
CloudFront distribution uses Origin Access Control (OAC) for all S3 origins

cloudfront_distributions_s3_origin_access_control

Severity: medium
Service: cloudfront
by Prowler

CloudFront distributions with Amazon S3 origins are expected to use Origin Access Control (OAC) on each S3 origin.

The check inspects every distribution origin that carries an s3_origin_config (that is, an S3 REST origin rather than a custom or website-endpoint origin) and reports each such origin that has no associated OAC.
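The evaluation described above, written out as an added example that is not Prowler's own code: given the DistributionConfig document that `aws cloudfront get-distribution-config` returns, it lists the S3 origins that have no OAC attached, treating a legacy OAI as a separate reason so migration candidates are visible. The origin ids, domain names and OAC/OAI ids in the sample are constructed values.

```python
"""Added example (not Prowler's code): find S3 origins without an OAC in a
CloudFront DistributionConfig document."""

# Constructed sample shaped like the DistributionConfig member of the
# GetDistributionConfig output. All ids and domain names are made up.
SAMPLE_DISTRIBUTION_CONFIG = {
    "CallerReference": "example",
    "Origins": {
        "Quantity": 4,
        "Items": [
            {   # S3 origin protected by OAC: compliant
                "Id": "assets-oac",
                "DomainName": "assets-bucket.s3.us-east-1.amazonaws.com",
                "S3OriginConfig": {"OriginAccessIdentity": ""},
                "OriginAccessControlId": "E2EXAMPLEOAC",
            },
            {   # S3 origin with neither OAC nor OAI: the bucket must be reachable directly
                "Id": "media-open",
                "DomainName": "media-bucket.s3.us-east-1.amazonaws.com",
                "S3OriginConfig": {"OriginAccessIdentity": ""},
                "OriginAccessControlId": "",
            },
            {   # S3 origin still on legacy OAI: fails this check and should migrate to OAC
                "Id": "legacy-oai",
                "DomainName": "legacy-bucket.s3.us-east-1.amazonaws.com",
                "S3OriginConfig": {
                    "OriginAccessIdentity": "origin-access-identity/cloudfront/E1EXAMPLEOAI"
                },
            },
            {   # Custom origin (e.g. an ALB): has no S3OriginConfig, so it is out of scope
                "Id": "api",
                "DomainName": "api.example.com",
                "CustomOriginConfig": {"OriginProtocolPolicy": "https-only"},
            },
        ],
    },
}


def find_s3_origins_without_oac(distribution_config):
    """Return (origin_id, reason) for every S3 origin that lacks an OAC.

    Only origins carrying S3OriginConfig are inspected; custom origins are
    skipped, mirroring the check description. An origin passes only when
    OriginAccessControlId is set to a non-empty value.
    """
    findings = []
    for origin in distribution_config.get("Origins", {}).get("Items", []):
        if "S3OriginConfig" not in origin:
            continue  # not an S3 REST origin
        if origin.get("OriginAccessControlId"):
            continue  # protected by OAC
        oai = origin["S3OriginConfig"].get("OriginAccessIdentity", "")
        reason = "legacy OAI, migrate to OAC" if oai else "no OAC or OAI"
        findings.append((origin["Id"], reason))
    return findings


def is_compliant(distribution_config):
    """PASS when no S3 origin is missing an OAC."""
    return not find_s3_origins_without_oac(distribution_config)


if __name__ == "__main__":
    for origin_id, reason in find_s3_origins_without_oac(SAMPLE_DISTRIBUTION_CONFIG):
        print(f"FAIL origin {origin_id}: {reason}")
```

Run it against the output of `aws cloudfront get-distribution-config --id <DISTRIBUTION_ID> --query DistributionConfig` to reproduce the check's verdict for one distribution; an origin on a legacy OAI fails just as an unprotected one does.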

Risk

Without OAC, S3 objects can be reached outside CloudFront, bypassing edge controls and weakening confidentiality and integrity.

  • Direct access to the bucket enables data exfiltration
  • Requests that bypass CloudFront lose WAF, rate limiting, and detailed logging, and can drive up S3 request and transfer costs
  • Without OAC, signed writes and SSE-KMS-encrypted objects are not supported, increasing tampering risk

Run this check with Prowler CLI

prowler aws --checks cloudfront_distributions_s3_origin_access_control

Recommendation

Enable Origin Access Control for all S3 origins and keep buckets non-public.

Apply least privilege: scope the bucket policy and any KMS key policy to the CloudFront service principal and to the specific distribution. Ensure origin requests are signed, migrate any remaining legacy OAI origins to OAC, and use defense in depth with WAF and monitoring to protect and observe access.
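The least-privilege bucket policy that the recommendation calls for, as an added example (not Prowler's or AWS's own code): one function builds a policy that lets only the CloudFront service principal, acting for one named distribution, read objects, and a second function reviews an existing policy for the usual shortfalls (a public principal, a CloudFront grant not pinned to a distribution ARN, or a wildcard action). The bucket name, account id and distribution id in the sample are constructed values.

```python
"""Added example (not Prowler's code): build and review the OAC bucket policy."""
import json

CLOUDFRONT_SERVICE = "cloudfront.amazonaws.com"


def oac_bucket_policy(bucket_name, distribution_arn):
    """Allow only CloudFront, on behalf of the given distribution, to GetObject.

    The statement shape is the documented OAC bucket policy: a service
    principal plus an AWS:SourceArn condition naming the distribution, so
    another account's distribution cannot reuse the grant.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowCloudFrontServicePrincipalReadOnly",
                "Effect": "Allow",
                "Principal": {"Service": CLOUDFRONT_SERVICE},
                "Action": "s3:GetObject",
                "Resource": f"arn:aws:s3:::{bucket_name}/*",
                "Condition": {"StringEquals": {"AWS:SourceArn": distribution_arn}},
            }
        ],
    }


def policy_problems(policy):
    """Return a list of human-readable problems found in the Allow statements."""
    problems = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        principal = stmt.get("Principal")
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else list(actions)

        if principal == "*" or principal == {"AWS": "*"}:
            problems.append(f"{sid}: grants access to everyone")
            continue
        if any(a in ("*", "s3:*") for a in actions):
            problems.append(f"{sid}: wildcard action instead of the specific S3 actions needed")
        if isinstance(principal, dict) and principal.get("Service") == CLOUDFRONT_SERVICE:
            source_arn = (stmt.get("Condition", {}).get("StringEquals") or {}).get("AWS:SourceArn")
            if not (isinstance(source_arn, str) and source_arn.startswith("arn:aws:cloudfront::")):
                problems.append(f"{sid}: CloudFront grant not pinned to a distribution via AWS:SourceArn")
    return problems


# Constructed sample of the pattern this check is meant to eliminate:
# the bucket is readable by anyone, so CloudFront is not the only path in.
PUBLIC_READ_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "PublicRead",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::media-bucket/*",
        }
    ],
}

if __name__ == "__main__":
    # Constructed account id and distribution id.
    good = oac_bucket_policy("media-bucket", "arn:aws:cloudfront::123456789012:distribution/EDFDVBD6EXAMPLE")
    print(json.dumps(good, indent=2))
    print("problems in public policy:", policy_problems(PUBLIC_READ_POLICY))
    print("problems in OAC policy:", policy_problems(good))
```

Feed the generated document to `aws s3api put-bucket-policy --bucket <bucket> --policy file://policy.json` after attaching the OAC, and keep Block Public Access enabled on the bucket so a later policy edit cannot quietly reopen it. If objects are SSE-KMS encrypted, the key policy needs the same service-principal-plus-SourceArn grant for `kms:Decrypt`.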

Remediation

CLI

aws cloudfront create-origin-access-control \
  --origin-access-control-config '{"Name":"<example_resource_name>","SigningProtocol":"sigv4","SigningBehavior":"always","OriginAccessControlOriginType":"s3"}' \
  && aws cloudfront get-distribution-config --id <DISTRIBUTION_ID> --output json > current-config.json \
  && echo 'Manually edit current-config.json to add OriginAccessControlId to S3 origins, then run:' \
  && echo 'aws cloudfront update-distribution --id <DISTRIBUTION_ID> --distribution-config file://current-config.json --if-match $(aws cloudfront get-distribution-config --id <DISTRIBUTION_ID> --query "ETag" --output text)'

Note that get-distribution-config wraps the configuration in an object with ETag and DistributionConfig members, while update-distribution expects only the DistributionConfig object; when editing current-config.json, keep just that member and set "OriginAccessControlId" on each S3 origin to the id returned by create-origin-access-control.

Other
  1. In the AWS Console, open CloudFront and go to Security > Origin access > Origin access control (OAC). Click Create control setting, choose Origin type S3, keep Sign requests, and create the OAC.
  2. Open your CloudFront distribution, go to the Origins tab.
  3. For each S3 origin: click Edit, select Origin access control settings (recommended), choose the OAC created in step 1, and Save changes.
  4. Repeat step 3 for all S3 origins in the distribution.

Resource Type

AwsCloudFrontDistribution
