
[CloudFront.13] CloudFront distributions should use origin access control

  • Contextual name: [CloudFront.13] CloudFront distributions should use origin access control
  • ID: /frameworks/aws-fsbp-v1.0.0/cloudfront/13
  • Located in: CloudFront

Description

When you use an S3 bucket as an origin for your CloudFront distribution, you can enable origin access control (OAC). OAC permits access to the content in the bucket only through the specified CloudFront distribution, and prohibits access directly from the bucket or through another distribution. Although CloudFront still supports Origin Access Identity (OAI), OAC offers additional functionality, and distributions that use OAI can migrate to OAC. While OAI provides a secure way to access S3 origins, it has limitations: it does not support granular policy configurations, it does not support HTTP/HTTPS requests that use the POST method in AWS Regions that require AWS Signature Version 4 (SigV4), and it does not support objects encrypted with AWS Key Management Service. OAC is based on the AWS best practice of using IAM service principals to authenticate with S3 origins.
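The following is an added example, not code from the AWS Security Hub control or its documentation. It shows the check a practitioner would run to implement this control offline and the bucket policy that OAC relies on: a distribution fails when any S3 origin has no origin access control attached, and a compliant bucket policy grants s3:GetObject only to the CloudFront service principal, scoped to one distribution ARN. The sample distribution, its IDs and ARN are constructed placeholders shaped like the CloudFront DistributionConfig API object; the bucket-name helper assumes the standard `bucket.s3.region.amazonaws.com` origin domain.

```python
import json
from typing import Dict, List

# Constructed sample (placeholder IDs/ARN) mirroring the shape of a CloudFront
# Distribution object: one OAC origin, one legacy OAI origin, one custom origin.
SAMPLE_DISTRIBUTION = {
    "Id": "EDFDVBD6EXAMPLE",
    "ARN": "arn:aws:cloudfront::111122223333:distribution/EDFDVBD6EXAMPLE",
    "DistributionConfig": {
        "Origins": {
            "Quantity": 3,
            "Items": [
                {   # S3 origin protected by OAC: compliant
                    "Id": "assets",
                    "DomainName": "assets-bucket.s3.us-east-1.amazonaws.com",
                    "S3OriginConfig": {"OriginAccessIdentity": ""},
                    "OriginAccessControlId": "E2QWRUHAPOMQZL",
                },
                {   # S3 origin using only legacy OAI: fails CloudFront.13
                    "Id": "legacy",
                    "DomainName": "legacy-bucket.s3.us-east-1.amazonaws.com",
                    "S3OriginConfig": {
                        "OriginAccessIdentity": "origin-access-identity/cloudfront/E1ABCDEFGHIJKL"
                    },
                    "OriginAccessControlId": "",
                },
                {   # custom (non-S3) origin: out of scope for this control
                    "Id": "api",
                    "DomainName": "api.example.com",
                    "CustomOriginConfig": {"OriginProtocolPolicy": "https-only"},
                },
            ],
        }
    },
}


def is_s3_origin(origin: Dict) -> bool:
    """S3 origins carry S3OriginConfig; custom origins carry CustomOriginConfig."""
    return "S3OriginConfig" in origin


def origins_missing_oac(distribution: Dict) -> List[str]:
    """Return the IDs of S3 origins that have no OriginAccessControlId attached.

    An OAI in S3OriginConfig does not count: the control requires OAC.
    """
    items = distribution["DistributionConfig"]["Origins"]["Items"]
    return [o["Id"] for o in items if is_s3_origin(o) and not o.get("OriginAccessControlId")]


def evaluate(distribution: Dict) -> str:
    """Security Hub style verdict for one distribution."""
    return "FAILED" if origins_missing_oac(distribution) else "PASSED"


def bucket_name_from_origin(domain_name: str) -> str:
    """Assumes the standard '<bucket>.s3.<region>.amazonaws.com' origin domain."""
    return domain_name.split(".s3", 1)[0]


def oac_bucket_policy(bucket_name: str, distribution_arn: str) -> Dict:
    """Bucket policy that pairs with OAC: read access only for the CloudFront
    service principal, and only when the request comes from this distribution.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowCloudFrontServicePrincipalReadOnly",
                "Effect": "Allow",
                "Principal": {"Service": "cloudfront.amazonaws.com"},
                "Action": "s3:GetObject",
                "Resource": f"arn:aws:s3:::{bucket_name}/*",
                "Condition": {"StringEquals": {"AWS:SourceArn": distribution_arn}},
            }
        ],
    }


if __name__ == "__main__":
    print(SAMPLE_DISTRIBUTION["Id"], evaluate(SAMPLE_DISTRIBUTION))
    for origin in SAMPLE_DISTRIBUTION["DistributionConfig"]["Origins"]["Items"]:
        if origin["Id"] in origins_missing_oac(SAMPLE_DISTRIBUTION):
            bucket = bucket_name_from_origin(origin["DomainName"])
            print(f"origin {origin['Id']}: attach an OAC and apply this policy to {bucket}:")
            print(json.dumps(oac_bucket_policy(bucket, SAMPLE_DISTRIBUTION["ARN"]), indent=2))
```

In a real account the input would come from the CloudFront GetDistribution API and the policy from GetBucketPolicy; the check is deliberately written over plain dictionaries so the logic can be unit-tested without credentials. The `AWS:SourceArn` condition is what stops a second distribution (even one with its own OAC) from reading the bucket.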

Similar

Sub Sections

Section | Sub Sections | Internal Rules | Policies | Flags