TL;DR - How do I block requests for https://s3-eu-west-1.amazonaws.com/BUCKET-NAME/FILE.EXT while allowing requests coming via CloudFront?
I followed the AWS documentation "Restricting Access to Amazon S3 Content by Using an Origin Access Identity" and this appears to be tested and working almost perfectly (in my case with an Alternate Domain Name set), however when I try the URL...
https://s3-eu-west-1.amazonaws.com/BUCKET-NAME/index.html
...the index.html document is returned! What is worse, I can access any object in the bucket by following this convention. My understanding is that should not happen, and only CloudFront URLs should return objects.
Static website hosting for the S3 bucket is disabled. Visiting the S3 endpoint URL http://BUCKET-NAME.s3-website-eu-west-1.amazonaws.com/index.html returns a 404 (with code "NoSuchWebsiteConfiguration"), which is the expected result. Can someone please explain why the other links work, instead of returning a 403 or 404 error?
When I set up the CloudFront distribution, for the option "Grant Read Permissions on Bucket" I selected "Yes, Update Bucket Policy", which produced this S3 bucket policy in use now:
{
    "Version": "2008-10-17",
    "Id": "PolicyForCloudFrontPrivateContent",
    "Statement": [
        {
            "Sid": " Grant a CloudFront Origin Identity access to support private content",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity XXXXXXXXXXXXXX"
            },
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::BUCKET-NAME/*"
        }
    ]
}
This would be the expected outcome if you set the objects to public when you uploaded them (or they were subsequently set to public). If they are public, then they are public, so S3 allows them to be accessed.
Origin Access Identities don't actually "restrict access." They allow access to objects that are not public, via CloudFront.
This is mentioned in the docs page you cited.
This isn't well-phrased. Here's what it actually means.
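As an added example (not code from the question or the answer above), the following boto3-style audit finds the objects in the bucket whose own ACL grants READ to the AllUsers or AuthenticatedUsers group, which is what keeps them readable at the direct S3 URL despite the OAI policy, and optionally resets them to private. The client object is assumed to be `boto3.client("s3")` or any stand-in with the same `list_objects_v2`, `get_object_acl` and `put_object_acl` methods.

```python
"""Find (and optionally fix) S3 objects that are still public through their own ACL.

Added example, not from the question or answer above. An Origin Access Identity in
the bucket policy only grants CloudFront access; an object whose ACL grants READ to
AllUsers or AuthenticatedUsers remains reachable at the plain S3 URL. Once those
grants are gone, the direct URL returns 403 AccessDenied while CloudFront still works.

`s3` is anything with boto3's S3 client interface (boto3.client("s3") in practice).
"""

PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",           # anyone at all
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",  # any AWS account
}


def acl_is_public(acl):
    """True if an ACL (shape of a get_object_acl response) grants READ or
    FULL_CONTROL to one of the public groups."""
    return any(
        g.get("Grantee", {}).get("Type") == "Group"
        and g["Grantee"].get("URI") in PUBLIC_GROUPS
        and g.get("Permission") in ("READ", "FULL_CONTROL")
        for g in acl.get("Grants", [])
    )


def list_keys(s3, bucket):
    """Yield every key in the bucket, following continuation tokens."""
    kwargs = {"Bucket": bucket}
    while True:
        page = s3.list_objects_v2(**kwargs)
        for obj in page.get("Contents", []):
            yield obj["Key"]
        if not page.get("IsTruncated"):
            return
        kwargs["ContinuationToken"] = page["NextContinuationToken"]


def find_public_objects(s3, bucket, remediate=False):
    """Return the sorted keys readable through their object ACL. With
    remediate=True, reset each one to the 'private' canned ACL (owner only)."""
    public = []
    for key in list_keys(s3, bucket):
        if acl_is_public(s3.get_object_acl(Bucket=bucket, Key=key)):
            public.append(key)
            if remediate:
                s3.put_object_acl(Bucket=bucket, Key=key, ACL="private")
    return sorted(public)
```

Turning on S3 Block Public Access for the bucket (its `IgnorePublicAcls` setting) reaches the same end state without rewriting each object's ACL, and is the cheaper check to make first.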