From dd7361f5de93e7055820ee09e14ac15098d765a2 Mon Sep 17 00:00:00 2001 From: CHIKAMATSU Naohiro Date: Mon, 15 Jan 2024 23:13:14 +0900 Subject: [PATCH] Update document --- .../static-web-site-distribution/README.md | 21 +++++++++++++++---- 1 file changed, 17 insertions(+), 4 deletions(-) diff --git a/cloudformation/static-web-site-distribution/README.md b/cloudformation/static-web-site-distribution/README.md index 408f8e6..640f349 100644 --- a/cloudformation/static-web-site-distribution/README.md +++ b/cloudformation/static-web-site-distribution/README.md 
@@ -20,8 +20,21 @@ In other words, S3 content can be publicly accessible, allowing direct access to To prevent such scenarios, it is essential to appropriately configure the S3 bucket policy. -#### Access Log -[WIP] +#### What is Origin Access Control (OAC) +Origin Access Control is a new feature of CloudFront that allows you to restrict access to S3 buckets from CloudFront. It is an alternative to Origin Access Identity (OAI), which is the conventional method of restricting access to S3 buckets from CloudFront. + +The use of Origin Access Identity (OAI) in CloudFront involves specifying OAI for each origin, and on the S3 side, allowing read and write permissions for that OAI through bucket policies. This allows restricting access to S3 only from CloudFront, without making the S3 bucket publicly accessible. However, there are limitations when using OAI, such as incompatibility with AWS Key Management Service (AWS KMS) encryption and SSE-KMS in S3 buckets. + +The newly available Origin Access Control (OAC) addresses these limitations. It supports accessing S3 buckets encrypted with SSE-KMS and enables both download and upload operations. Additionally, it overcomes the restriction related to the use of AWS Signature Version 4 (SigV4) in specific S3 regions, allowing POST and PUT requests, and requiring the addition of the x-amz-content-sha256 header for PUT requests during object uploads. + +OAC also enhances security measures by supporting shorter credential durations and more frequent credential rotation. This provides better protection against credential-based attacks. + +#### Why need CloudFront Access Logs +1. Enhanced Audit and Security: Storing CloudFront access logs in S3 provides a detailed history of access, enhancing security and facilitating the detection and investigation of unauthorized access. + +2. 
Analysis and Monitoring: Access logs stored in S3 can be integrated with analysis tools and monitoring systems, aiding in quickly identifying traffic trends and performance issues. + +3. Compliance with Legal Requirements: Some industries or legal requirements may mandate the retention of access logs and their accessibility when needed to comply with regulations. -#### Chache -[WIP] \ No newline at end of file +#### CloudFront Cache +- [Understanding AWS CloudFront Caching: A Guide for Beginners](https://aws.plainenglish.io/understanding-aws-cloudfront-caching-a-guide-for-beginners-ce0169d3c724) \ No newline at end of file
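Review bot: The new OAC section contradicts itself and still never shows the bucket policy that the hunk's own context line calls essential ("it is essential to appropriately configure the S3 bucket policy"). The OAI paragraph says the bucket policy allows "read and write permissions for that OAI", yet the next paragraph presents upload (PUT/POST) support as something OAC adds over OAI; drop "and write" from the OAI sentence so the two paragraphs agree. The sentence "it overcomes the restriction related to the use of AWS Signature Version 4 (SigV4) in specific S3 regions, allowing POST and PUT requests, and requiring the addition of the x-amz-content-sha256 header for PUT requests" runs two benefits together with a requirement, so it reads as if the header were an advantage; split it: OAC supports SigV4-only regions and PUT/POST requests, and uploads through OAC must carry `x-amz-content-sha256`. Given the context sentence, add the actual policy statement the template uses (the grant to the CloudFront service principal, scoped to this distribution) or a pointer to where the template defines it, otherwise the reader is told the policy matters without ever seeing it. Smaller points: "#### Why need CloudFront Access Logs" should be "#### Why CloudFront Access Logs are needed"; "#### CloudFront Cache" replaces [WIP] with only an external link, which is not yet documentation of how this distribution caches; and the file still ends with "\ No newline at end of file", so add the trailing newline while touching it.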