Understanding OAI and OAC in AWS CloudFront: Concepts, Configuration, and Best Practices

Published at 11/29/2024
Categories: devoops, technology, trending, software
Author: anshul_kichara

Amazon CloudFront is a highly secure and scalable content delivery network (CDN) that improves the distribution of content to users with low latency and high transfer speeds. CloudFront offers two key features to enhance security when serving content from Amazon S3 buckets: Origin Access Identity (OAI) and Origin Access Control (OAC). In this blog, we’ll explore these features, their purpose, and how to configure them using Terraform. We’ll also discuss their advantages and disadvantages to help you decide which is suitable for your use case.

Target Audience

This blog is intended for cloud architects, DevOps engineers, and developers who are familiar with AWS and want to improve their understanding of secure content delivery using CloudFront and S3.

Key Concepts to Explain

What is OAI?
Origin Access Identity (OAI) is a special CloudFront user identity that ensures CloudFront can fetch objects securely from an S3 bucket without exposing them to the public.

What is OAC?
Origin Access Control (OAC) is an advanced feature providing fine-grained control over access permissions between CloudFront and S3. It builds on the benefits of OAI while offering additional flexibility and management improvements.

Terraform Configuration Examples

Configuring OAI in Terraform

Here’s how you can configure an OAI to secure your S3 bucket:

1. Define the S3 Bucket

    resource "aws_s3_bucket" "example" {
      bucket = "example-bucket"
    }

Here, we define an Amazon S3 bucket using Terraform. The bucket is named example-bucket. This will be the origin for our CloudFront distribution.

2. Create an OAI

    resource "aws_cloudfront_origin_access_identity" "example" {
      comment = "Access identity for CloudFront"
    }

This block creates an Origin Access Identity (OAI) for CloudFront. The OAI acts as a virtual user that CloudFront uses to securely access the S3 bucket.

Why OAI? Without an OAI, your S3 bucket would need to allow public access for CloudFront to fetch objects. By using an OAI, you can block public access to your bucket while allowing CloudFront to serve content.

3. Attach a Bucket Policy to Allow OAI Access
    resource "aws_s3_bucket_policy" "example" {
      bucket = aws_s3_bucket.example.id

      policy = jsonencode({
        Version = "2012-10-17"
        Statement = [
          {
            Effect    = "Allow"
            # Only the OAI's IAM ARN is a principal here; no public ("*") principal.
            Principal = {
              AWS = aws_cloudfront_origin_access_identity.example.iam_arn
            }
            Action    = "s3:GetObject"
            Resource  = "${aws_s3_bucket.example.arn}/*"
          }
        ]
      })
    }

This step is critical for securing the S3 bucket.

Bucket Policy: The policy grants the OAI permission to read objects (s3:GetObject) from the bucket.
Principal: Specifies the OAI as the entity allowed to access the bucket.
Resource: Applies the
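As an added audit check (not code from the original post or from AWS), the function below takes the bucket policy from step 3 rendered to JSON and reports every Allow statement that would let something other than CloudFront read objects. It also accepts the OAC pattern described under "What is OAC?", where the cloudfront.amazonaws.com service principal must be pinned to one distribution ARN through an AWS:SourceArn condition; the OAI id, bucket name and distribution ARN are constructed placeholders.

```python
import json
from typing import Any, List

# Constructed sample input: the bucket policy from step 3 above, as the JSON
# that jsonencode() produces. The OAI id and bucket name are placeholders.
OAI_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity E1EXAMPLEOAI"},
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-bucket/*",
    }],
})

OAI_ARN_PREFIX = "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity "
READ_ACTIONS = {"*", "s3:*", "s3:get*", "s3:getobject"}  # anything that implies GetObject


def _as_list(value: Any) -> List[Any]:
    return value if isinstance(value, list) else [value]  # IAM allows string or list


def cloudfront_only_findings(policy_json: str) -> List[str]:
    """Return one finding per Allow statement that lets anything other than this
    account's CloudFront read objects. Empty means only an OAI, or the CloudFront
    service principal pinned to a distribution ARN (the OAC pattern), can fetch."""
    findings: List[str] = []
    for i, stmt in enumerate(_as_list(json.loads(policy_json)["Statement"])):
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if stmt.get("Effect") != "Allow" or not actions & READ_ACTIONS:
            continue  # a Deny, or a grant that does not cover object reads
        principal = stmt.get("Principal", {})
        if principal == "*" or principal == {"AWS": "*"}:
            findings.append(f"statement {i}: public read (Principal *)")
            continue
        if not isinstance(principal, dict):
            findings.append(f"statement {i}: unexpected Principal {principal!r}")
            continue
        for arn in _as_list(principal.get("AWS", [])):
            if not arn.startswith(OAI_ARN_PREFIX):
                findings.append(f"statement {i}: non-OAI principal {arn}")
        # Condition keys are case-insensitive in IAM, so normalise before lookup.
        cond = {k.lower(): v for k, v in stmt.get("Condition", {}).get("StringEquals", {}).items()}
        pinned = [s for s in _as_list(cond.get("aws:sourcearn", [])) if ":distribution/" in s]
        for svc in _as_list(principal.get("Service", [])):
            if svc != "cloudfront.amazonaws.com" or not pinned:
                findings.append(f"statement {i}: service principal {svc} not pinned to a distribution")
        if actions - {"s3:getobject"}:
            findings.append(f"statement {i}: broader than s3:GetObject: {sorted(actions)}")
    return findings
```

Only a StringEquals condition on AWS:SourceArn is recognised as a pin; a policy that uses ArnLike instead is reported as unpinned, so treat that finding as a prompt to look, not as proof of exposure.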

You can check more info about: OAI and OAC in AWS CloudFront.
