CloudFront distributions should use origin access control


Description

This control verifies that every S3-based origin used in an Amazon CloudFront distribution has origin access control (OAC) enabled. S3-based origins that use static website hosting domains (such as bucket-name.s3-website.<region>.amazonaws.com) are excluded from this control, as they are assumed to be intentionally public.

When an S3 bucket serves as the origin for a CloudFront distribution, OAC should be enabled to restrict access. This ensures that content is reachable only through the designated CloudFront distribution, and not by direct requests to the bucket or through other distributions.

Note that origin access identity (OAI) has been deprecated by Amazon in favor of OAC. CloudFront distributions using OAI should be migrated to OAC to benefit from enhanced security controls.
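The check described above, written out as an added example that is not Datadog's own rule implementation: it walks the origins of a distribution configuration in the shape the CloudFront API returns (the `Origins.Items` list, with `DomainName`, `OriginAccessControlId` and `S3OriginConfig` fields), skips S3 website-hosting endpoints, and reports S3 origins that have no OAC, distinguishing the deprecated-OAI case. The sample distribution and its OAC/OAI identifiers are constructed placeholders.

```python
"""Evaluate a CloudFront DistributionConfig for S3 origins without OAC (added example)."""
import re

# S3 static website endpoints (bucket.s3-website.<region>.amazonaws.com, or the
# bucket.s3-website-<region> form) are public by design, so the control skips them.
S3_WEBSITE_RE = re.compile(r"\.s3-website[.-][a-z0-9-]+\.amazonaws\.com$")
# S3 REST endpoints: bucket.s3.amazonaws.com or bucket.s3.<region>.amazonaws.com
S3_REST_RE = re.compile(r"\.s3([.-][a-z0-9-]+)?\.amazonaws\.com$")

def is_s3_website_origin(domain_name):
    return bool(S3_WEBSITE_RE.search(domain_name.lower()))

def is_s3_origin(origin):
    """True for bucket origins: an S3OriginConfig block or an S3 REST domain."""
    domain = origin["DomainName"].lower()
    if is_s3_website_origin(domain):
        return False
    return "S3OriginConfig" in origin or bool(S3_REST_RE.search(domain))

def evaluate_distribution(config):
    """Return one finding per S3 origin that does not reference an OAC."""
    findings = []
    for origin in config["Origins"]["Items"]:
        if not is_s3_origin(origin) or origin.get("OriginAccessControlId"):
            continue  # excluded website origin, or compliant with OAC attached
        oai = (origin.get("S3OriginConfig") or {}).get("OriginAccessIdentity", "")
        reason = "deprecated OAI in use; migrate to OAC" if oai else "no origin access control"
        findings.append({"origin_id": origin["Id"], "domain": origin["DomainName"], "reason": reason})
    return findings

def is_compliant(config):
    return not evaluate_distribution(config)

# Constructed sample in the shape of the DistributionConfig returned by the CloudFront API.
# The OAC and OAI identifiers are placeholders, not real resources.
SAMPLE_DISTRIBUTION_CONFIG = {"Origins": {"Quantity": 4, "Items": [
    {"Id": "oac-origin", "DomainName": "assets.s3.us-east-1.amazonaws.com",
     "OriginAccessControlId": "EXAMPLE-OAC-ID", "S3OriginConfig": {"OriginAccessIdentity": ""}},
    {"Id": "legacy-oai-origin", "DomainName": "legacy.s3.amazonaws.com",
     "S3OriginConfig": {"OriginAccessIdentity": "origin-access-identity/cloudfront/EXAMPLE-OAI-ID"}},
    {"Id": "website-origin", "DomainName": "site.s3-website.us-east-1.amazonaws.com",
     "CustomOriginConfig": {"OriginProtocolPolicy": "http-only"}},
    {"Id": "open-origin", "DomainName": "open.s3.eu-west-1.amazonaws.com",
     "S3OriginConfig": {"OriginAccessIdentity": ""}},
]}}

if __name__ == "__main__":
    for finding in evaluate_distribution(SAMPLE_DISTRIBUTION_CONFIG):
        print(f"{finding['origin_id']} ({finding['domain']}): {finding['reason']}")
```

Against a live account the same function can be fed the `DistributionConfig` element of each `get_distribution_config` response.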

Remediation

For instructions on enabling OAC for a CloudFront distribution, refer to the Restrict access to an Amazon Simple Storage Service origin section of the Amazon CloudFront Developer Guide.
