
32. [Application] Restrict S3 access

by SAMSUNG CLOUD-OKY 2022. 1. 31.

## How to restrict S3 access

1) Edit in CloudFront  
- Create an OAI -> update the S3 bucket policy (allow access to the S3 images only via the CloudFront URL)

2) Applying the change takes about 20 minutes

3) Check the generated policy under the S3 bucket's Permissions

4) Remove the Public Access permission from the object
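The steps above (and the walkthrough in the transcript) leave two things to check: that the bucket policy CloudFront generated grants only the OAI, and only `s3:GetObject` (step 3), and that the object no longer carries an "Everyone: read object" ACL grant (step 4). The Python below is an added example, not code from the course or from this blog; it builds the same OAI-only bucket policy CloudFront writes and audits a policy and an object ACL offline. The bucket name, the OAI id and the sample ACL/policy documents are constructed placeholders; the OAI principal ARN format and the AllUsers/AuthenticatedUsers group URIs are the real AWS forms.

```python
import json

# Constructed sample values (placeholders), not taken from the page or any real account.
BUCKET = "example-image-bucket"
OAI_ID = "E1EXAMPLEOAI"  # placeholder OAI id
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"


def oai_principal_arn(oai_id):
    """Principal that S3 bucket policies use for a CloudFront origin access identity."""
    return f"arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity {oai_id}"


def oai_bucket_policy(bucket, oai_id):
    """Equivalent of the policy CloudFront writes when 'update bucket policy' is chosen:
    the OAI may s3:GetObject on every object in the bucket; nothing else is granted."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowCloudFrontOAIReadOnly",
            "Effect": "Allow",
            "Principal": {"AWS": oai_principal_arn(oai_id)},
            "Action": "s3:GetObject",
            "Resource": f"arn:aws:s3:::{bucket}/*",
        }],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principals(stmt):
    """Flatten the Principal element ('*', {'AWS': ...}, {'AWS': [...]}) into a list."""
    p = stmt.get("Principal", {})
    if p == "*":
        return ["*"]
    if isinstance(p, dict):
        out = []
        for v in p.values():
            out.extend(_as_list(v))
        return out
    return _as_list(p)


def audit_bucket_policy(policy, oai_id):
    """Step 3 check: which Allow statements use a wildcard principal (public),
    and which actions the OAI principal has been granted."""
    public_sids, oai_actions = [], set()
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        principals = _principals(stmt)
        if "*" in principals:
            public_sids.append(stmt.get("Sid", "<no Sid>"))
        if oai_principal_arn(oai_id) in principals:
            oai_actions.update(_as_list(stmt.get("Action", [])))
    return {"public_sids": public_sids, "oai_actions": oai_actions}


def is_cloudfront_read_only(policy, oai_id):
    """True when no statement is public and the OAI holds exactly s3:GetObject."""
    report = audit_bucket_policy(policy, oai_id)
    return not report["public_sids"] and report["oai_actions"] == {"s3:GetObject"}


def public_grants(acl):
    """Step 4 check on an object ACL (shape of GetObjectAcl output): grants to the
    AllUsers/AuthenticatedUsers groups are what the console shows as 'Everyone: read object'."""
    return [g for g in acl.get("Grants", [])
            if g.get("Grantee", {}).get("Type") == "Group"
            and g["Grantee"].get("URI") in (ALL_USERS, AUTH_USERS)]


def without_public_grants(acl):
    """The ACL as it looks after 'read object' for Everyone is removed and saved."""
    public = public_grants(acl)
    return {"Owner": acl.get("Owner"),
            "Grants": [g for g in acl.get("Grants", []) if g not in public]}


# Constructed object ACL before step 4: owner has full control, Everyone can read.
SAMPLE_PUBLIC_ACL = {
    "Owner": {"ID": "owner-canonical-id-placeholder"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id-placeholder"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
    ],
}

# Constructed bucket policy that still allows anonymous reads (what the audit must flag).
SAMPLE_PUBLIC_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
                   "Action": "s3:GetObject", "Resource": f"arn:aws:s3:::{BUCKET}/*"}],
}

if __name__ == "__main__":
    policy = oai_bucket_policy(BUCKET, OAI_ID)
    print(json.dumps(policy, indent=2))
    print("OAI-only read:", is_cloudfront_read_only(policy, OAI_ID))
    print("public ACL grants before:", len(public_grants(SAMPLE_PUBLIC_ACL)))
    print("public ACL grants after:", len(public_grants(without_public_grants(SAMPLE_PUBLIC_ACL))))
```

Run `audit_bucket_policy` against the policy you see under the bucket's Permissions tab and `public_grants` against the object's ACL before you test the URLs. Once the distribution has finished propagating, an anonymous request to the S3 object URL should be refused (403 AccessDenied) while the same path on the CloudFront domain name still returns the image; if the S3 URL still works, either a public grant or a wildcard-principal statement is still present and the two checks above will show which.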


So in this video let's take a look at how to restrict access to the S3 bucket. What we want to do is stop anybody from accessing the image directly from S3, because we are using CloudFront and there's no need for anybody to access S3 directly. Right now the image that we have has public access. It's a public image, and that's the reason anybody can access that image right now. To stop this we have to remove this public access.

But as soon as we do that, what will happen is CloudFront itself will lose access. CloudFront will not be able to read this image, and therefore the user will not be able to fetch that image from CloudFront. So what we need to do is create what is called an origin access identity. This is an identity of the distribution, and in the S3 bucket policy we need to make sure that this OAI has access to the images. The way we do this is actually as we configure the CloudFront distribution: we say restrict access to the S3 bucket and only allow CloudFront to access the S3 bucket, and then CloudFront can make this edit to the bucket policy in such a way that this OAI, in other words the CloudFront distribution, will have access to the images in S3.

Once we do this we can verify it. What you can do is try the URL of the image, and you should not be able to see the image directly. Then you can try the CloudFront distribution URL as well, and that should work, because the OAI has been allowed in the S3 bucket policy.

All right, so let's see how to do this. What you need to do is go to the CloudFront distribution, and in the origin settings (the origin is the S3 bucket) right now we have "No" for this field, "Restrict Bucket Access", so there's no restriction on the bucket. Let's say "Yes" to that. Then you need to say "Create a New Identity"; this origin access identity is the identity of the CloudFront distribution. So we will create a new identity, and then also say "Yes" to this where CloudFront will update the S3 bucket policy. It will update it automatically, you don't have to do it, and it will basically update it in such a way that this identity we're creating will have access to the S3 content. So that's it: you have to say "Yes" to restrict bucket access, that's number one; next create a new identity, number two; and number three, say "Yes" to update the bucket policy. Make these three changes and then say yes.

Now this change will take some time. If you look at your CloudFront distribution you can see the status of the distribution over here is "In Progress", because we made a configuration change, and configuration changes take some time to propagate to all the edge locations. Don't expect this to work immediately, but in maybe 20 minutes, something like that, the change will take effect.

But in the meantime let's go to the S3 console. This is our bucket and this is our image. If you look at the permissions of the S3 bucket, and more specifically the bucket policy, you will see that there is a bucket policy now. It would have been empty earlier, and here there's an entry created by CloudFront. When we made this change and hit save, CloudFront made this change to the bucket policy, and what it has done is essentially add a policy saying that this origin access identity, which is basically referring to the CloudFront distribution that we have, has GetObject access, which means it can read the images in this bucket. And what can it read? All the images, all the content in this particular bucket. So basically the CloudFront distribution can read all the contents of this particular bucket, but only read; it can't do anything else. This bucket policy, which is an S3 bucket policy, has been created by the CloudFront distribution.

So now you can see what we've just done: we have created an origin access identity, and when we save this configuration in CloudFront the S3 bucket policy is created automatically, and that allows only the origin access identity access to the bucket.

So these two things we have done now. Also remember that the image that we have, this one here, is a public image. Take a look at this image: if you look at the permissions of this image you can see that Everyone has read object access. That's how we're able to view the image; that's also how our application includes the URL of the image, and all the users can see this image via our application as well. We want to stop this, we have to remove this, because now we just want CloudFront to be able to fetch images from this S3 bucket. So this we need to remove, and the way we can do that is just click on this, remove "read object", and then press save. Now this image is no longer public.

So once again, what we have done just now is remove the public access on the particular image. This, by the way, is object-level permissions, and the bucket policy is bucket permissions.

So in summary, what we've done is we have removed public access to the image, so nobody can access the image directly using its URL from S3. But that would mean even CloudFront would not be able to access the image, so then what we've done is we have a bucket policy now, a new policy, and this allows the origin access identity of the distribution to access the contents of the bucket. In terms of how we did it, we essentially updated the configuration in the origin settings of the distribution, and there we created the origin access identity, and when we pressed save there the bucket policy was created automatically. Then separately we have to go and remove the public access on the image.

So what you can do now (I'm not going to show this to you, but you can try this yourself) is try the URL of the image, the S3 URL of the image, which is basically this one here. This is the URL, this one here; you can try this and this time it should not work, so the image will not show. Then you can try the CloudFront URL of the image, which is basically the CloudFront DNS name and then the name of the image. This one should show, because CloudFront has access to the images in the bucket, so it should be able to show the image even though you can't access the image directly from S3. And just remember, you have to wait for the CloudFront distribution configuration changes to take effect. So wait for the CF configuration to change; this can take maybe 20 minutes, something like that. So just wait for this and then try verifying these configuration changes.

I hope that this is clear, and good luck with this task.
