Ensure origin access identity is enabled for AWS CloudFront distributions with S3 origin

MEDIUM

Description

When an S3 bucket is used as a CloudFront origin without an origin access identity (OAI), the bucket objects have to be publicly readable for CloudFront to fetch them, which means viewers can bypass the distribution (and any WAF rules, geo restrictions, or signed URLs on it) by requesting the S3 URL directly. Configuring the distribution to send authenticated requests through an OAI, and granting only that identity read access in the bucket policy, lets the bucket stay private while CloudFront still serves its content. AWS now recommends the newer origin access control (OAC) mechanism for this purpose; OAI remains supported and is the setting this rule checks for. For more information on restricting access using origin access identity, see the AWS CloudFront documentation.
References:
https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-restricting-access-to-s3.html

Remediation

In AWS Console -

  1. Sign in to the AWS Console and open the CloudFront Console.
  2. Under Distributions, select the distribution that requires a secure setting.
  3. Under Origins, select the specific origin to update (Note: this only applies to S3 bucket origins, not S3 static website endpoints, which CloudFront treats as custom origins).
  4. For Origin access, choose Origin access control settings (the console's recommended option) or Legacy access identities, and follow the instructions provided to create the identity or control and update the bucket policy so that only CloudFront can read the objects.
  5. Select Save changes.

In Terraform -

  1. In the aws_cloudfront_distribution resource, ensure each S3 origin has an s3_origin_config block whose origin_access_identity is set (normally to the cloudfront_access_identity_path of an aws_cloudfront_origin_access_identity resource). Setting the identity on the distribution is not sufficient on its own: the bucket policy must also grant that identity s3:GetObject on the objects, otherwise CloudFront receives 403 responses from the origin, and the bucket should keep public access blocked so the OAI is the only read path. The origin's domain_name must be the bucket's S3 endpoint (for example bucket_regional_domain_name), since an OAI cannot be used with an S3 website endpoint.

References:
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudfront_distribution
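The following Terraform configuration is an added example for this rule; it is not taken from the rule page or the provider documentation, and the bucket name, resource names and origin_id are placeholders. It shows the non-compliant origin (no origin access identity) as a commented-out block next to the corrected one, together with the public access block and bucket policy that make the OAI the only way to read the objects.

```hcl
# Added example for AC_AWS_0390: private S3 bucket served only through CloudFront.
# Bucket and resource names below are assumed placeholders.

resource "aws_s3_bucket" "site" {
  bucket = "example-private-site-bucket" # assumed name
}

# Keep the bucket private; with an OAI in place nothing needs public access.
resource "aws_s3_bucket_public_access_block" "site" {
  bucket                  = aws_s3_bucket.site.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

# Non-compliant origin (what the rule flags): no s3_origin_config /
# origin_access_identity, so the objects would have to be public.
#
#   origin {
#     domain_name = aws_s3_bucket.site.bucket_regional_domain_name
#     origin_id   = "s3-site"
#   }

resource "aws_cloudfront_origin_access_identity" "site" {
  comment = "OAI for example-private-site-bucket"
}

resource "aws_cloudfront_distribution" "site" {
  enabled             = true
  default_root_object = "index.html"

  # Compliant origin: S3 REST endpoint (not the website endpoint) plus OAI.
  origin {
    domain_name = aws_s3_bucket.site.bucket_regional_domain_name
    origin_id   = "s3-site"

    s3_origin_config {
      origin_access_identity = aws_cloudfront_origin_access_identity.site.cloudfront_access_identity_path
    }
  }

  default_cache_behavior {
    allowed_methods        = ["GET", "HEAD"]
    cached_methods         = ["GET", "HEAD"]
    target_origin_id       = "s3-site"
    viewer_protocol_policy = "redirect-to-https"

    forwarded_values {
      query_string = false
      cookies {
        forward = "none"
      }
    }
  }

  restrictions {
    geo_restriction {
      restriction_type = "none"
    }
  }

  viewer_certificate {
    cloudfront_default_certificate = true
  }
}

# The OAI only works if the bucket policy grants it read access. Granting
# s3:GetObject to the OAI's IAM ARN alone keeps every other principal out.
data "aws_iam_policy_document" "site" {
  statement {
    actions   = ["s3:GetObject"]
    resources = ["${aws_s3_bucket.site.arn}/*"]

    principals {
      type        = "AWS"
      identifiers = [aws_cloudfront_origin_access_identity.site.iam_arn]
    }
  }
}

resource "aws_s3_bucket_policy" "site" {
  bucket = aws_s3_bucket.site.id
  policy = data.aws_iam_policy_document.site.json
}
```

After applying, a direct request to the bucket's S3 URL should return 403 while the same object is served through the distribution's domain; if the CloudFront URL also returns 403, the bucket policy is missing or does not name the OAI. To use the newer origin access control instead, replace the aws_cloudfront_origin_access_identity resource with aws_cloudfront_origin_access_control and set origin_access_control_id on the origin, with the bucket policy granting s3:GetObject to the cloudfront.amazonaws.com service principal conditioned on the distribution ARN.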

Policy Details

Rule Reference ID: AC_AWS_0390
CSP: AWS
Remediation Available: No
Resource Category: Virtual Network
Resource Type: CloudFront

Frameworks