Security & Access Control

Protection and Authentication Mechanisms

Origin Access Identity (OAI)

Restrict direct access to the S3 bucket so that only CloudFront can reach it.

Virtual user for CloudFront
S3 bucket policy integration
Prevents direct S3 access

Signed URLs & Cookies

Control access to private content with time-limited authentication.

Time-based access control
IP address restrictions
Premium content protection

SSL/TLS Certificates

Secure content delivery with HTTPS encryption.

AWS Certificate Manager integration
Custom SSL certificates
SNI and dedicated IP options

AWS WAF Integration

SQL Injection Protection

Block malicious SQL injection attempts

XSS Protection

Prevent cross-site scripting attacks

Rate Limiting

Control request rates from IP addresses

Security Exam Tips

  • OAI restricts direct S3 access and forces traffic through CloudFront
  • Signed URLs for individual files, signed cookies for multiple files
  • AWS Shield Standard provides DDoS protection automatically
  • WAF can be integrated for application-layer protection