How to Create an Origin Access Identity for AWS CloudFront

AWS CloudFront is a content distribution service offered by AWS to speed up the delivery of static content such as media files, HTML, JavaScript and CSS. The user creates a distribution whose origin is either an S3 bucket or another AWS service.

When CloudFront serves objects from AWS S3 with no further configuration, each object must be readable by the public so that CloudFront can fetch it. With the object permission set this way, an end user can also bypass CloudFront and fetch the object directly from S3 using the URL: http://<bucketname>.s3.amazonaws.com/<objectname>

The user can secure access to their CloudFront distribution using signed URLs. If the user wants to set up signed URLs, direct access to the S3 bucket by the general public must also be restricted; otherwise the signed URL can simply be bypassed. To restrict access to the AWS S3 bucket, the user can configure an origin access identity.

The origin access identity is a special CloudFront user. Through the S3 bucket ACL and bucket policy, the user can grant access to this CloudFront user alone. Once the origin access identity has been configured and the bucket restricted to it, any other user who tries to fetch the S3 object directly is denied, because only the origin access identity is allowed to read it.

This guide demonstrates how to create an origin access identity for a CloudFront streaming distribution or download distribution.

1. Go to the AWS CloudFront console. The console lists all the existing streaming and download distributions. Create a new download distribution or streaming distribution, then open its configuration settings by clicking the [i] button.

2. If the user selected a streaming distribution in step 1, click “Edit” on the streaming properties page.

3. If the user selected a download distribution in step 1, select the “Origins” tab in the CloudFront distribution settings.

4. This loads the origin details. Select the domain name and click “Edit”.

5. In the edit page, check the value of “Restrict Access Bucket”. Select “Yes” to create the origin access identity user.

6. Provide the following details for the identity:

a. Origin Access Identity: Create a new CloudFront user or select an existing one.

b. Comment: A comment that identifies the origin access identity in the future.

c. Grant Read Permission: The user must remove all general access rights from the bucket and allow only the origin access identity to read it. CloudFront can generate a policy and add it directly to the bucket (if the “Yes, Update Policy” option is selected), or the user can create a bucket policy and assign it by hand. It is important to note that CloudFront does not remove existing access rights; it only adds the access rights for the new CloudFront user, so any public grants that were needed earlier must be removed manually.

7. Once the changes have been saved, the distribution is updated. The process takes around 10-15 minutes. When it has completed, the access policy of the S3 bucket contains the grant for the origin access identity.

8. If the user performs the above steps for a download distribution that has more than one origin, steps 3-6 must be repeated for each origin.
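As an added example (not code from the original guide), the following Python helper applies the caveat from step 6c: it adds the read-only grant for the origin access identity that CloudFront generates in step 7 and strips the public grants that CloudFront leaves in place. The bucket name, account id and OAI id are constructed placeholders.

```python
"""Audit and repair an S3 bucket policy for a CloudFront origin access identity.
Added example, not from the original guide; bucket name and OAI id are constructed
placeholders. It edits the policy document only, so it runs offline."""
import copy
import json

# Principal ARN form that CloudFront uses for an origin access identity.
OAI_PRINCIPAL = "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity {oai_id}"

def is_public(statement):
    """True for an Allow statement whose principal is everyone ('*')."""
    principal = statement.get("Principal")
    anyone = principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*")
    return statement.get("Effect") == "Allow" and anyone

def oai_statement(bucket, oai_id, sid="GrantCloudFrontOAIRead"):
    """The read-only grant that the console's 'Yes, Update Policy' option adds."""
    return {"Sid": sid, "Effect": "Allow",
            "Principal": {"AWS": OAI_PRINCIPAL.format(oai_id=oai_id)},
            "Action": "s3:GetObject", "Resource": f"arn:aws:s3:::{bucket}/*"}

def restrict_to_oai(policy, bucket, oai_id):
    """Return (new_policy, sids_removed). CloudFront only appends the OAI grant and
    leaves public grants alone (step 6c), so every Allow-to-'*' statement is stripped."""
    new = copy.deepcopy(policy)
    statements = new.get("Statement", [])
    removed = [s.get("Sid", "<no Sid>") for s in statements if is_public(s)]
    statements = [s for s in statements if not is_public(s)]
    wanted = oai_statement(bucket, oai_id)
    if not any(s.get("Principal") == wanted["Principal"] for s in statements):
        statements.append(wanted)  # idempotent: skipped when the grant is already there
    new["Statement"] = statements
    return new, removed

# Constructed sample: a policy still carrying the public-read grant from before the OAI existed.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-media-bucket/*"},
        {"Sid": "AdminList", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/media-admin"},
         "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example-media-bucket"},
    ],
}

if __name__ == "__main__":
    fixed, removed = restrict_to_oai(SAMPLE_POLICY, "example-media-bucket", "E1EXAMPLEOAI")
    print("removed:", removed, json.dumps(fixed, indent=2), sep="\n")
```

Object-level ACLs (for example public-read set on individual objects) live outside the bucket policy and have to be checked separately.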

Keywords: Amazon Web Services, AWS, Amazon AWS Console, AWS S3, Amazon CloudFront, AWS CloudFront, CloudFront, AWS EC2, AWS S3, Amazon S3, Download Distribution, AWS IAM, CloudFront Key Pairs, Trusted Signers, CDN, Content Distribution Network, Origin Access Identity
