AWS CloudFront Origin Access Identity
This page shows how to write Terraform and CloudFormation for CloudFront Origin Access Identity and write them securely.
aws_cloudfront_origin_access_identity (Terraform)
The Origin Access Identity in CloudFront can be configured in Terraform with the resource name aws_cloudfront_origin_access_identity
. The following sections describe 1 example of how to use the resource and its parameters.
Example Usage from GitHub
resource "aws_cloudfront_origin_access_identity" "farese" {}
resource "aws_cloudfront_distribution" "farese" {
origin {
domain_name = aws_s3_bucket.farese.website_endpoint
origin_id = "S3-farese.com"
Parameters
-
caller_reference
optional computed - string -
cloudfront_access_identity_path
optional computed - string -
comment
optional - string -
etag
optional computed - string -
iam_arn
optional computed - string -
id
optional computed - string -
s3_canonical_user_id
optional computed - string
Explanation in Terraform Registry
Creates an Amazon CloudFront origin access identity. For information about CloudFront distributions, see the [Amazon CloudFront Developer Guide][1]. For more information on generating origin access identities, see [Using an Origin Access Identity to Restrict Access to Your Amazon S3 Content][2].
Tips: Best Practices for The Other AWS CloudFront Resources
In addition to the aws_cloudfront_distribution, AWS CloudFront has the other resources that should be configured for security reasons. Please check some examples of those resources and precautions.
aws_cloudfront_distribution
Ensure to enable access logging of CloudFront distribution
To avoid attacks, it is better to configure access logging of a CloudFront distribution. The logs are important for the early-stage detection of attacks and incident responses. It is better to enable the feature while being careful of handling cookies.
AWS::CloudFront::CloudFrontOriginAccessIdentity (CloudFormation)
The CloudFrontOriginAccessIdentity in CloudFront can be configured in CloudFormation with the resource name AWS::CloudFront::CloudFrontOriginAccessIdentity
. The following sections describe how to use the resource and its parameters.
Example Usage from GitHub
An example could not be found in GitHub.
Parameters
-
CloudFrontOriginAccessIdentityConfig
required - CloudFrontOriginAccessIdentityConfig
Explanation in CloudFormation Registry
The request to create a new origin access identity (OAI). An origin access identity is a special CloudFront user that you can associate with Amazon S3 origins, so that you can secure all or just some of your Amazon S3 content. For more information, see Restricting Access to Amazon S3 Content by Using an Origin Access Identity in the Amazon CloudFront Developer Guide.
Frequently asked questions
What is AWS CloudFront Origin Access Identity?
AWS CloudFront Origin Access Identity is a resource for CloudFront of Amazon Web Service. Settings can be wrote in Terraform and CloudFormation.
Where can I find the example code for the AWS CloudFront Origin Access Identity?
For Terraform, the prbc/farese source code example is useful. See the Terraform Example section for further details.