Security & Origin Access Control (OAC)

Why your S3 bucket must stay private and how OAC + CloudFront protects your static site

Without OAC vs With OAC

Without OAC

✗Bucket must be public → anyone can access files directly
✗Bypass CloudFront → no HTTPS enforcement, no caching
✗No control over headers, caching, or WAF
✗Security risk: files can be scraped/hotlinked

With OAC

✓S3 bucket stays private — no public access
✓Only CloudFront can read files (signed requests)
✓Full HTTPS, caching, compression, security headers
✓Prevents direct S3 URL access — better protection

OAC Bucket Policy Example

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "cloudfront.amazonaws.com"
      },
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::your-bucket-name/*",
      "Condition": {
        "StringEquals": {
          "AWS:SourceArn": "arn:aws:cloudfront::YOUR_ACCOUNT_ID:distribution/YOUR_DISTRIBUTION_ID"
        }
      }
    }
  ]
}

Replace your-bucket-name, YOUR_ACCOUNT_ID and YOUR_DISTRIBUTION_ID with your actual values.
Attach this policy to your S3 bucket via AWS Console → Permissions → Bucket policy.

HTTPS & Security Headers

CloudFront + ACM

Free SSL/TLS certificate from AWS Certificate Manager
Automatic HTTPS redirection (HTTP → HTTPS)
Edge certificates – fast and global

Extra Security

CloudFront adds security headers (HSTS, X-Content-Type-Options, etc.)
Optional WAF for protection against common attacks
No origin server needed – reduced attack surface

← Back to Deployment Next: Troubleshooting →