AWS-CloudFront-Public-S3-CloudFront-Origin

Severity : Critical

Description: This control checks that an S3 bucket used as the origin of a CloudFront distribution does not grant everyone read access to its objects. When S3 is the origin, the bucket should be kept private and CloudFront should reach it through an origin access identity (OAI). The OAI lets S3 verify that requests come from the distribution, and it prevents clients from fetching objects directly from the bucket, which would bypass CloudFront's caching and any access controls configured on the distribution. If the bucket is configured as a static website endpoint, an OAI cannot be used; the bucket must then be added as a custom origin, and access to its contents restricted by other means.

Remediation Steps:

Perform the following to restrict access to the contents of an S3 bucket used as a CloudFront origin:

  1. Log in to the AWS Management Console at https://console.aws.amazon.com

Set up an Origin Access Identity and add it to the distribution:

  1. Navigate to the CloudFront service.

  2. Select the ID of the reported distribution that has an S3 origin.

  3. Select the Origins tab.

  4. Select the Amazon S3 origin and choose Edit.

  5. For S3 bucket access, select Yes use OAI.

  6. Select Create new OAI to create a new OAI, or pick an existing OAI from the list.

  7. Choose Yes, update the bucket policy. This adds a statement granting the OAI read permission on the bucket, but it does not remove any existing grants; those must be reviewed and removed by updating the bucket policy manually, as described in the next section.

  8. Choose Save Changes.

Update the S3 bucket policy to remove the old permissions:

  1. Navigate to the S3 service.

  2. From the list of buckets, select the bucket that is set as the origin for the CloudFront distribution above.

  3. Select the Permissions tab.

  4. Under Bucket Policy, confirm that a statement whose principal is the OAI has been added.

  5. Review the bucket policy for statements with "Effect": "Allow" that grant object permissions to principals other than the OAI (in particular a wildcard principal "*"). Modify or delete those statements.

  6. Select Save Changes.
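The two manual steps above (check that the OAI grant is present, then find and remove Allow statements that are not for the OAI) can be automated against the bucket policy JSON. The following is an added example, not code from the page or from Blue Hexagon; the policy document, bucket name and OAI ID in it are constructed for illustration. It flags the public-read statement, keeps the Deny statement untouched, and emits a policy that grants s3:GetObject to the OAI only.

```python
import copy
import fnmatch
import json

# Constructed sample bucket policy (not from the page): a leftover "public read"
# grant from before CloudFront was put in front of the bucket, plus a Deny that
# must survive remediation.
PUBLIC_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "PublicReadGetObject",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::example-bucket/*",
        },
        {
            "Sid": "DenyInsecureTransport",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        },
    ],
}

# Principal ARN form that CloudFront writes for an origin access identity.
OAI_ARN_PREFIX = "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity "


def _principal_values(principal):
    """Flatten a policy Principal ("*", string, or {"AWS": [...]}) into a list."""
    if principal == "*":
        return ["*"]
    if isinstance(principal, dict):
        vals = []
        for v in principal.values():
            vals.extend(v if isinstance(v, list) else [v])
        return vals
    return [principal]


def _statements(policy):
    """Statement may be a single object or a list; always return a list."""
    stmts = policy.get("Statement", [])
    return stmts if isinstance(stmts, list) else [stmts]


def is_oai_principal(principal):
    """True only if every identity named by the principal is a CloudFront OAI."""
    vals = _principal_values(principal)
    return bool(vals) and all(isinstance(v, str) and v.startswith(OAI_ARN_PREFIX) for v in vals)


def is_public_read(policy):
    """True when an Allow statement grants object read (or broader) to everyone."""
    for s in _statements(policy):
        if s.get("Effect") != "Allow" or "*" not in _principal_values(s.get("Principal", {})):
            continue
        actions = s.get("Action", [])
        actions = actions if isinstance(actions, list) else [actions]
        # IAM action matching is case-insensitive and supports '*' wildcards.
        if any(fnmatch.fnmatchcase("s3:getobject", a.lower()) for a in actions):
            return True
    return False


def find_non_oai_allows(policy):
    """Sids (or indices) of Allow statements whose principal is not an OAI."""
    return [
        s.get("Sid", str(i))
        for i, s in enumerate(_statements(policy))
        if s.get("Effect") == "Allow" and not is_oai_principal(s.get("Principal", {}))
    ]


def restrict_to_oai(policy, bucket, oai_id):
    """Drop non-OAI Allow statements, keep every Deny, and add the OAI grant."""
    fixed = copy.deepcopy(policy)
    kept = [s for s in _statements(fixed)
            if s.get("Effect") != "Allow" or is_oai_principal(s.get("Principal", {}))]
    kept.append({
        "Sid": "AllowCloudFrontOAIRead",
        "Effect": "Allow",
        "Principal": {"AWS": OAI_ARN_PREFIX + oai_id},
        "Action": "s3:GetObject",
        "Resource": f"arn:aws:s3:::{bucket}/*",
    })
    fixed["Statement"] = kept
    return fixed


if __name__ == "__main__":
    print("public read:", is_public_read(PUBLIC_POLICY))
    print("non-OAI allows:", find_non_oai_allows(PUBLIC_POLICY))
    # "E1EXAMPLEOAI" is a placeholder OAI ID, not a real identity.
    print(json.dumps(restrict_to_oai(PUBLIC_POLICY, "example-bucket", "E1EXAMPLEOAI"), indent=2))
```

Treat the output of find_non_oai_allows as a review list rather than an automatic delete list: a bucket that is also written to by a deployment role will have a legitimate non-OAI Allow for that role, which should be narrowed to the write actions it needs rather than removed. Note also that a distribution migrated to origin access control uses a Service principal (cloudfront.amazonaws.com) with an aws:SourceArn condition instead of an OAI ARN, so the is_oai_principal check above would need an equivalent branch for that form.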

Important:

Reference:

Blue Hexagon Proprietary