To deliver digital content to authorized users through CloudFront while restricting unauthorized access, you can use an origin access identity (OAI) with signed URLs.
Store Content in S3 with Public Access Blocked:
Ensure the S3 bucket has public access blocked.
Navigate to the S3 console, select the bucket, and configure the "Block Public Access" settings.
Reference: Blocking public access to your Amazon S3 storage

Create an OAI for CloudFront:
In the CloudFront console, create an OAI to securely access the S3 bucket.
Associate the OAI with the CloudFront distribution.
Reference: Using an OAI

Restrict S3 Bucket Access to the OAI:
Update the S3 bucket policy to grant access to the OAI.
Example bucket policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity "
      },
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::bucket-name/*"
    }
  ]
}

Use Signed URLs for Restricted Access:
Configure CloudFront to use signed URLs to control access to the content.
Reference: Serving private content with signed URLs and signed cookies

This setup ensures that only authorized users can access the content through CloudFront using signed URLs, while the S3 bucket remains private and secure.
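The steps above end with "configure CloudFront to use signed URLs" but do not show what a signed URL is made of. The following Python is an added example, not code from the original answer or from AWS: it builds the canned policy CloudFront expects, applies CloudFront's URL-safe base64 substitutions, appends the Expires, Signature and Key-Pair-Id query parameters, and includes a small expiry check a defender can run on a URL before issuing it. The function names, the distribution domain (d111111abcdef8.cloudfront.net is the placeholder AWS documentation uses), the key pair ID and the stand-in signer are all assumptions for this example; a real distribution requires an RSA-SHA1 signature made with the private key of a key pair in one of the distribution's trusted key groups, which the signer callable is meant to supply.

```python
"""Build and check a CloudFront signed URL with a canned policy (added example).

Illustrative code, not from the original page or from AWS. The signing step
is injected as a callable so the construction can run offline; in production
the callable signs the policy bytes with RSA-SHA1 using the CloudFront key
pair's private key.
"""
import base64
import hashlib
import json
from typing import Callable
from urllib.parse import parse_qs, urlsplit, urlunsplit

# Constructed sample values (assumptions, not from the page).
SAMPLE_URL = "https://d111111abcdef8.cloudfront.net/private/report.pdf"
SAMPLE_EXPIRES = 1700000000          # Unix epoch seconds
SAMPLE_KEY_PAIR_ID = "APKAEXAMPLE"   # placeholder key pair ID


def build_canned_policy(url: str, expires_epoch: int) -> str:
    """Return the canned policy JSON in the compact form CloudFront signs.

    No whitespace is allowed: the signature covers these exact bytes, and
    CloudFront rebuilds the same policy from the URL and Expires value to
    verify the signature.
    """
    policy = {
        "Statement": [
            {
                "Resource": url,
                "Condition": {"DateLessThan": {"AWS:EpochTime": expires_epoch}},
            }
        ]
    }
    return json.dumps(policy, separators=(",", ":"))


def cloudfront_safe_b64(data: bytes) -> str:
    """Base64-encode, then apply CloudFront's query-string-safe substitutions.

    CloudFront replaces '+' with '-', '=' with '_' and '/' with '~' so the
    signature can be carried in a query parameter without percent-encoding.
    """
    return (
        base64.b64encode(data)
        .decode("ascii")
        .replace("+", "-")
        .replace("=", "_")
        .replace("/", "~")
    )


def build_signed_url(
    url: str,
    expires_epoch: int,
    key_pair_id: str,
    signer: Callable[[bytes], bytes],
) -> str:
    """Append Expires, Signature and Key-Pair-Id to an object URL.

    `signer` receives the policy bytes and returns raw signature bytes. For a
    real distribution it must produce an RSA-SHA1 signature with the private
    key matching `key_pair_id`.
    """
    policy = build_canned_policy(url, expires_epoch)
    signature = cloudfront_safe_b64(signer(policy.encode("utf-8")))
    parts = urlsplit(url)
    params = [
        f"Expires={expires_epoch}",
        f"Signature={signature}",
        f"Key-Pair-Id={key_pair_id}",
    ]
    # Keep any query string the object URL already carries.
    query = "&".join(([parts.query] if parts.query else []) + params)
    return urlunsplit((parts.scheme, parts.netloc, parts.path, query, parts.fragment))


def is_signed_url_expired(signed_url: str, now_epoch: int) -> bool:
    """Defender-side sanity check: has the Expires parameter already passed?

    CloudFront itself verifies the signature; this only catches issuing a URL
    whose window has already closed (for example, a clock or unit mistake).
    """
    query = parse_qs(urlsplit(signed_url).query)
    expires = query.get("Expires")
    if not expires:
        return True  # no expiry at all: treat as unusable
    return int(expires[0]) <= now_epoch


def stand_in_signer(policy_bytes: bytes) -> bytes:
    """NOT a real signature: a deterministic stand-in so the example runs offline."""
    return hashlib.sha256(policy_bytes).digest()


if __name__ == "__main__":
    url = build_signed_url(SAMPLE_URL, SAMPLE_EXPIRES, SAMPLE_KEY_PAIR_ID, stand_in_signer)
    print(url)
    print("expired now?", is_signed_url_expired(url, SAMPLE_EXPIRES - 60))
```

For production use, boto3 ships botocore.signers.CloudFrontSigner, which takes the key pair ID and an rsa_signer callback of the same shape as `signer` above and exposes generate_presigned_url(url, date_less_than=...); the distribution's cache behavior must also have "Restrict viewer access" enabled with a trusted key group, otherwise CloudFront serves the object without checking for a signature at all.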