
CloudFront distributions should have origin access identity enabled

Severity: Medium

Resource Types: AWS::CloudFront::Distribution

Description

This control checks whether an Amazon CloudFront distribution that has an origin of the Amazon S3 type has an origin access identity (OAI) configured on that origin. The control fails if the distribution has an S3 origin with no OAI.

An OAI is a special CloudFront principal. You grant it read access in the S3 bucket policy and block public access to the bucket, so the objects can be fetched only through the distribution. Without an OAI, the bucket has to be publicly readable for the distribution to serve it, and anyone who learns the bucket URL can read the content directly, bypassing CloudFront and everything enforced at the edge: HTTPS-only viewer access, signed URLs and cookies, geographic restrictions, and AWS WAF rules.

Two caveats apply. An OAI only works with an S3 origin that is configured as a REST endpoint; a bucket configured as an S3 static website endpoint is treated as a custom origin and cannot use one. OAI is also the legacy mechanism: CloudFront now recommends origin access control (OAC) for S3 origins, which additionally supports objects encrypted with SSE-KMS, dynamic requests (PUT and DELETE) to the origin, and S3 buckets in all AWS Regions.

Remediation

Remediation has three parts: create an OAI, attach it to the S3 origin in the distribution, and rewrite the bucket policy so that only the OAI can read the objects (removing any public-read grants and enabling S3 Block Public Access). For detailed instructions, see Creating a CloudFront OAI and adding it to your distribution in the Amazon CloudFront Developer Guide.
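The following is an added example, not part of the Security Hub documentation, showing the control's logic and the remediation steps in code. It evaluates a CloudFront DistributionConfig the way the description above states (an S3 origin is one carrying an S3OriginConfig block; it passes when that block names an OAI), produces the updated origin and the OAI-only bucket policy, and wraps the live API calls in a boto3 function. The distribution configs, bucket name, OAI ID and the one-bucket-per-distribution assumption in `remediate` are constructed for illustration.

```python
"""Added example for the CloudFront OAI control: evaluate a distribution
config as the control does and build the remediation pieces (an origin with
the OAI attached, and a bucket policy restricted to that OAI).
All sample configs and identifiers are constructed for illustration."""
import copy
import json

# CloudFront records an attached OAI on the S3 origin as this prefix + OAI ID.
OAI_PREFIX = "origin-access-identity/cloudfront/"


def s3_origins_without_oai(distribution_config):
    """Return the Id of each S3-type origin that has no OAI attached.

    Only origins carrying an S3OriginConfig block are S3 origins. Custom origins
    (ALBs, S3 static website endpoints, ...) carry CustomOriginConfig instead,
    cannot use an OAI, and are skipped, as the control skips them.
    """
    failing = []
    for origin in distribution_config.get("Origins", {}).get("Items", []):
        s3_cfg = origin.get("S3OriginConfig")
        if s3_cfg is None:
            continue
        oai = s3_cfg.get("OriginAccessIdentity", "")
        # An unset OAI is the empty string; a set one is prefix + non-empty ID.
        if not oai.startswith(OAI_PREFIX) or len(oai) == len(OAI_PREFIX):
            failing.append(origin["Id"])
    return failing


def evaluate(distribution_config):
    """Control verdict: FAILED if any S3 origin lacks an OAI, else PASSED."""
    failing = s3_origins_without_oai(distribution_config)
    return ("FAILED" if failing else "PASSED"), failing


def with_oai(distribution_config, origin_id, oai_id):
    """Return a copy of the config with the OAI attached to the named origin.

    This is the DistributionConfig you send back with UpdateDistribution
    after CreateCloudFrontOriginAccessIdentity returned oai_id.
    """
    cfg = copy.deepcopy(distribution_config)
    for origin in cfg["Origins"]["Items"]:
        if origin["Id"] == origin_id:
            if "S3OriginConfig" not in origin:
                raise ValueError(f"{origin_id} is not an S3 origin; an OAI does not apply")
            origin["S3OriginConfig"]["OriginAccessIdentity"] = OAI_PREFIX + oai_id
            return cfg
    raise KeyError(f"no origin with Id {origin_id}")


def oai_bucket_policy(bucket_name, oai_id):
    """Bucket policy granting s3:GetObject to the OAI principal only.

    Pair it with S3 Block Public Access (and removal of public ACL grants) so
    the OAI grant is the only read path to the objects.
    """
    principal = f"arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity {oai_id}"
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowCloudFrontOAIReadOnly",
            "Effect": "Allow",
            "Principal": {"AWS": principal},
            "Action": "s3:GetObject",
            "Resource": f"arn:aws:s3:::{bucket_name}/*",
        }],
    }


# Constructed sample: one S3 origin with no OAI plus one custom (API) origin.
FAILING_CONFIG = {
    "CallerReference": "example-1",
    "Origins": {"Quantity": 2, "Items": [
        {"Id": "s3-assets", "DomainName": "example-assets.s3.amazonaws.com",
         "S3OriginConfig": {"OriginAccessIdentity": ""}},
        {"Id": "api", "DomainName": "api.example.com",
         "CustomOriginConfig": {"HTTPPort": 80, "HTTPSPort": 443,
                                "OriginProtocolPolicy": "https-only"}},
    ]},
}
# Constructed sample that satisfies the control (hypothetical OAI ID).
PASSING_CONFIG = with_oai(FAILING_CONFIG, "s3-assets", "E1EXAMPLE")


def remediate(distribution_id, bucket_name, comment="OAI for CloudFront control"):
    """Live remediation with boto3 (needs credentials; not exercised offline).
    Assumes every failing S3 origin of the distribution reads from bucket_name."""
    import boto3  # imported lazily so the pure checks above run without it
    cf, s3 = boto3.client("cloudfront"), boto3.client("s3")
    resp = cf.get_distribution_config(Id=distribution_id)
    cfg, etag = resp["DistributionConfig"], resp["ETag"]
    failing = s3_origins_without_oai(cfg)
    if not failing:
        return cfg
    oai_id = cf.create_cloud_front_origin_access_identity(
        CloudFrontOriginAccessIdentityConfig={"CallerReference": f"oai-{distribution_id}",
                                              "Comment": comment}
    )["CloudFrontOriginAccessIdentity"]["Id"]
    for origin_id in failing:
        cfg = with_oai(cfg, origin_id, oai_id)
    cf.update_distribution(Id=distribution_id, IfMatch=etag, DistributionConfig=cfg)
    s3.put_bucket_policy(Bucket=bucket_name,
                         Policy=json.dumps(oai_bucket_policy(bucket_name, oai_id)))
    return cfg


if __name__ == "__main__":
    print(evaluate(FAILING_CONFIG))  # ('FAILED', ['s3-assets'])
    print(evaluate(PASSING_CONFIG))  # ('PASSED', [])
    print(json.dumps(oai_bucket_policy("example-assets", "E1EXAMPLE"), indent=2))
```

Run the script offline to see the verdict for both sample configs and the generated bucket policy; `remediate("E2EXAMPLEDIST", "example-assets")` performs the three remediation steps against a real account. Note that the bucket policy alone does not close the bypass: public ACL grants on individual objects still allow direct reads until Block Public Access is turned on for the bucket.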