CloudFront distributions should use origin access control

문서 > Datadog 보안 > OOTB Rules > CloudFront distributions should use origin access control

이 페이지는 아직 한국어로 제공되지 않으며 번역 작업 중입니다. 번역에 관한 질문이나 의견이 있으시면 언제든지 저희에게 연락해 주십시오.

Description

This control verifies that every S3-based origin used in an Amazon CloudFront distribution has origin access control (OAC) enabled. S3-based origins that use static website hosting domains (such as bucket-name.s3-website.<region>.amazonaws.com) are excluded from this control, as they are assumed to be intentionally public.

When an S3 bucket serves as the origin for a CloudFront distribution, OAC should be activated to restrict access. This ensures that content is accessible only through the designated CloudFront distribution while preventing direct access from the bucket or other distributions.

Note that origin access identity (OAI) has been deprecated by Amazon in favor of OAC. CloudFront distributions using OAI should be migrated to OAC to benefit from enhanced security controls.

Remediation

For instructions on enabling OAC for a CloudFront distribution, refer to the Restrict access to an Amazon Simple Storage Service origin section of the Amazon CloudFront Developer Guide.