Serve static content from S3 with CloudFront and Origin Access Identity

How to restrict access to an S3 bucket so that your HTML, CSS, and images are only accessible through CloudFront.

David Sugden


Using Amazon Simple Storage Service (Amazon S3) is a cheap and effective way to host static websites and other web content.

You can do so directly from the S3 console by enabling the Static website hosting feature, which gives you a website of the form http://my-bucket-name.s3-website-eu-west-1.amazonaws.com. You can also create an A-record ALIAS in Route 53 to use your own custom domain.

Some solutions may stop here. For some, this is good enough (but this is not the purpose of our article; it would be incredibly short if it were).

More likely the solution will evolve toward serving content from edge cache locations using CloudFront — Amazon’s low-latency Content Delivery Network (CDN). Using a CDN both speeds up the distribution of content to visitors and reduces the overall cost for a busy site.

Even with the CDN our visitors can still access the S3 bucket directly, and the Solution Architect will now be asked “how do we restrict access to the S3 bucket so that our html, css, and images, are only accessible through
