Protect your S3-hosted static website with Origin Access Control

Fatzombi
5 min read · May 23, 2024

I previously wrote about Deploying a Jekyll website to AWS S3 with GitHub Actions and AWS CloudFormation. However, the more I learn about AWS, the more tweaks I realize we can make.

What I want to walk through today is removing public access from the S3 bucket that hosts our static site. We will configure an Origin Access Control to allow only CloudFront to access the S3 bucket. There’s one caveat to our use case, but we can resolve that using CloudFront Functions.

We’ll be performing these steps through the AWS Console, but you could likely tweak the CloudFormation template that we created in the previous article.

Disclaimer

The method we are implementing requires the use of a CloudFront function. The Always Free Tier includes 2 million function invocations per month. You can estimate the cost from the number of requests you receive per month, since each request will invoke our function.

Adding an Origin Access Control policy to the CloudFront distribution

Navigate to your Distribution and click Edit under Settings.
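The goal stated at the top, that only CloudFront can read the bucket, can be checked against the bucket policy once the change is in place. The following is an added example, not code from the original article: it audits a policy document offline and is deliberately strict, accepting only the `cloudfront.amazonaws.com` service principal pinned to one distribution with a `StringEquals` condition on `AWS:SourceArn`. The bucket name, account ID and distribution ID are constructed placeholders.

```python
import json

# Constructed sample values: account ID, distribution ID and bucket name are placeholders.
DIST_ARN = "arn:aws:cloudfront::111122223333:distribution/EXAMPLEDISTID"

# "Before": the public-read policy typical of S3 static website hosting.
PUBLIC_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "PublicReadGetObject", "Effect": "Allow", "Principal": "*",
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-site-bucket/*",
}]})

# "After": read access granted only to CloudFront, scoped to one distribution.
OAC_POLICY = json.dumps({"Version": "2012-10-17", "Statement": {
    "Sid": "AllowCloudFrontServicePrincipalReadOnly", "Effect": "Allow",
    "Principal": {"Service": "cloudfront.amazonaws.com"},
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-site-bucket/*",
    "Condition": {"StringEquals": {"AWS:SourceArn": DIST_ARN}},
}})


def _as_list(value):
    # Policy fields may hold a single value or a list of values.
    return value if isinstance(value, list) else [value]


def audit_policy(policy_json, distribution_arn):
    """Return findings; an empty list means only this distribution is allowed."""
    findings = []
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        principal = stmt.get("Principal")
        is_dict = isinstance(principal, dict)
        if principal == "*" or (is_dict and "*" in _as_list(principal.get("AWS", []))):
            findings.append(f"{sid}: public principal")
            continue
        services = _as_list(principal.get("Service", [])) if is_dict else []
        if services != ["cloudfront.amazonaws.com"]:
            findings.append(f"{sid}: unexpected principal {principal!r}")
            continue
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        # Condition keys are case-insensitive, so compare them lowercased.
        arns = [a for k, v in cond.items() if k.lower() == "aws:sourcearn"
                for a in _as_list(v)]
        if arns != [distribution_arn]:
            findings.append(f"{sid}: CloudFront principal not pinned to this distribution")
    return findings
```

A clean result covers the bucket policy only; object ACLs and the bucket's Block Public Access settings are separate controls.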
