Ref: https://learn.cantrill.io/courses/1820301/lectures/41301530 and https://learn.cantrill.io/courses/1820301/lectures/41301531

• Summary:
• Contents:

CF Content Delivery Path

• 3 zones
  1. Origins (where content is hosted)
  2. CF Network (NW + edge locations)
  3. Public internet & content consumers
• Two paths to secure
  1. Origin fetch path (Origin → CF)
     • Best practice: origin only be accessible via CF
       • 💡 By default, CF can be bypassed
  2. Viewer path (CF → viewer)
     • Best practice: protect sensitive data in a private behavior (requires signed URLs or cookies)
       • 💡 By default, behaviors are public

Securing S3 Origins

Origin Access Control (OAC) - NEW (Recommended)

• 🔧 Control setting that can be used in a CF distribution with S3 origin
• S3 bucket policy must be adjusted
  • Common pattern: implicitly deny everything, explicitly allow the CF principal, with the condition that the principal is using the specified OAC
• Screenshot

Origin Access Identities (OAIs) - Legacy

• 💡 Leaving this subsection for completeness sake, but AWS heavily recommends using OAC in production environments, not OAIs
• 🔧 OAI = type of identity that can be associated with CF distributions
  • ❗ NOT an IAM user or IAM role!
• OAIs can be indicated in an S3 bucket policy for access
  • Common pattern: implicitly deny everything, explicitly allow one or more OAIs
• When CF accesses S3 origin, CF “becomes” an associated OAI → CF distributions are thus allowed or denied access to S3 buckets
• Good practice to have one OAI per CF distribution (although sharing is possible)