What is OAI in CloudFront: Simple Explanation and Usage
OAI stands for Origin Access Identity in AWS CloudFront. It is a special CloudFront principal that a distribution uses to read private content from an Amazon S3 bucket, so the bucket itself can stay closed to direct public access. (AWS now recommends the newer Origin Access Control, OAC, for new distributions; OAI is still widely deployed, and the model described here is the same.)
How It Works
Imagine you have a private storage room (an S3 bucket) where you keep your valuable items (files). You want to share these items only through a trusted delivery person (CloudFront) but not let anyone else enter the room directly.
OAI acts like a special key given only to CloudFront. When CloudFront needs to fetch files from your storage room, it uses this key to unlock the door. This way, only CloudFront can access the files, and people cannot bypass CloudFront to get the files directly from S3.
This setup improves security only when two things hold together: the bucket policy grants read access to the OAI and nothing else, and the bucket has no public grants (keep S3 Block Public Access enabled). Then every request goes through CloudFront, which can add caching, TLS, signed URLs or cookies, and geo-restrictions in front of the files.
Example
This example creates an OAI with boto3. Creating the OAI by itself grants nothing: you still have to reference its ID in the distribution's S3 origin and grant its canonical user (or its IAM ARN) read access in the bucket policy.
import boto3

# Create a CloudFront client (CloudFront is a global service; region does not matter)
cloudfront = boto3.client('cloudfront')

# Create an Origin Access Identity.
# CallerReference must be unique per create request; reusing it returns the
# existing identity instead of creating a new one.
response = cloudfront.create_cloud_front_origin_access_identity(
    CloudFrontOriginAccessIdentityConfig={
        'CallerReference': 'unique-string-12345',
        'Comment': 'My OAI for secure S3 access'
    }
)

# The Id goes into the distribution's S3OriginConfig; the canonical user ID
# (or the OAI's IAM ARN) goes into the bucket policy.
oai_id = response['CloudFrontOriginAccessIdentity']['Id']
oai_s3_canonical_user_id = response['CloudFrontOriginAccessIdentity']['S3CanonicalUserId']
print(f'OAI ID: {oai_id}')
print(f'S3 Canonical User ID: {oai_s3_canonical_user_id}')
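The two pieces the OAI creation above does not cover are the bucket policy and the origin configuration, and a practitioner also wants a way to confirm that an old public-read statement was not left behind. The following is an added example, not code from the original article; the bucket name, region and OAI ID are constructed placeholders. The principal ARN format and the `origin-access-identity/cloudfront/<ID>` origin string are the documented AWS formats; `audit_policy` is a hypothetical helper written for this example.

```python
import json

# Constructed placeholder values (not from the article).
BUCKET = "example-private-assets"
OAI_ID = "E1EXAMPLE12345"  # the Id returned by create_cloud_front_origin_access_identity
REGION = "us-east-1"


def oai_principal_arn(oai_id: str) -> str:
    """IAM principal that CloudFront presents to S3 when it fetches through this OAI."""
    return f"arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity {oai_id}"


def oai_bucket_policy(bucket: str, oai_id: str) -> dict:
    """Bucket policy that lets only the OAI read objects; no public grant at all."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowCloudFrontOAIRead",
                "Effect": "Allow",
                "Principal": {"AWS": oai_principal_arn(oai_id)},
                "Action": "s3:GetObject",
                "Resource": f"arn:aws:s3:::{bucket}/*",
            }
        ],
    }


def s3_origin_config(bucket: str, region: str, oai_id: str) -> dict:
    """Origin entry for a distribution config. Uses the S3 REST endpoint: the
    S3 static-website endpoint is plain HTTP and ignores OAI entirely."""
    return {
        "Id": f"s3-{bucket}",
        "DomainName": f"{bucket}.s3.{region}.amazonaws.com",
        "S3OriginConfig": {
            "OriginAccessIdentity": f"origin-access-identity/cloudfront/{oai_id}"
        },
    }


def _principals(stmt: dict) -> list:
    """Flatten a statement's Principal element ("*", {"AWS": "..."} or a list) to strings."""
    p = stmt.get("Principal")
    if p == "*":
        return ["*"]
    if isinstance(p, dict):
        out = []
        for v in p.values():
            out.extend(v if isinstance(v, list) else [v])
        return out
    return []


def audit_policy(policy: dict, oai_id: str) -> list:
    """Hypothetical check: list Allow statements that grant to anyone other than
    the expected OAI. An empty list means only the OAI can read."""
    findings = []
    expected = oai_principal_arn(oai_id)
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "?")
        for principal in _principals(stmt):
            if principal == "*" and "Condition" not in stmt:
                findings.append(f"{sid}: unconditional public grant")
            elif principal != "*" and principal != expected:
                findings.append(f"{sid}: grants to unexpected principal {principal}")
    return findings


def apply_with_boto3(bucket: str, oai_id: str) -> None:
    """Push the policy to S3. Needs boto3 and credentials, so it is not run offline."""
    import boto3
    s3 = boto3.client("s3")
    s3.put_bucket_policy(Bucket=bucket, Policy=json.dumps(oai_bucket_policy(bucket, oai_id)))


if __name__ == "__main__":
    good = oai_bucket_policy(BUCKET, OAI_ID)
    print(json.dumps(good, indent=2))
    print(json.dumps(s3_origin_config(BUCKET, REGION, OAI_ID), indent=2))
    print("findings:", audit_policy(good, OAI_ID))

    # A policy left over from the bucket's public days: the OAI grant is there,
    # but so is a public one, so OAI is being bypassed.
    leaky = oai_bucket_policy(BUCKET, OAI_ID)
    leaky["Statement"].append({
        "Sid": "PublicReadGetObject",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": f"arn:aws:s3:::{BUCKET}/*",
    })
    print("findings:", audit_policy(leaky, OAI_ID))
```

The audit deliberately treats any `Allow` to a principal other than the OAI as a finding: a second grant, public or not, is exactly the bypass the OAI was supposed to remove. Run it against `get_bucket_policy` output before and after the switch to CloudFront.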
When to Use
Use OAI when you want to keep your Amazon S3 bucket private but still deliver its content through CloudFront. This is common for websites, apps, or media streaming where you want to control access and improve performance. Note that OAI only works with the S3 REST endpoint as the origin; the S3 static-website endpoint ignores it, so a bucket configured as a website origin still has to be public.
For example, if you have images or videos stored in S3 that should not be publicly accessible, OAI ensures only CloudFront can fetch them. This prevents users from bypassing CloudFront and accessing the files directly, which could expose your content or increase costs.
Key Points
- OAI is a special CloudFront user to access private S3 buckets.
- It prevents direct public access to S3 content.
- Use OAI to secure content delivery and control access.
- OAI works through two settings: the bucket policy grants the OAI read permission, and the distribution's S3 origin references the OAI.
- It removes the direct-to-S3 path, so CloudFront's caching, TLS, and access controls cannot be bypassed.