Serve images with CloudFront + S3

Tsubasa Kondo
3 min read · May 27, 2019

1. Create an S3 bucket

Open “Services > S3”.

Then, create an S3 bucket with all recommended settings.

Block all public access, as shown in the image above.

2. Create a CloudFront distribution

Open “Services > CloudFront”.

Then, create a distribution.

Origin Domain Name: [Your S3 bucket]
Select the S3 bucket created in step 1.
Restrict Bucket Access: Yes
Setting this to Yes restricts access to the S3 bucket so that it can be reached only through CloudFront.
Origin Access Identity:
If this is your first CloudFront distribution, select "Create a New Identity". If you have already created an "origin access identity", you can select it under "Use an Existing Identity". One "origin access identity" is usually sufficient.
Grant Read Permissions on Bucket: Yes, Update Bucket Policy
If this is set to "Yes", a policy statement is automatically added to the S3 bucket policy. See step 3 for details.

All other values are default values (recommended values).

See the screen captures above. The images in the S3 bucket shown under “Origin ID” are served from the URL shown under “Domain Name”.

3. Check the S3 bucket policy

See “Services > S3 > [Your bucket] > Permissions > Bucket Policy”.

You can see that a policy like the one in the image above has been set automatically.
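The check in step 3 can also be scripted. The following is an added example, not part of the original post: it audits a bucket policy and reports any Allow statement that goes beyond read-only access for a CloudFront origin access identity. The bucket name, the OAI ID and the function names are constructed for illustration, and only the ARN form of the OAI principal is recognised.

```python
import json

OAI_PREFIX = "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity "

# Constructed sample in the shape of the policy CloudFront writes for an OAI.
# The bucket name and OAI ID are placeholders, not values from the article.
SAMPLE_POLICY = json.loads("""
{"Version": "2008-10-17", "Id": "PolicyForCloudFrontPrivateContent",
 "Statement": [{
   "Sid": "1", "Effect": "Allow",
   "Principal": {"AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity EXAMPLEOAIID"},
   "Action": "s3:GetObject",
   "Resource": "arn:aws:s3:::example-images-bucket/*"}]}
""")

def as_list(value):
    """Policy fields may hold a single value or a list of values."""
    return value if isinstance(value, list) else [value]

def principals_of(stmt):
    """Flatten the Principal element ("*" or {"AWS": ...}) into a list."""
    p = stmt.get("Principal", "<missing>")
    if isinstance(p, dict):
        return [v for vals in p.values() for v in as_list(vals)] or ["<missing>"]
    return [p]

def audit_policy(policy):
    """Return findings for Allow statements wider than OAI read access."""
    findings, oai_read = [], False
    for stmt in as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "?")
        outsiders = [p for p in principals_of(stmt) if not str(p).startswith(OAI_PREFIX)]
        extra = [a for a in as_list(stmt.get("Action", "<NotAction>"))
                 if a.lower() != "s3:getobject"]
        if outsiders:
            findings.append(f"Sid {sid}: Allow for non-OAI principal {outsiders}")
        if extra:
            findings.append(f"Sid {sid}: grants more than s3:GetObject: {extra}")
        if not outsiders and not extra:
            oai_read = True
    if not oai_read:
        findings.append("no statement grants s3:GetObject to a CloudFront OAI only")
    return findings

if __name__ == "__main__":
    print(audit_policy(SAMPLE_POLICY))
```

To audit a live bucket, load the JSON returned by `aws s3api get-bucket-policy --bucket <your-bucket> --query Policy --output text` with `json.loads` and pass it to `audit_policy`.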

4. Operation Check

Upload an image to S3 for testing. Leave all values at their defaults (recommended values).

First, open the S3 “Object URL” and check that it returns “Access Denied”.

Next, open the image under CloudFront’s “Domain Name” and check that it is displayed.

5. For more information

https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-restricting-access-to-s3.html


I am a Japanese software developer living in Mandalay (Myanmar).