach technically works, modern security best practices demand more sophisticated access control. The warning message you encountered reflects AWS's current hardline stance against public S3 access, even for read-only scenarios.
Instead of making the bucket public, give CloudFront its own identity and grant only that identity read access. With Origin Access Identity (OAI) this is a special CloudFront user that fetches objects on the viewer's behalf; the bucket itself stays private, so S3 Block Public Access can stay enabled and the warning goes away. Note that OAI is now the legacy mechanism: for new distributions AWS recommends Origin Access Control (OAC), which works the same way but uses the CloudFront service principal and a condition on the distribution ARN instead of an OAI user. Here's the OAI implementation:
// OAI configuration (CloudFrontOriginAccessIdentityConfig), as passed to
// aws cloudfront create-cloud-front-origin-access-identity; this creates the OAI,
// not the distribution. The Id in the response (E...) goes into the bucket policy below.
{
"CallerReference": "my-oai-identifier",
"Comment": "OAI for secure S3 access"
}
// S3 Bucket Policy for OAI
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowCloudFrontAccess",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity EABCDEFGHIJKLMN"
},
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::your-bucket-name/*"
}
]
}
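As an added, stand-alone Python example (not code from the original answer), the audit below reads a bucket policy the way a reviewer or IAM Access Analyzer would: it flags Allow statements that grant to everyone with no condition, flags statements that are guarded only by a Referer header, and checks that any OAI principal is well formed. make_oai_policy builds the statement shown above and make_oac_policy builds the OAC equivalent. The bucket name, OAI ID and distribution ARN are placeholders, and PUBLIC_READ_POLICY is a constructed sample of the legacy public policy.

```python
import re

# Constructed sample: the legacy "public read" bucket policy the text warns about.
PUBLIC_READ_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicReadGetObject",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::your-bucket-name/*",
    }],
}

# An OAI principal is an IAM user ARN in the special "cloudfront" account.
OAI_PRINCIPAL_RE = re.compile(
    r"^arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity (E[A-Z0-9]+)$"
)

def _as_list(value):
    """Most IAM fields accept a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def principals_of(stmt):
    """Flatten the Principal element to a list of strings; "*" means anonymous."""
    principal = stmt.get("Principal", {})
    if not isinstance(principal, dict):
        return _as_list(principal)
    found = []
    for key in ("AWS", "Service", "Federated", "CanonicalUser"):
        found.extend(_as_list(principal.get(key)))
    return found

def condition_keys(stmt):
    """Lower-cased condition keys of the statement (IAM compares key names case-insensitively)."""
    keys = set()
    for _operator, key_values in stmt.get("Condition", {}).items():
        keys.update(k.lower() for k in key_values)
    return keys

def audit_policy(policy):
    """Return one finding per problem; an empty list means nothing public was found."""
    findings = []
    for stmt in policy.get("Statement", []):
        sid = stmt.get("Sid", "<no Sid>")
        if stmt.get("Effect") != "Allow":
            continue  # a Deny never widens access
        actions = ", ".join(_as_list(stmt.get("Action")))
        principals = principals_of(stmt)
        if "*" in principals:
            keys = condition_keys(stmt)
            if not keys:
                findings.append(f"{sid}: grants {actions} to everyone (Principal *)")
            elif keys <= {"aws:referer"}:
                # Any HTTP client can set Referer, so this is obscurity, not access control.
                findings.append(f"{sid}: grants {actions} to everyone, guarded only by aws:Referer")
        for principal in principals:
            if "cloudfront:user/" in principal and not OAI_PRINCIPAL_RE.match(principal):
                findings.append(f"{sid}: malformed OAI principal {principal!r}")
    return findings

def make_oai_policy(bucket, oai_id):
    """Bucket policy granting one OAI read access to objects and nothing else."""
    arn = f"arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity {oai_id}"
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowCloudFrontOAIRead",
            "Effect": "Allow",
            "Principal": {"AWS": arn},
            "Action": "s3:GetObject",
            "Resource": f"arn:aws:s3:::{bucket}/*",
        }],
    }

def make_oac_policy(bucket, distribution_arn):
    """OAC equivalent: the CloudFront service principal, pinned to one distribution ARN."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowCloudFrontServicePrincipalRead",
            "Effect": "Allow",
            "Principal": {"Service": "cloudfront.amazonaws.com"},
            "Action": "s3:GetObject",
            "Resource": f"arn:aws:s3:::{bucket}/*",
            "Condition": {"StringEquals": {"AWS:SourceArn": distribution_arn}},
        }],
    }
```

Run audit_policy over the policy you are about to apply (json.load of the file) and refuse the deploy if it returns anything; the Referer case is listed separately because it is the pattern that usually survives a naive "no Principal *" check.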
For production environments, consider these enhancements. Both conditions below apply to the request CloudFront makes to S3, not to the viewer's request, so read the caveats before copying them:
// Restrict by Referer: the legacy pattern for an S3 website endpoint, which cannot use an OAI.
// CloudFront adds a custom origin header (Referer: <random secret>) and the policy only allows
// requests that carry it. The secret travels in a plain header that any client can set, so this is
// a weak substitute for OAI, not an additional layer on top of it.
"Condition": {
"StringLike": {
"aws:Referer": "your-secret-key"
}
}
// IP restriction. S3 sees CloudFront's edge IP addresses, not the viewer's, so attaching this
// condition to the OAI statement would block CloudFront itself. Use it in a separate statement for
// principals that really connect from those networks (for example a deployment host), and enforce
// viewer IP restrictions with AWS WAF on the distribution. The ranges are RFC 5737 documentation addresses.
"Condition": {
"IpAddress": {
"aws:SourceIp": [
"192.0.2.0/24",
"203.0.113.0/24"
]
}
}
When implementing OAI, watch for these gotchas:
- Bucket policy syntax errors (the console only checks JSON; confirm the effect with the IAM Policy Simulator or IAM Access Analyzer policy checks)
- CORS configuration conflicts
- Cache behavior settings affecting access, and the 403-vs-404 surprise: with only s3:GetObject granted, a request for a missing object returns 403, not 404; grant s3:ListBucket on the bucket ARN (arn:aws:s3:::your-bucket-name) as well if you want real 404s
- Region-specific endpoint requirements: use the bucket's regional REST endpoint (your-bucket-name.s3.region.amazonaws.com) as the origin; the website endpoint does not support OAI, and a newly created bucket reached through the global endpoint may redirect for a while until DNS propagates
Implement these AWS services to maintain security:
- S3 server access logs (or CloudTrail data events) to track all object requests
- CloudTrail for API call monitoring, including bucket policy changes
- GuardDuty for anomaly detection
- Regular policy reviews with IAM Access Analyzer, which flags any bucket policy that grants public or cross-account access
For years, AWS practitioners have followed the pattern of making S3 buckets publicly readable when using CloudFront as a CDN. While this works, the security implications have become increasingly concerning. AWS now explicitly warns against any form of public bucket access, creating a puzzle for developers hosting static websites.
The standard bucket policy that grants s3:GetObject to everyone (Principal: "*") creates several risks:
- Data exposure if a broader action or a wildcard resource ever lands in the policy, since nothing else stands between the bucket and the internet
- Direct S3 access that bypasses CloudFront, so WAF rules, caching and rate limiting do not apply and request-driven traffic and cost land on the bucket
- Violation of security baselines in regulated industries (and S3 Block Public Access has to stay off for such a policy to take effect)
Here's how to configure CloudFront to access private S3 content securely:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity YOUR_OAI_ID"
},
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::your-bucket-name/*"
}
]
}
- Create Origin Access Identity (OAI): in the distribution's origin settings, create a new OAI or select an existing one. The origin must be the bucket's REST endpoint, not the website endpoint
- Update S3 Bucket Policy: replace the public read policy with the restricted version shown above (the console can write it for you if you choose to update the bucket policy automatically). Afterwards you can enable S3 Block Public Access, because the OAI principal is not public
- Configure CloudFront Behavior: ensure the origin references the OAI and the default behavior serves from that origin. For a static site also set the default root object (index.html), since the REST endpoint does not serve index documents the way the website endpoint does
For mission-critical applications, consider these additional measures. The aws:SourceArn condition belongs to the newer Origin Access Control (OAC) model, where the principal is the CloudFront service rather than an OAI user; it ties the grant to one specific distribution, so no other distribution in any account can reuse the bucket. Viewer IP restrictions do not belong in this statement, because S3 sees CloudFront's addresses rather than the viewer's; use AWS WAF on the distribution for that.
// Example S3 policy statement for OAC, pinned to one distribution
{
"Effect": "Allow",
"Principal": {"Service": "cloudfront.amazonaws.com"},
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::your-bucket-name/*",
"Condition": {
"StringEquals": {
"AWS:SourceArn": "arn:aws:cloudfront::account-id:distribution/distribution-id"
}
}
}
- Test all website URLs after OAI implementation, including nested paths and a deliberately missing object
- Monitor CloudFront logs for 403 errors (a 403 from the origin usually means the OAI principal or the Resource ARN in the bucket policy does not match)
- Update CI/CD pipelines to use proper credentials for deployments: the pipeline's IAM role needs its own s3:PutObject grant, and it should create a CloudFront invalidation after each deploy
- Consider implementing S3 Access Points for multi-account scenarios
If you encounter access problems:
- Verify the OAI is properly associated with your CloudFront distribution (in the distribution config, S3OriginConfig.OriginAccessIdentity should read origin-access-identity/cloudfront/<OAI ID>)
- Check for typos in the bucket policy ARNs: the OAI ID in the principal and the bucket name in the Resource must match exactly, and a Resource without the trailing /* does not cover objects
- Ensure no competing policies are denying access (an explicit Deny in the bucket policy or an SCP wins over the Allow; S3 Block Public Access does not block an OAI)
- Use IAM Access Analyzer for S3 to validate permissions, and allow a few minutes for a distribution change to deploy to all edge locations
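As an added example, again not code from the original answer, the Python check below runs the three-step procedure and the troubleshooting list above against two inputs: the distribution config in the shape returned by aws cloudfront get-distribution-config, and the bucket policy. It confirms that each S3 origin is the REST endpoint, that an OAI is attached, that the same OAI ID appears as a principal in the bucket policy, and that the policy's Resource covers the origin bucket's objects. Both inputs are constructed samples; the bucket name and OAI ID are placeholders.

```python
import re

# Constructed sample in the shape of `aws cloudfront get-distribution-config`
# (only the fields this check reads). Domain name, bucket and OAI ID are placeholders.
DISTRIBUTION_CONFIG = {
    "Origins": {
        "Items": [{
            "Id": "S3-your-bucket-name",
            "DomainName": "your-bucket-name.s3.us-east-1.amazonaws.com",
            "S3OriginConfig": {
                "OriginAccessIdentity": "origin-access-identity/cloudfront/EABCDEFGHIJKLMN"
            },
        }],
    }
}

# Constructed sample bucket policy: the same statement the answer shows.
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {
            "AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity EABCDEFGHIJKLMN"
        },
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::your-bucket-name/*",
    }],
}

OAI_IN_ORIGIN_RE = re.compile(r"^origin-access-identity/cloudfront/(E[A-Z0-9]+)$")
OAI_IN_POLICY_RE = re.compile(
    r"^arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity (E[A-Z0-9]+)$"
)
S3_RESOURCE_RE = re.compile(r"^arn:aws:s3:::([^/]+)(/.*)?$")
# REST endpoints: bucket.s3.amazonaws.com, bucket.s3.<region>.amazonaws.com, dual-stack variants.
REST_ENDPOINT_RE = re.compile(r"^(?P<bucket>.+)\.s3(?:\.[a-z0-9-]+)*\.amazonaws\.com$")

def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def policy_grants(policy):
    """Collect OAI IDs and buckets from Allow statements; bucket maps to True if objects (/…) are covered."""
    oais, buckets = set(), {}
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        aws_principals = _as_list(principal.get("AWS")) if isinstance(principal, dict) else []
        for arn in aws_principals:
            m = OAI_IN_POLICY_RE.match(arn)
            if m:
                oais.add(m.group(1))
        for resource in _as_list(stmt.get("Resource")):
            m = S3_RESOURCE_RE.match(resource)
            if m:
                bucket, covers_objects = m.group(1), m.group(2) is not None
                buckets[bucket] = buckets.get(bucket, False) or covers_objects
    return oais, buckets

def check_origins(dist_config, policy):
    """Cross-check every S3 origin against the bucket policy; returns a list of findings."""
    findings = []
    oais, buckets = policy_grants(policy)
    for origin in dist_config["Origins"]["Items"]:
        oid, domain = origin["Id"], origin["DomainName"]
        if "s3-website" in domain:  # website endpoints cannot be used with an OAI
            findings.append(f"{oid}: {domain} is a website endpoint; OAI needs the REST endpoint")
            continue
        s3cfg = origin.get("S3OriginConfig")
        if s3cfg is None:
            findings.append(f"{oid}: no S3OriginConfig, so CloudFront treats it as a custom origin")
            continue
        m = OAI_IN_ORIGIN_RE.match(s3cfg.get("OriginAccessIdentity", ""))
        if not m:
            findings.append(f"{oid}: no OAI attached to the origin")
            continue
        oai = m.group(1)
        if oai not in oais:
            findings.append(f"{oid}: OAI {oai} is not a principal in the bucket policy")
        host = REST_ENDPOINT_RE.match(domain)
        bucket = host.group("bucket") if host else domain
        if bucket not in buckets:
            findings.append(f"{oid}: bucket {bucket} is not covered by the bucket policy")
        elif not buckets[bucket]:
            findings.append(f"{oid}: policy Resource for {bucket} lacks /*, so objects are not covered")
    return findings
```

Feed it the two JSON documents from the CLI (the DistributionConfig object and the output of get-bucket-policy) and an empty list means the OAI wiring is consistent; every finding maps to one of the troubleshooting bullets above. It does not evaluate Deny statements or SCPs, so a 403 with no findings still points at those.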