AWS AmazonCloudFront medium security documentation change
Summary
Updated terminology and documentation to clarify that CloudFront distributions (with OAC) require permissions instead of OAC entities directly. Revised examples and instructions to emphasize proper IAM policies for S3 buckets and KMS keys.
Security assessment
The changes correct ambiguous permissions guidance by explicitly tying S3/KMS access to CloudFront distributions (via OAC) rather than OAC itself. This prevents misconfigurations where permissions might be incorrectly scoped, reducing the risk of unauthorized access. The KMS key policy example update ensures encryption key access aligns with least-privilege principles.
Diff
diff --git a/AmazonCloudFront/latest/DeveloperGuide/private-content-restricting-access-to-s3.md b/AmazonCloudFront/latest/DeveloperGuide/private-content-restricting-access-to-s3.md index ff450893b..5e23d515b 100644 --- a//AmazonCloudFront/latest/DeveloperGuide/private-content-restricting-access-to-s3.md +++ b//AmazonCloudFront/latest/DeveloperGuide/private-content-restricting-access-to-s3.md @@ -52 +52 @@ Complete the steps described in the following topics to set up a new origin acce - * Give the origin access control permission to access the S3 bucket + * Grant CloudFront permission to access the S3 bucket @@ -78 +78 @@ For example, if you choose **Do not override authorization header** and want to -### Give the origin access control permission to access the S3 bucket +### Grant CloudFront permission to access the S3 bucket @@ -80 +80 @@ For example, if you choose **Do not override authorization header** and want to -Before you create an origin access control (OAC) or set it up in a CloudFront distribution, make sure the OAC has permission to access the S3 bucket origin. Do this after creating a CloudFront distribution, but before adding the OAC to the S3 origin in the distribution configuration. +Before you create an origin access control (OAC) or set it up in a CloudFront distribution, make sure that CloudFront has permission to access the S3 bucket origin. Do this after creating a CloudFront distribution, but before adding the OAC to the S3 origin in the distribution configuration. @@ -82 +82 @@ Before you create an origin access control (OAC) or set it up in a CloudFront di -To give the OAC permission to access the S3 bucket, use an S3 [bucket policy](https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucket-policies.html) to allow the CloudFront service principal (`cloudfront.amazonaws.com`) to access the bucket. Use a `Condition` element in the policy to allow CloudFront to access the bucket only when the request is on behalf of the CloudFront distribution that contains the S3 origin. +Use an S3 [bucket policy](https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucket-policies.html) to allow the CloudFront service principal (`cloudfront.amazonaws.com`) to access the bucket. Use a `Condition` element in the policy to allow CloudFront to access the bucket only when the request is on behalf of the CloudFront distribution that contains the S3 origin. This is the distribution with the S3 origin that you want to add OAC to. @@ -86 +86 @@ For information about adding or modifying a bucket policy, see [Adding a bucket -The following are examples of S3 bucket policies that allow a CloudFront OAC to access an S3 origin. +The following are examples of S3 bucket policies that allow a CloudFront distribution with OAC enabled access to an S3 origin. @@ -88 +88 @@ The following are examples of S3 bucket policies that allow a CloudFront OAC to -###### Example S3 bucket policy that allows read-only access to a CloudFront OAC +###### Example S3 bucket policy that allows read-only access for a CloudFront distribution with OAC enabled @@ -109 +109 @@ The following are examples of S3 bucket policies that allow a CloudFront OAC to -###### Example S3 bucket policy that allows read and write access to a CloudFront OAC +###### Example S3 bucket policy that allows read and write access for a CloudFront distribution with OAC enabled @@ -135 +135 @@ The following are examples of S3 bucket policies that allow a CloudFront OAC to -If the objects in the S3 bucket origin are encrypted using [server-side encryption with AWS Key Management Service (SSE-KMS)](https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingKMSEncryption.html), you must make sure that the OAC has permission to use the AWS KMS key. To give the OAC permission to use the KMS key, add a statement to the [KMS key policy](https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html). For information about how to modify a key policy, see [Changing a key policy](https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-modifying.html) in the _AWS Key Management Service Developer Guide_. +If the objects in the S3 bucket origin are encrypted using [server-side encryption with AWS Key Management Service (SSE-KMS)](https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingKMSEncryption.html), you must make sure that the CloudFront distribution has permission to use the AWS KMS key. To give the CloudFront distribution permission to use the KMS key, add a statement to the [KMS key policy](https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html). For information about how to modify a key policy, see [Changing a key policy](https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-modifying.html) in the _AWS Key Management Service Developer Guide_. @@ -137 +137 @@ If the objects in the S3 bucket origin are encrypted using [server-side encrypti -The following example shows a KMS key policy statement that allows the OAC to use the KMS key. +###### Example KMS key policy statement @@ -139 +139 @@ The following example shows a KMS key policy statement that allows the OAC to us -###### Example KMS key policy statement that allows a CloudFront OAC to access a KMS key for SSE-KMS +The following example shows a AWS KMS policy statement that allows the CloudFront distribution with OAC to access a KMS key for SSE-KMS. @@ -300 +300 @@ If you need to delete a distribution with an OAC attached to an S3 bucket, you s -To migrate from a legacy origin access identity (OAI) to an origin access control (OAC), first update the S3 bucket origin to allow both the OAI and OAC to access the bucket's content. This makes sure that CloudFront never loses access to the bucket during the transition. To allow both OAI and OAC to access an S3 bucket, update the [bucket policy](https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucket-policies.html) to include two statements, one for each kind of principal. +To migrate from a legacy origin access identity (OAI) to an origin access control (OAC), first update the S3 bucket origin to allow both the OAI and the distribution with OAC enabled to access the bucket's content. This makes sure that CloudFront never loses access to the bucket during the transition. To allow both OAI and the distribution with OAC enabled to access an S3 bucket, update the [bucket policy](https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucket-policies.html) to include two statements, one for each kind of principal. @@ -302 +302 @@ To migrate from a legacy origin access identity (OAI) to an origin access contro -The following example S3 bucket policy allows both an OAI and an OAC to access an S3 origin. +The following example S3 bucket policy allows both an OAI and a distribution with OAC enabled to access an S3 origin. @@ -304 +304 @@ The following example S3 bucket policy allows both an OAI and an OAC to access a -###### Example S3 bucket policy that allows read-only access to an OAI and an OAC +###### Example S3 bucket policy that allows read-only access for an OAI and a CloudFront distribution with OAC enabled @@ -338 +338 @@ After you update the S3 origin's bucket policy to allow access to both OAI and O -After the distribution is fully deployed, you can remove the statement in the bucket policy that allows access to the OAI. For more information, see Give the origin access control permission to access the S3 bucket. +After the distribution is fully deployed, you can remove the statement in the bucket policy that allows access to the OAI. For more information, see Grant CloudFront permission to access the S3 bucket.