laurilehmijoki / s3_website

Manage an S3 website: sync, deliver via CloudFront, benefit from advanced S3 website features.
Other
2.24k stars 187 forks source link

Compatibility with CloudFront "Origin Access Identity" usage? #313

Open moved-to-gitlab opened 6 years ago

moved-to-gitlab commented 6 years ago

Can I use this gem after configuring AWS's Origin Access Identity, which uses a CloudFront distribution granted read permissions for a non-public S3 bucket not configured for static website hosting? (The idea is to force all traffic via CloudFront, since CloudFront pricing is lower than S3 pricing.)

With this configuration, the CloudFront distribution uses the S3 bucket's REST API endpoint for the "Origin Domain Name" and not the static website endpoint.

Ideally all files in the S3 bucket remain --acl private, the bucket is never enabled for static website hosting, and the CloudFront distribution serves all objects. Direct access by end-users to S3 objects is never permitted, even if someone discovers the bucket and object names.

For clarity, here are the current server responses which I wish to preserve, using a CloudFront distribution with an Alternate Domain Name:

http://BUCKET.s3-website-us-east-1.amazonaws.com/FILE.EXT   404 Not Found
https://XXXXXXXXXXXXX.cloudfront.net/FILE.EXT               200 OK
https://WWW.EXAMPLE.COM/FILE.EXT                            200 OK
https://s3-us-east-1.amazonaws.com/BUCKET/FILE.EXT          403 Forbidden

Lastly, thanks for an amazing piece of software. I use it regularly with standard configurations, CloudFront, and public S3 buckets, and it has worked flawlessly for a long time.