In this guide, we will dive into the detailed process of securely hosting a website on Amazon S3 while restricting direct internet access to the S3 bucket.
Our primary focus is CloudFront: the website content must be reachable only through the CloudFront distribution, which mitigates the risks associated with direct access to the bucket. This is very important when you want to follow the ISO 27001 process.
There are two starting points: a new S3 bucket or an existing S3 bucket.
Important Configurations are:
- Ensure that public access settings for the S3 bucket are disabled to prevent unauthorized access.
- Disable static website hosting to restrict direct access to the bucket’s contents.
Creating an S3 Bucket
- Navigate to the Amazon S3 dashboard in the AWS Management Console.
- Initiate the bucket creation process by clicking on the “Create bucket” button.
- Assign a unique name to your bucket with default settings.
- When you create an S3 bucket with default settings, changing only the name, Block Public Access is enabled and static website hosting is disabled by default.
Configuring Existing S3 Bucket (If Applicable)
Verify that every existing S3 bucket is changed so that public access is disabled.
If your permissions look like this:
Edit them and change them to this:
Backup or remove existing bucket policies that may interfere with the setup.
If you have existing policies like this:
Delete the existing policies.
If you have enabled static website hosting for the bucket, you will see the configuration below.
Edit it and disable it.
Now you are done with the relevant cleanups in the existing S3 bucket. You can verify by requesting one of your bucket files via its URL: you should see Access Denied.
Let’s create a CloudFront distribution.
Proceed to the CloudFront dashboard in the AWS Management Console. Initiate the creation of a new distribution by clicking on “Create Distribution.”
Configure distribution settings, including origin settings and behaviors.
Restricting Access with Origin Access Control:
- Enable Origin Access Control (OAC) to limit access to the S3 bucket exclusively through CloudFront.
- Once you create a new OAC, you will see a warning that you need to update the bucket policy.
- Implement redirection from HTTP to HTTPS for enhanced security.
- Consider enabling AWS Web Application Firewall (WAF) to fortify defenses against common web exploits.
- Ensure the default root object is set to index.html to prevent an Access Denied error from CloudFront.
Once you click on “Create distribution”, you will see an option to copy the policy.
Updating S3 Bucket Policy
Following the CloudFront distribution setup, you’ll receive instructions on updating the S3 bucket policy. You can copy the policy as shown below.
Modify the bucket policy to permit access solely from CloudFront, enhancing security measures.
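As an added example (not code from the original guide), the following Python builds a bucket policy of the same shape CloudFront offers to copy after an OAC is created, and audits a bucket policy for the two things this guide tells you to remove: statements that allow anyone (the public-read policies deleted earlier) and a CloudFront grant that is missing the `AWS:SourceArn` condition tying it to one distribution. The bucket name, account ID and distribution ID are placeholders, not values from the article.

```python
# Hypothetical placeholder values; the article names no bucket, account or distribution.
BUCKET, ACCOUNT_ID, DISTRIBUTION_ID = "example-site-bucket", "111122223333", "EDFDVBD6EXAMPLE"
CLOUDFRONT = "cloudfront.amazonaws.com"


def oac_bucket_policy(bucket, account_id, distribution_id):
    """Policy of the kind CloudFront offers to copy after an OAC is created: only the
    CloudFront service principal may read objects, and only for requests from this one
    distribution (enforced by the AWS:SourceArn condition)."""
    dist_arn = f"arn:aws:cloudfront::{account_id}:distribution/{distribution_id}"
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowCloudFrontServicePrincipalReadOnly",
            "Effect": "Allow",
            "Principal": {"Service": CLOUDFRONT},
            "Action": "s3:GetObject",
            "Resource": f"arn:aws:s3:::{bucket}/*",
            "Condition": {"StringEquals": {"AWS:SourceArn": dist_arn}},
        }],
    }


# Constructed example of the public-read policy the guide says to delete.
PUBLIC_READ_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "PublicReadGetObject", "Effect": "Allow", "Principal": "*",
                   "Action": "s3:GetObject", "Resource": f"arn:aws:s3:::{BUCKET}/*"}],
}


def _is_anonymous(principal):
    """True for Principal "*" or {"AWS": "*"}: anyone on the internet."""
    aws = principal.get("AWS") if isinstance(principal, dict) else principal
    return aws == "*" or (isinstance(aws, list) and "*" in aws)


def audit_bucket_policy(policy):
    """Flag Allow statements that leave the bucket open: an anonymous principal, or the
    CloudFront principal with no SourceArn condition (any distribution could read it)."""
    findings = []
    statements = policy.get("Statement", [])
    for i, st in enumerate([statements] if isinstance(statements, dict) else statements):
        if st.get("Effect") != "Allow":
            continue
        sid, principal = st.get("Sid", f"statement[{i}]"), st.get("Principal", {})
        if _is_anonymous(principal):
            findings.append(f"{sid}: grants access to anonymous principal '*'")
        elif isinstance(principal, dict) and principal.get("Service") == CLOUDFRONT:
            if not any("AWS:SourceArn" in c for c in st.get("Condition", {}).values()):
                findings.append(f"{sid}: CloudFront principal without AWS:SourceArn condition")
    return findings
```

Running `audit_bucket_policy` on the policy CloudFront generated for you should return an empty list; running it on the policy you are about to delete from an existing bucket shows exactly which statement opened it to the internet.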
By following these steps, you have successfully established a robust security framework for hosting your website on Amazon S3 while strictly limiting access solely to CloudFront. This setup not only ensures reliable website delivery but also provides defenses against potential security threats associated with direct internet access to the S3 bucket.