<ul>
<li>outline</li>
</ul>
<blockquote>
Access control and security enhancement for CloudFront, OAC is next generation of OAI.
</blockquote>
<ul>
<li>Origin Access : Create control setting</li>
</ul>
<pre><code class="lang-plaintext">Signing behavior
Sign requests (recommended)
Create

Bucket Policy -&gt; Copy policy
</code></pre>
<ul>
<li>S3 bucket policy</li>
</ul>
<pre><code class="lang-plaintext">{
 "Version": "2008-10-17",
 "Id": "PolicyForCloudFrontPrivateContent",
 "Statement": [
 {
 "Sid": "AllowCloudFrontServicePrincipal",
 "Effect": "Allow",
 "Principal": {
 "Service": "cloudfront.amazonaws.com"
 },
 "Action": "s3:GetObject",
 "Resource": "arn:aws:s3:::test/*",
 "Condition": {
 "StringEquals": {
 "AWS:SourceArn": "arn:aws:cloudfront::123456789:distribution/ABCD123ASDB"
 }
 }
 }
 ]
}
</code></pre>
<ul>
<li>reference</li>
</ul>
<blockquote>
<a target="_blank" href="https://aws.amazon.com/ko/blogs/korea/amazon-cloudfront-introduces-origin-access-control-oac/%EF%BF%BChttps://aws.amazon.com/ko/blogs/networking-and-content-delivery/amazon-cloudfront-introduces-origin-access-control-oac/">https://aws.amazon.com/ko/blogs/korea/amazon-cloudfront-introduces-origin-access-control-oac/ <a href="https://aws.amazon.com/ko/blogs/networking-and-content-delivery/amazon-cloudfront-introduces-origin-access-control-oac/" class="autolinkedURL autolinkedURL-url" target="_blank">aws.amazon.com/ko/blogs/networking-and-cont..</a></a>
</blockquote>

* outline
    

> Access control and security enhancement for CloudFront, OAC is next generation of OAI.

* Origin Access : Create control setting
    

```plaintext
Signing behavior
Sign requests (recommended)
Create

Bucket Policy -> Copy policy
```

* S3 bucket policy
    

```plaintext
{
        "Version": "2008-10-17",
        "Id": "PolicyForCloudFrontPrivateContent",
        "Statement": [
            {
                "Sid": "AllowCloudFrontServicePrincipal",
                "Effect": "Allow",
                "Principal": {
                    "Service": "cloudfront.amazonaws.com"
                },
                "Action": "s3:GetObject",
                "Resource": "arn:aws:s3:::test/*",
                "Condition": {
                    "StringEquals": {
                      "AWS:SourceArn": "arn:aws:cloudfront::123456789:distribution/ABCD123ASDB"
                    }
                }
            }
        ]
}
```

* reference
    

> [https://aws.amazon.com/ko/blogs/korea/amazon-cloudfront-introduces-origin-access-control-oac/  
> https://aws.amazon.com/ko/blogs/networking-and-content-delivery/amazon-cloudfront-introduces-origin-access-control-oac/](https://aws.amazon.com/ko/blogs/korea/amazon-cloudfront-introduces-origin-access-control-oac/%EF%BF%BChttps://aws.amazon.com/ko/blogs/networking-and-content-delivery/amazon-cloudfront-introduces-origin-access-control-oac/)

CloudFront Origin Access Control

AWS/Security

Jesus, Love, Family, Happy Life, Linux, Cloud, SRE, DevOps Engineer, FinOps, System Engineer, Problem Solver
