AWS CloudFront: How to Secure Your S3, ALB, and EC2 Origins

Learn how to make your origins accessible only via CloudFront, make them more secure.

·

6 min read

AWS CloudFront: How to Secure Your S3, ALB, and EC2 Origins

Securing your origins in AWS CloudFront is essential to protect your resources from unauthorized access and ensure efficient content delivery. This blog will guide you through the steps to restrict traffic to different origins (S3, ALB, and EC2) and make them accessible only via CloudFront.

Table of Contents

  1. Introduction

  2. What is OAC and AWS Managed Prefix List

  3. Securing S3 Origins

  4. Securing ALB Origins

    • Custom Header-Based Authentication

    • Using AWS Managed Prefix Lists

  5. Securing EC2 Origins

  6. Best Practices and Recommendations

  7. Summary

Introduction

AWS CloudFront is a content delivery network (CDN) that allows you to distribute content with low latency and high transfer speeds. To ensure the security of your content, it's crucial to restrict access to your origins (S3, ALB, and EC2) so that they can only be accessed via CloudFront. This blog will detail the methods to secure each type of origin.

What is OAC and AWS Managed Prefix List

Origin Access Control (OAC)

Origin Access Control (OAC) is a feature introduced by AWS CloudFront that allows you to restrict access to your Amazon S3 buckets so that they can only be accessed through CloudFront. This enhances the security of your content by preventing direct access to the S3 bucket. OAC replaces the older Origin Access Identity (OAI) with a more flexible and powerful approach.

For more details, you can refer to the official AWS blog on OAC.

AWS Managed Prefix List

AWS Managed Prefix List for Amazon CloudFront is a feature that allows you to create a list of IP ranges used by CloudFront. This list can then be used to configure security groups and network ACLs to ensure that only traffic from CloudFront can reach your origins (ALB and EC2). By using the managed prefix list, you simplify the process of managing IP ranges and enhance security.

For more details, you can refer to the official AWS blog on AWS Managed Prefix Lists.

Securing S3 Origins

Amazon S3 (Simple Storage Service) is commonly used as an origin for CloudFront distributions. To restrict access to your S3 bucket so that it can only be accessed through CloudFront, we will use Origin Access Control (OAC).

Steps to Secure S3 Using OAC

  1. Create an S3 Bucket:

    • Go to the S3 console and create a new bucket or use an existing one.

    • Ensure that your bucket and objects are not publicly accessible.

  2. Set Up Origin Access Control (OAC):

    • In the CloudFront console, navigate to your distribution and choose the "Origins and Origin Groups" tab.

    • Select your S3 origin and choose "Edit".

    • In the "Restrict Bucket Access" section, select "Yes".

    • Create a new OAC or use an existing one. Ensure that the OAC is associated with your CloudFront distribution.

  3. Update S3 Bucket Policy:

    • Go to your S3 bucket permissions and update the bucket policy to allow access from CloudFront.

    • The policy should look something like this:

        {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Principal": {
                "AWS": "arn:aws:iam::cloudfront:user/Input_CloudFront_Origin_Access_Identity_OAC_ID"
              },
              "Action": "s3:GetObject",
              "Resource": "arn:aws:s3:::your-bucket-name/*"
            }
          ]
        }
      

By following these steps, you ensure that your S3 bucket can only be accessed through your CloudFront distribution.

Securing ALB Origins

Application Load Balancers (ALB) can also be used as origins for CloudFront. To restrict access to your ALB, we will use two methods: custom header-based authentication and AWS Managed Prefix Lists.

Method 1: Custom Header-Based Authentication

  1. Configure Custom Headers in CloudFront:

    • In the CloudFront console, navigate to your distribution and select the "Origins and Origin Groups" tab.

    • Edit your ALB origin and add a custom header, e.g., X-CloudFront-Secret: YourSecretValue.

  2. Set Up ALB Listener Rules:

    • Go to the EC2 console and select your ALB.

    • Navigate to the "Listeners" tab and select "View/edit rules".

    • Add a rule to check for the custom header X-CloudFront-Secret with the value YourSecretValue. If the header matches, forward the request to your target group; otherwise, return a 403 Forbidden response.

  3. Use HTTPS for Origin Requests:

    • To improve the security of this solution, configure your CloudFront distribution to always use HTTPS when sending requests to your Application Load Balancer.

    • This solution only works if you keep the custom header name and value secret. Using HTTPS can help prevent an eavesdropper from discovering the header name and value.

    • Rotate the header name and value periodically to enhance security.

Method 2: AWS Managed Prefix Lists

  1. Create a Managed Prefix List:

    • In the VPC console, create a new managed prefix list and add the IP ranges used by CloudFront.
  2. Update ALB Security Group:

    • Go to the EC2 console and select your ALB.

    • Navigate to the "Security Groups" section and edit the inbound rules.

    • Add a rule to allow traffic only from the IP ranges in your managed prefix list.

Note:

The managed prefix list for CloudFront counts as 55 routes in a route table. The default quota is 50 routes, so you must request a quota increase before you can add the prefix list to a route table.

By implementing these methods, you ensure that only CloudFront can access your ALB, adding an extra layer of security.

Securing EC2 Origins

While it's recommended to use an ALB as an origin for better management and security, you can also use EC2 instances directly as origins. To restrict access to your EC2 instances, we will use AWS Managed Prefix Lists.

Steps to Secure EC2 Using Managed Prefix Lists

  1. Create a Managed Prefix List:

    • In the VPC console, create a new managed prefix list and add the IP ranges used by CloudFront.
  2. Update EC2 Security Group:

    • Go to the EC2 console and select your instance.

    • Navigate to the "Security Groups" section and edit the inbound rules.

    • Add a rule to allow traffic only from the IP ranges in your managed prefix list.

Note:

For better scalability and security, it's recommended to use an ALB as an origin and connect your EC2 instances to the ALB. This setup simplifies management and enhances security by leveraging the features of ALB.

Best Practices and Recommendations

  • Use CloudFront Origin Access Control (OAC): For S3 buckets, always use OAC to restrict access.

  • Implement Custom Header Authentication: For ALBs, use custom headers to ensure only CloudFront can access your ALB.

  • Leverage Managed Prefix Lists: Use AWS Managed Prefix Lists to restrict access based on CloudFront's IP ranges. Be mindful of the route table limit and request a quota increase if necessary.

  • Prefer ALB over Direct EC2 Access: Use an ALB as an origin and connect your EC2 instances to the ALB for better security and management.

Summary

Securing your AWS CloudFront origins is crucial to protect your resources and ensure secure content delivery. By following the steps outlined in this blog, you can effectively restrict access to your S3, ALB, and EC2 origins and make them accessible only via CloudFront. Implementing these security measures will help safeguard your content and improve the overall security posture of your AWS infrastructure.

By using OAC for S3, custom header-based authentication and managed prefix lists for ALB, and managed prefix lists for EC2, you can ensure that your origins are secure and only accessible through CloudFront. For best practices, consider using an ALB as an origin instead of direct EC2 access to enhance security and simplify management.