CloudFront Distribution Has Origin Access Control Enabled
Overview
This check verifies that origin access control (OAC) is configured for an Amazon CloudFront distribution that uses an Amazon S3 bucket as an origin. The check fails if OAC is not configured for the distribution.
When an S3 bucket is the origin of a CloudFront distribution, OAC can be enabled for that origin. OAC restricts access to the bucket's content so that it can be reached only through the designated CloudFront distribution, not directly from the bucket or through any other distribution. OAC offers more capability than the older Origin Access Identity (OAI) mechanism, and distributions that still use OAI can be migrated to OAC.
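The following is an added example, not code from the original check page or from AWS, showing how the check described above can be evaluated over distribution configurations. The input dictionaries follow the shape of the DistributionConfig returned by boto3's cloudfront.get_distribution_config (S3 origins carry an S3OriginConfig block and an OriginAccessControlId string); the function names, the Finding type and all sample distribution IDs, domain names and OAC/OAI identifiers are constructed for illustration. It goes slightly beyond the check text by reporting the legacy-OAI case separately, since that is the migration path the page mentions.

```python
# Added example (not from the original check page): evaluate CloudFront
# distribution configurations for origin access control (OAC) on S3 origins.
# Input dicts mirror the DistributionConfig shape returned by boto3's
# cloudfront.get_distribution_config; all sample values below are constructed.
from dataclasses import dataclass


@dataclass
class Finding:
    distribution_id: str
    origin_id: str
    passed: bool
    reason: str


def is_s3_origin(origin: dict) -> bool:
    """CloudFront marks bucket REST-endpoint origins with an S3OriginConfig block.

    S3 static-website endpoints are configured as CustomOriginConfig origins;
    OAC does not apply to them, so they are not evaluated here.
    """
    return "S3OriginConfig" in origin


def evaluate_distribution(distribution_id: str, config: dict) -> list:
    """Return one Finding per S3 origin; an empty list means the check is not applicable."""
    findings = []
    for origin in config.get("Origins", {}).get("Items", []):
        if not is_s3_origin(origin):
            continue
        oac_id = origin.get("OriginAccessControlId", "")
        # Legacy OAI lives inside S3OriginConfig as "origin-access-identity/cloudfront/<id>".
        oai = origin["S3OriginConfig"].get("OriginAccessIdentity", "")
        if oac_id:
            findings.append(Finding(distribution_id, origin["Id"], True,
                                    f"OAC {oac_id} configured"))
        elif oai:
            findings.append(Finding(distribution_id, origin["Id"], False,
                                    f"legacy OAI in use ({oai}); migrate to OAC"))
        else:
            findings.append(Finding(distribution_id, origin["Id"], False,
                                    "no OAC or OAI: content is served only if the bucket itself is readable"))
    return findings


def check_passes(distribution_id: str, config: dict) -> bool:
    """The distribution passes when every S3 origin carries an OAC (no S3 origins: not applicable, passes)."""
    return all(f.passed for f in evaluate_distribution(distribution_id, config))


def evaluate_account(session=None) -> dict:
    """Run the check against every distribution in an account (needs boto3 and credentials)."""
    import boto3  # imported lazily so the offline samples below run without it
    client = (session or boto3.Session()).client("cloudfront")
    results = {}
    for page in client.get_paginator("list_distributions").paginate():
        for dist in page.get("DistributionList", {}).get("Items", []):
            config = client.get_distribution_config(Id=dist["Id"])["DistributionConfig"]
            results[dist["Id"]] = evaluate_distribution(dist["Id"], config)
    return results


def _s3_origin(origin_id: str, oac_id: str = "", oai: str = "") -> dict:
    # Helper to build a constructed S3 origin entry in boto3's shape.
    return {"Id": origin_id,
            "DomainName": "constructed-bucket.s3.us-east-1.amazonaws.com",
            "S3OriginConfig": {"OriginAccessIdentity": oai},
            "OriginAccessControlId": oac_id}


# Constructed sample configurations covering the cases the check distinguishes.
SAMPLE_CONFIGS = {
    "CONSTRUCTED-OAC": {"Origins": {"Quantity": 1, "Items": [
        _s3_origin("s3-assets", oac_id="CONSTRUCTED-OAC-ID")]}},
    "CONSTRUCTED-OAI": {"Origins": {"Quantity": 1, "Items": [
        _s3_origin("s3-assets", oai="origin-access-identity/cloudfront/CONSTRUCTED-OAI-ID")]}},
    "CONSTRUCTED-OPEN": {"Origins": {"Quantity": 1, "Items": [_s3_origin("s3-assets")]}},
    "CONSTRUCTED-CUSTOM": {"Origins": {"Quantity": 1, "Items": [
        {"Id": "api", "DomainName": "api.example.invalid",
         "CustomOriginConfig": {"OriginProtocolPolicy": "https-only"}}]}},
}

if __name__ == "__main__":
    for dist_id, cfg in SAMPLE_CONFIGS.items():
        status = "PASS" if check_passes(dist_id, cfg) else "FAIL"
        reasons = [f.reason for f in evaluate_distribution(dist_id, cfg)] or ["no S3 origins"]
        print(f"{dist_id}: {status} ({'; '.join(reasons)})")
```

A distribution with only custom origins yields no findings and is treated as not applicable; a distribution that mixes S3 and custom origins fails as soon as one S3 origin lacks an OAC. Note that OAC presence alone does not prove the bucket is locked down: the bucket policy must also grant access only to the CloudFront service principal for that distribution, which is a separate check.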
Vendor
AWS
Cloud Service
CloudFront
References
https://docs.aws.amazon.com/securityhub/latest/userguide/cloudfront-controls.html#cloudfront-13
https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-restricting-access-to-s3.html
Severity
3
Item Types
AWS::CloudFront::Distribution