Origin Access Identity Setup Overview

When you first set up an Amazon S3 bucket as the origin for a CloudFront distribution, everyone is granted permission to read the files in your bucket. Anyone can then access your files either through CloudFront or by using the Amazon S3 URL. CloudFront does not expose Amazon S3 URLs, but users may still have them if your application serves any files directly from Amazon S3, or if someone gives out direct links to specific files in Amazon S3.

If you use CloudFront signed URLs or signed cookies to restrict access to the files in your Amazon S3 bucket, you probably also want to prevent users from reaching those files through Amazon S3 URLs. Users who access files directly in Amazon S3 bypass the controls that CloudFront signed URLs or signed cookies provide.

To ensure that your users access your files only through CloudFront URLs, regardless of whether those URLs are signed, do the following:

  1. Create an origin access identity (OAI), which is a special CloudFront user, and associate it with your distribution. You associate the origin access identity with individual origins, so you can protect all of your Amazon S3 content or only part of it. You can also create an origin access identity and add it to your distribution when you create the distribution. For more information, see "Creating a CloudFront origin access identity and adding it to your distribution".

  2. Change the permissions on your Amazon S3 bucket, or on the files in the bucket, so that only the origin access identity has read permission (or read and download permissions). When users access your Amazon S3 files through CloudFront, the origin access identity gets the files on their behalf. If users request a file directly by using an Amazon S3 URL, they are denied access. The origin access identity has permission to access the files in your Amazon S3 bucket, but users do not. For more information, see "Granting the origin access identity permission to read files in your Amazon S3 bucket".
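The following is an added example, not part of the original page or AWS's own code: it builds the bucket policy described in step 2 and audits an existing policy for any principal other than the OAI that is still allowed to read objects. The bucket name and OAI ID are placeholders, the function names are hypothetical, and the check covers bucket policy statements only (not object ACLs, `NotPrincipal`, or `Condition` keys).

```python
import json
from fnmatch import fnmatchcase

# IAM principal format CloudFront uses for an OAI; the ID is filled in per distribution.
OAI_ARN = "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity {}"

def oai_read_policy(bucket, oai_id):
    """Bucket policy that lets only the given OAI read objects (step 2)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowCloudFrontOAIRead",
            "Effect": "Allow",
            "Principal": {"AWS": OAI_ARN.format(oai_id)},
            "Action": "s3:GetObject",
            "Resource": f"arn:aws:s3:::{bucket}/*",
        }],
    }

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _principals(stmt):
    p = stmt.get("Principal", {})
    return ["*"] if p == "*" else [x for v in p.values() for x in _as_list(v)]

def non_oai_readers(policy, oai_id):
    """Return (Sid, principal) pairs that Allow object reads to anyone but the OAI."""
    allowed = OAI_ARN.format(oai_id)
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        if not any(fnmatchcase("s3:getobject", a.lower()) for a in actions):
            continue  # statement does not cover s3:GetObject (exact or wildcard)
        findings += [(stmt.get("Sid", "<no Sid>"), w) for w in _principals(stmt) if w != allowed]
    return findings

if __name__ == "__main__":
    # Constructed sample: an OAI policy that still carries a leftover public-read grant.
    legacy = oai_read_policy("example-bucket", "EXAMPLEOAIID")
    legacy["Statement"].append({"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
                                "Action": "s3:Get*", "Resource": "arn:aws:s3:::example-bucket/*"})
    print(json.dumps(oai_read_policy("example-bucket", "EXAMPLEOAIID"), indent=2))
    print(non_oai_readers(legacy, "EXAMPLEOAIID"))
```

An empty result from `non_oai_readers` means the bucket policy grants object reads to the OAI alone; any entry it returns is a principal that can still fetch objects by Amazon S3 URL and bypass CloudFront.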

 

 


Origin www.cnblogs.com/cloudrivers/p/11328301.html