3

I'm currently hosting a static web site on AWS from an S3 bucket with a custom domain over TLS via CloudFront. AWS recently introduced Origin Access Control (OAC), which supposedly is a safer way to keep my S3 bucket private but still allow CloudFront to pull content from it for distribution.

But the OAC documentation for S3 seems to say that I have to disable the S3 website options to get OAC to work. I'm trying to understand the implications of this, because it's not spelled out. This is what I'm inferring:

  1. With OAC I can have content statically served from S3 over TLS using CloudFront; but
  2. the site can no longer be configured to automatically serve a default file; e.g. serving https://example.com/index.html when the browser requests https://example.com/; and
  3. I can no longer add server response redirects e.g. from https://example.com/old.html to https://example.com/new.html.

Is that a correct interpretation? Is there any other functionality I'll lose if I switch to OAC? Are there any workarounds when using OAC to get this functionality back?

Update: It appears that I can set a "default root object" of e.g. index.html via the CloudFormation distribution configuration. But it doesn't appear to be exactly the same as an S3 bucket website endpoint "index document" setting. For example, from the documentation it seems that this would serve https://example.com/index.html for https://example.com/, but would not serve https://example.com/foo/index.html for https://example.com/foo/, unless I'm misinterpreting what "the root URL for your distribution" means.

Update: Verified that this is indeed the case. It may be possible to work around this using Lambda@Edge. I'll investigate further.

3
  • So many people wanting to close the question, but nobody wants to take the time to tell me how the question is defective? Commented Apr 20, 2023 at 23:57
  • Ah, I get it. When I ask a difficult question, it's easier to vote to close the question than to research and find an answer. And I imagine those voting down this question have no idea what OAC is, didn't read the question closely enough to even note that it mentioned OAC (and certainly didn't read the links), and couldn't be bothered to leave a comment. Commented Apr 21, 2023 at 20:54
  • Went down this rabbit hole to host a React site with OAC. Looks like OAC is not suited for website hosting. When I navigate from base/page1 to base/page2 it throws an Access Denied error. So OAC is not good for static site hosting for now, I guess. Commented Aug 29, 2023 at 19:15

1 Answer

3

Your understanding is correct:

  • OAC cannot be used with S3 static website endpoints, only S3 buckets
  • S3 buckets will not automatically serve index.html for root or subdirectories
  • S3 static website endpoints will automatically serve index.html at both the root and all subdirectories
  • The CloudFront default root object only works for the root, but not subdirectories

If you want OAC and index.html serving for the root and all subdirectories, your best option is to use an S3 bucket with a CloudFront Function (viewer request trigger) that handles the index.html rewrite for you - see example function.
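A sketch of such a viewer-request function, added here as an example and not part of the original answer or the AWS sample it links to. It goes one step beyond the answer by also returning the old.html to new.html redirect from the question; the `REDIRECTS` table and the `rewriteUri` helper are hypothetical names.

```javascript
// CloudFront Function for the viewer-request event (added example).
// The bucket stays private behind OAC; this only changes which object key
// CloudFront asks the S3 REST endpoint for.

// Constructed sample table: old path -> new path (from the question).
var REDIRECTS = { '/old.html': '/new.html' };

function handler(event) {
    var request = event.request;

    // Returning a response object instead of the request makes CloudFront
    // answer the viewer directly, without contacting the origin.
    if (Object.prototype.hasOwnProperty.call(REDIRECTS, request.uri)) {
        return {
            statusCode: 301,
            statusDescription: 'Moved Permanently',
            headers: { location: { value: REDIRECTS[request.uri] } }
        };
    }

    request.uri = rewriteUri(request.uri);
    return request; // forwarded to the origin with the rewritten URI
}

// Map directory-style paths to their index document. request.uri holds
// only the path; the query string is in request.querystring and untouched.
function rewriteUri(uri) {
    if (uri.endsWith('/')) {
        return uri + 'index.html';       // /foo/ -> /foo/index.html
    }
    // Inspect only the last segment, so a dot in a directory name
    // (/v1.2/docs) is not mistaken for a file extension.
    var lastSegment = uri.substring(uri.lastIndexOf('/') + 1);
    if (lastSegment.indexOf('.') === -1) {
        return uri + '/index.html';      // /foo -> /foo/index.html
    }
    return uri;                          // /css/site.css is left as is
}
```

Unlike the S3 website endpoint, this rewrites /foo internally rather than redirecting the browser to /foo/, so relative links on that page resolve against the parent path.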
