Serve static content from S3 with CloudFront and Origin Access Identity

How to restrict access to an S3 bucket so that your html, css, and images, are only accessible through CloudFront.

David Sugden
5 min read · Feb 9, 2020


Using Amazon Simple Storage Service (Amazon S3) is a cheap and effective way to host static websites and other web content.

You can do so directly from the S3 console by enabling the Static website hosting feature, and you’ll get a website served from an S3 website endpoint. You can also create an A-record ALIAS in Route 53 to use your own custom domain.

Some solutions may stop here. For some, this is good enough (but this is not the purpose of our article; it would be incredibly short if it was).

More likely the solution will evolve toward serving content from edge cache locations using CloudFront — Amazon’s low-latency Content Delivery Network (CDN). Using a CDN both speeds up the distribution of content to visitors and will also reduce the overall cost for a busy site.

Even with the CDN, our visitors can still access the S3 bucket directly, and the Solution Architect will now be asked “how do we restrict access to the S3 bucket so that our html, css, and images are only accessible through CloudFront?” (this question is the purpose of this article).

The answer is to use Origin Access Identity (OAI).

We can restrict public access to objects in the S3 bucket (as of today, this is the default setting for a new bucket) and grant permission only to the OAI, so that CloudFront distributes the content to our visitors from around the world while direct requests to the bucket are denied.

The steps we follow to achieve this solution are:

  1. Create the S3 bucket with default settings and upload an index.html file (index.html will not be accessible directly from S3).
  2. Create a CloudFront distribution with the S3 bucket as its origin (index.html still cannot be accessed).
  3. Set up the OAI, and configure a policy that permits CloudFront to serve…
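As an added worked example (not code from the original article), the following Python builds the bucket policy that step 3 needs, granting `s3:GetObject` on the bucket's objects to the OAI principal and nothing else, and includes a small audit function that flags any `Allow` statement with an anonymous (`*`) principal. The bucket name, the OAI id and the "before" public-read policy are constructed placeholders; the OAI principal ARN format is the one CloudFront uses.

```python
"""Bucket policy for a CloudFront Origin Access Identity, plus an audit helper.

Added example, not code from the original article. The bucket name and OAI id
used below are constructed placeholders.
"""
import json
from typing import Any, Dict, List


def oai_principal_arn(oai_id: str) -> str:
    """IAM principal ARN that CloudFront uses for an Origin Access Identity."""
    return f"arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity {oai_id}"


def build_oai_bucket_policy(bucket: str, oai_id: str) -> Dict[str, Any]:
    """Least-privilege policy: only the OAI may read objects, and only GetObject.

    Because the principal is a specific IAM identity rather than '*', this
    policy is compatible with S3 Block Public Access staying switched on.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowCloudFrontOAIRead",
                "Effect": "Allow",
                "Principal": {"AWS": oai_principal_arn(oai_id)},
                "Action": "s3:GetObject",
                "Resource": f"arn:aws:s3:::{bucket}/*",
            }
        ],
    }


def _principals(stmt: Dict[str, Any]) -> List[str]:
    """Flatten the Principal element of a statement into a list of strings."""
    principal = stmt.get("Principal")
    if principal == "*":
        return ["*"]
    if isinstance(principal, dict):
        flat: List[str] = []
        for value in principal.values():
            flat.extend(value if isinstance(value, list) else [value])
        return flat
    return []


def public_statements(policy: Dict[str, Any]) -> List[str]:
    """Return the Sids of Allow statements that grant access to everyone ('*').

    Conservative on purpose: a '*' principal is reported even when a Condition
    narrows it, since such statements deserve a manual look.
    """
    flagged: List[str] = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if "*" in _principals(stmt):
            flagged.append(stmt.get("Sid", "<no Sid>"))
    return flagged


# Constructed "before" policy: the typical public-read policy used with the
# S3 static website feature. Every object is readable without CloudFront.
PUBLIC_READ_POLICY: Dict[str, Any] = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "PublicReadGetObject",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::example-static-site/*",
        }
    ],
}


if __name__ == "__main__":
    # Placeholder OAI id; the real one is shown in the CloudFront console.
    hardened = build_oai_bucket_policy("example-static-site", "E1EXAMPLEOAIID")
    print("public statements in old policy:", public_statements(PUBLIC_READ_POLICY))
    print("public statements in OAI policy:", public_statements(hardened))
    print(json.dumps(hardened, indent=2))
```

The printed JSON is what goes into the bucket policy for step 3 (for example via `aws s3api put-bucket-policy --bucket <bucket> --policy file://policy.json`); running `public_statements` over the policy you actually deploy is a quick way to confirm the public-read statement from the website-hosting days is gone.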
