0
0
AwsConceptBeginner · 3 min read

What is OAC in CloudFront: Overview and Usage

In AWS CloudFront, OAC stands for Origin Access Control. It is a security feature that lets CloudFront securely access private content from an Amazon S3 bucket or other origins by controlling permissions without exposing the origin publicly.
⚙️

How It Works

Think of OAC as a special key that CloudFront uses to get content from your origin server, like an Amazon S3 bucket, without opening the bucket to everyone on the internet. Instead of making your content public, you give CloudFront permission to access it securely.

This works by creating a control that links CloudFront to your origin with strict rules. When a user requests content, CloudFront uses this control to fetch the content safely, so only CloudFront can see the private files, not the public.

It’s like having a private delivery service that only CloudFront can use to pick up your packages (content), keeping your packages safe from others.

💻

Example

This example shows how to create an Origin Access Control in AWS CloudFront using AWS CLI to allow CloudFront to access a private S3 bucket.

bash
aws cloudfront create-origin-access-control --origin-access-control-config '{"Name":"MyOAC","Description":"Access control for CloudFront to S3","SigningProtocol":"sigv4","SigningBehavior":"always","OriginAccessControlOriginType":"s3"}'
Output
{ "OriginAccessControl": { "Id": "e1234567890abcdef", "OriginAccessControlConfig": { "Name": "MyOAC", "Description": "Access control for CloudFront to S3", "SigningProtocol": "sigv4", "SigningBehavior": "always", "OriginAccessControlOriginType": "s3" } } }
🎯

When to Use

Use OAC when you want to keep your origin content private but still deliver it through CloudFront. It is ideal for:

  • Serving private files from an S3 bucket without making the bucket public.
  • Improving security by limiting who can access your origin content.
  • Ensuring only CloudFront can fetch content, preventing direct access from users.
  • Reducing risk of unauthorized data exposure in websites or apps.

For example, if you have a website with images stored in a private S3 bucket, using OAC lets CloudFront deliver those images securely to visitors without exposing the bucket to the internet.

Key Points

  • OAC controls secure access from CloudFront to origins like S3.
  • It replaces older methods like Origin Access Identity (OAI) with improved security.
  • Uses AWS Signature Version 4 for signing requests.
  • Helps keep origin content private and protected.
  • Easy to configure via AWS Console, CLI, or SDKs.

Key Takeaways

OAC lets CloudFront securely access private origin content without exposing it publicly.
It uses signed requests to control who can fetch content from your origin.
OAC is recommended over older methods for better security and simplicity.
Use OAC when you want to serve private files through CloudFront safely.
You can create and manage OAC using AWS CLI, Console, or SDKs.

Related by keyword

EBS Volume Types: Overview and Usage in AWSEC2What Are EC2 Instance Types: Overview and UsageEC2What is AWS EBS: Overview and Usage ExplainedEC2What is EC2 in AWS: Overview and UsageEC2How to Use S3 with CloudFront for Fast Content DeliveryS3

Up next

How to Use Global Tables in DynamoDB for Multi-Region ReplicationWhat is DynamoDB in AWS: Simple Explanation and Use CasesA Record vs CNAME vs Alias in Route 53: Key Differences and UsageHow to Create a Hosted Zone in AWS Route 53

More in CloudFront

CloudFront vs S3 Direct Access: Key Differences and When to Use EachHow to Create AWS CloudFront Distribution: Step-by-Step GuideHow to Invalidate CloudFront Cache Quickly and CorrectlyHow to Set Cache Policy in AWS CloudFront