
Check if CloudFront distributions with S3 origin use OAC.

cloudfront_distributions_s3_origin_access_control

Severity: medium
Service: cloudfront
by Prowler

Check if CloudFront distributions use origin access control.

Risk

Without OAC, your S3 bucket could be accessed directly, bypassing CloudFront, which could expose your content to unauthorized access. Additionally, relying on Origin Access Identity (OAI) may limit functionality and security features, making your distribution less secure and more difficult to manage.

Run this check with Prowler CLI

prowler aws --checks cloudfront_distributions_s3_origin_access_control


ARN template

arn:partition:cloudfront:region:account-id:distribution/resource-id

Remediation

Native IAC

https://docs.prowler.com/checks/aws/iam-policies/ensure-aws-cloudfromt-distribution-with-s3-have-origin-access-set-to-enabled/

Terraform

https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/CloudFront/s3-origin.html

Other

https://docs.aws.amazon.com/securityhub/latest/userguide/cloudfront-controls.html#cloudfront-13

WUI

Configure Origin Access Control (OAC) for CloudFront distributions that use an Amazon S3 origin. This will ensure that the content in your S3 bucket is accessible only through the specified CloudFront distribution, enhancing security by preventing direct access to the bucket.
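The following is an added example (not Prowler's own check code) of the logic this check performs, run offline against a constructed DistributionConfig in the shape returned by the CloudFront GetDistributionConfig API: each S3 origin is classified as OAC, legacy OAI, or no access control, and anything other than OAC is reported. The domain names, origin IDs and the OAC/OAI identifiers in the sample are made up.

```python
import re
from typing import Dict, List

# REST (non-website) S3 endpoints that can sit behind OAC: bucket.s3[.<region>].amazonaws.com
S3_REST_ENDPOINT = re.compile(r"\.s3(\.[a-z0-9-]+)?\.amazonaws\.com$")


def is_s3_origin(origin: dict) -> bool:
    """True for an S3 REST-endpoint origin. S3 website endpoints are custom
    origins and cannot use OAC, so they are deliberately not matched."""
    return "S3OriginConfig" in origin or bool(S3_REST_ENDPOINT.search(origin.get("DomainName", "")))


def classify_origin(origin: dict) -> str:
    """Return 'OAC', 'OAI' or 'NONE' based on the DistributionConfig fields
    GetDistributionConfig returns for an origin."""
    if origin.get("OriginAccessControlId"):
        return "OAC"
    if origin.get("S3OriginConfig", {}).get("OriginAccessIdentity"):
        return "OAI"
    return "NONE"


def find_s3_origins_without_oac(config: dict) -> List[Dict[str, str]]:
    """Every S3 origin not fronted by OAC, with its access mode; an empty
    list means the distribution passes this check."""
    findings = []
    for origin in config.get("Origins", {}).get("Items", []):
        if not is_s3_origin(origin):
            continue
        mode = classify_origin(origin)
        if mode != "OAC":
            findings.append({"id": origin["Id"], "domain": origin["DomainName"], "access": mode})
    return findings


# Constructed sample (not real account data): one OAC origin, one legacy OAI
# origin, one S3 origin with no access control, and one custom origin to skip.
SAMPLE_CONFIG = {"Origins": {"Quantity": 4, "Items": [
    {"Id": "assets-oac", "DomainName": "example-assets.s3.us-east-1.amazonaws.com",
     "S3OriginConfig": {"OriginAccessIdentity": ""}, "OriginAccessControlId": "EXAMPLEOACID"},
    {"Id": "assets-oai", "DomainName": "example-legacy.s3.amazonaws.com",
     "S3OriginConfig": {"OriginAccessIdentity": "origin-access-identity/cloudfront/EXAMPLEOAI"}},
    {"Id": "assets-open", "DomainName": "example-public.s3.eu-west-1.amazonaws.com",
     "S3OriginConfig": {"OriginAccessIdentity": ""}},
    {"Id": "api", "DomainName": "api.example.com",
     "CustomOriginConfig": {"OriginProtocolPolicy": "https-only"}},
]}}

if __name__ == "__main__":
    for f in find_s3_origins_without_oac(SAMPLE_CONFIG):
        print(f"FAIL origin {f['id']} ({f['domain']}): access mode {f['access']}")
```

To run it against a live distribution, feed it the `DistributionConfig` element of a `get_distribution_config` response; a non-empty result is what this check reports as FAIL.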


Resource Type

AWSCloudFrontDistribution
