Securing Origins in CloudFront

Origin Access Control in CloudFront refers to the mechanism by which users can control access to the origin servers from which CloudFront retrieves content. It allows users to specify rules and restrictions on which clients or resources can access the origin servers. This helps enhance security by ensuring only authorized entities can interact with the origin servers, thereby protecting sensitive data and resources.

Origins and origin groups

Origins represent the locations from which CloudFront retrieves content. When an edge location receives a request for an object not cached locally, it initiates an origin fetch from the relevant origin. Origin Groups provide resiliency by allowing configurations with multiple origins. These origins can include S3 buckets, AWS Media Package or Media Store endpoints, and web servers.

Security measures and access restrictions

CloudFront offers several security measures to control access to content:

  • Signed URLs or cookies can restrict viewer access, ensuring only authorized users can access distributions. Private distributions, trusted user groups, and signed URLs or cookies provide granular control over access permissions.

  • We can require users to use HTTPS to make the connection encrypted.

  • We can restrict users’ access to the content in the AWS origin through CloudFront distribution.

  • We can prevent users from specific geographical locations from having access to the CloudFront distribution.

Get hands-on with 1400+ tech skills courses.