AWS AmazonCloudFront high security documentation change
Summary
Updated S3 origin guidance to recommend Origin Access Control (OAC) instead of public bucket access
Security assessment
Explicitly recommends secure access control pattern to prevent public S3 exposure, addressing a common security risk
Diff
diff --git a/AmazonCloudFront/latest/DeveloperGuide/troubleshooting-distributions.md b/AmazonCloudFront/latest/DeveloperGuide/troubleshooting-distributions.md index 7d265f653..9ba820980 100644 --- a//AmazonCloudFront/latest/DeveloperGuide/troubleshooting-distributions.md +++ b//AmazonCloudFront/latest/DeveloperGuide/troubleshooting-distributions.md @@ -169 +169 @@ To use Amazon CloudFront with an Amazon S3 origin, you must sign up for both Clo -If you are using CloudFront with an Amazon S3 origin, the original versions of your content are stored in an S3 bucket. The easiest way to use CloudFront with Amazon S3 is to make all of your objects publicly readable in Amazon S3. To do this, you must explicitly enable public read privileges for each object that you upload to Amazon S3. +If you're using CloudFront with an Amazon S3 origin, the original versions of your content are stored in an S3 bucket. To serve the content to your viewers, we recommend that you use CloudFront Origin Access Control (OAC) to secure Amazon S3 bucket access. This means your S3 bucket is reachable only through CloudFront. OAC controls viewer access and secure delivery via CloudFront. For more information about OAC, see [Restrict access to an Amazon Simple Storage Service origin](./private-content-restricting-access-to-s3.html). @@ -171 +171 @@ If you are using CloudFront with an Amazon S3 origin, the original versions of y -If your content is not publicly readable, you must create a CloudFront origin access control (OAC) so that CloudFront can access it. For more information about CloudFront origin access control, see [Restrict access to an Amazon Simple Storage Service origin](./private-content-restricting-access-to-s3.html). +For more information about managing your bucket access, see [Blocking public access to your Amazon S3 storage](https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-block-public-access.html) in the _Amazon S3 User Guide_.