AWS recently rolled out a new L2 construct in the AWS Cloud Development Kit (CDK) specifically for CloudFront Origin Access Control (OAC). This addition aims to make it easier for developers to secure Amazon S3 origins with CloudFront using modern security practices.
With the increased focus on secure, scalable architectures, OAC has become the go-to method for securing CloudFront distributions, surpassing the legacy Origin Access Identity (OAI) in both functionality and security. Let's dive into how this new construct works, its benefits, and the migration from OAI to OAC.
What is AWS CDK and Why Use Constructs?
The AWS CDK is an open-source framework that allows you to define cloud infrastructure in code, primarily using languages like TypeScript, Python, and Java. CDK applications are based on constructs—modular building blocks that encapsulate resources and their configurations.
- Level 1: Direct mappings to CloudFormation resources, without added abstraction.
- Level 2: These offer higher-level abstractions, with an intent-based API that simplifies AWS service integration.
L2 constructs streamline the configuration process by embedding best practices and intuitive defaults, and that's precisely what the new OAC construct brings to the table.
Why Origin Access Control (OAC) Matters for CloudFront Security
Amazon CloudFront is a global content delivery network (CDN) that reduces latency by caching content at edge locations close to users. It serves that content from origins such as Amazon S3 buckets, Lambda function URLs, or custom HTTP servers, and the security question for a private origin is how to stop clients from bypassing CloudFront and reaching the origin directly. OAC, introduced in August 2022, is AWS's recommended answer for S3 origins, providing:
Enhanced Security: OAC signs origin requests with AWS Signature Version 4 using short-lived, automatically rotated credentials, works with S3 buckets encrypted with AWS Key Management Service (SSE-KMS), and is available in all AWS Regions, including opt-in Regions launched after December 2022.
More Functionality: Unlike OAI, OAC can authorize dynamic requests such as PUT and DELETE, so the same distribution can front an interactive application. The construct still grants read-only access by default (`AccessLevel.READ`); write and delete permissions must be requested explicitly through `originAccessLevels`.
Built-in Flexibility: the construct generates the bucket policy (and, for SSE-KMS, the key policy) itself, eliminating the `CfnOriginAccessControl` plus escape-hatch workaround that earlier CDK versions required.
OAC restricts direct access to the S3 bucket so that objects are reachable only through CloudFront, where additional controls (such as AWS WAF) apply. The bucket policy it produces grants the `cloudfront.amazonaws.com` service principal access conditioned on the distribution's ARN (`AWS:SourceArn`), so only that one distribution can read the bucket; keep S3 Block Public Access enabled so the bucket policy is the only path in.
Enhanced Security with SSE-KMS Encryption
Encrypting S3 objects is a best practice, particularly when sensitive data is involved. The new OAC L2 construct makes SSE-KMS straightforward: when the bucket is encrypted with a KMS key defined in the same CDK app, it adds a key-policy statement that lets the distribution use the key, so CloudFront is not denied when it decrypts objects. If the key is imported rather than defined in CDK, that key-policy update has to be made by hand.
Migrating from Origin Access Identity (OAI) to Origin Access Control (OAC)
If you are currently using OAI, migrating to OAC may look daunting, but the construct is designed to minimize downtime. The process is three deployments, in this order:
- First Deployment: keep the distribution on OAI, but update the S3 bucket policy so that both the OAI principal and the OAC (the CloudFront service principal, pinned to the distribution ARN) are allowed.
- Second Deployment: switch the origin to the OAC-based L2 construct (`S3BucketOrigin.withOriginAccessControl`). Because the bucket already trusts both principals, requests keep succeeding during the switch.
- Final Clean-Up: remove the OAI-specific code and the OAI bucket-policy statement. Skipping the first deployment and switching straight to OAC would leave the distribution with no matching grant until the policy update lands, which is exactly the outage this ordering avoids.
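To make the policy mechanics above concrete, here is an added example (not code from this post or from the CDK project): a dependency-free TypeScript model of the bucket-policy statement an OAC needs, the legacy OAI statement, the extra KMS key-policy statement for SSE-KMS, an audit check that flags any CloudFront grant not pinned to a distribution ARN, and the three migration deployments checked for a step that would leave the distribution without a grant. It mirrors the shape of what the construct synthesizes rather than calling the CDK, and the `AccessLevel` mapping to S3 actions, the account, bucket, distribution and OAI IDs, and the function names are all assumptions made for the example.

```typescript
// Added example, not code from the post or the CDK project: a dependency-free TypeScript
// model of the bucket and key policy statements CloudFront OAC and OAI need, an audit
// check for unpinned grants, and the three migration deployments. IDs are placeholders.

interface Statement {
  Sid?: string;
  Effect: "Allow" | "Deny";
  Principal: { Service: string } | { AWS: string };
  Action: string[];
  Resource: string;
  Condition?: Record<string, Record<string, string>>;
}
interface PolicyDocument { Version: "2012-10-17"; Statement: Statement[] }
// Mirrors the construct's originAccessLevels option; READ is its default.
type AccessLevel = "READ" | "WRITE" | "DELETE";
const ACTIONS: Record<AccessLevel, string> = {
  READ: "s3:GetObject", WRITE: "s3:PutObject", DELETE: "s3:DeleteObject",
};
const distributionArn = (account: string, distributionId: string): string =>
  `arn:aws:cloudfront::${account}:distribution/${distributionId}`;
// OAC grant: the CloudFront service principal, pinned to ONE distribution via AWS:SourceArn.
function oacBucketStatement(bucket: string, account: string, distributionId: string,
                            levels: AccessLevel[] = ["READ"]): Statement {
  return {
    Sid: "AllowCloudFrontServicePrincipal",
    Effect: "Allow",
    Principal: { Service: "cloudfront.amazonaws.com" },
    Action: levels.map((l) => ACTIONS[l]),
    Resource: `arn:aws:s3:::${bucket}/*`,
    Condition: { StringEquals: { "AWS:SourceArn": distributionArn(account, distributionId) } },
  };
}

// Legacy OAI grant: an IAM principal CloudFront owns; it cannot be scoped by SourceArn.
function oaiBucketStatement(bucket: string, oaiId: string): Statement {
  return {
    Sid: "AllowLegacyOAI",
    Effect: "Allow",
    Principal: { AWS: `arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity ${oaiId}` },
    Action: ["s3:GetObject"],
    Resource: `arn:aws:s3:::${bucket}/*`,
  };
}
// SSE-KMS: the key policy needs the same pinned grant, or CloudFront is denied on decrypt.
function oacKeyStatement(account: string, distributionId: string): Statement {
  return {
    Sid: "AllowCloudFrontServicePrincipalSSE-KMS",
    Effect: "Allow",
    Principal: { Service: "cloudfront.amazonaws.com" },
    Action: ["kms:Decrypt", "kms:Encrypt", "kms:GenerateDataKey*"],
    Resource: "*",
    Condition: { StringEquals: { "AWS:SourceArn": distributionArn(account, distributionId) } },
  };
}

const policy = (statements: Statement[]): PolicyDocument =>
  ({ Version: "2012-10-17", Statement: statements });
const sourceArnOf = (s: Statement) => s.Condition?.StringEquals?.["AWS:SourceArn"];
const isCloudFrontAllow = (s: Statement) =>
  s.Effect === "Allow" && "Service" in s.Principal && s.Principal.Service === "cloudfront.amazonaws.com";

// Audit: an Allow for cloudfront.amazonaws.com without a distribution ARN condition lets
// ANY distribution in ANY AWS account read the bucket. Returns the offending Sids.
function findUnpinnedCloudFrontGrants(doc: PolicyDocument): string[] {
  return doc.Statement
    .filter((s) => isCloudFrontAllow(s) && !sourceArnOf(s)?.startsWith("arn:aws:cloudfront::"))
    .map((s) => s.Sid ?? "<no Sid>");
}

// How the distribution's S3 origin is configured at a point in the rollout.
interface OriginConfig { oaiId?: string; useOac?: boolean }
// Does the bucket policy grant the principal this origin actually signs requests with?
function originIsGranted(doc: PolicyDocument, origin: OriginConfig,
                         account: string, distributionId: string): boolean {
  if (origin.useOac) {
    return doc.Statement.some((s) =>
      isCloudFrontAllow(s) && sourceArnOf(s) === distributionArn(account, distributionId));
  }
  return doc.Statement.some((s) => s.Effect === "Allow" && "AWS" in s.Principal
    && origin.oaiId !== undefined && s.Principal.AWS.endsWith(` ${origin.oaiId}`));
}

interface MigrationStep { name: string; policy: PolicyDocument; origin: OriginConfig }
// The three deployments from the post: the origin switches principals only after the
// bucket policy already trusts both, so no step leaves the distribution without a grant.
function migrationPlan(bucket: string, account: string, distId: string, oaiId: string): MigrationStep[] {
  const oai = oaiBucketStatement(bucket, oaiId);
  const oac = oacBucketStatement(bucket, account, distId);
  return [
    { name: "deploy 1: add OAC grant, origin still on OAI", policy: policy([oai, oac]), origin: { oaiId } },
    { name: "deploy 2: switch the origin to OAC", policy: policy([oai, oac]), origin: { useOac: true } },
    { name: "deploy 3: drop the OAI grant", policy: policy([oac]), origin: { useOac: true } },
  ];
}
const planIsDowntimeFree = (plan: MigrationStep[], account: string, distId: string): boolean =>
  plan.every((step) => originIsGranted(step.policy, step.origin, account, distId));
```

The audit function is the piece worth keeping around: run it over the bucket policy CDK synthesizes (or over a policy pulled with `aws s3api get-bucket-policy`) and anything it returns is a CloudFront grant that does not name your distribution. The migration check encodes the ordering rule from the steps above; reordering it to switch the origin before the OAC grant exists is the case `originIsGranted` reports as false.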
Key Benefits of the New OAC L2 Construct
In summary, the new L2 construct for OAC provides several advantages:
- Simplified Setup: A high-level interface that minimizes configuration complexity.
- SSE-KMS Support: Simplified permissions management for KMS-encrypted S3 buckets.
- Flexible Customization: Adjust defaults such as the signing behaviour (`Signing.SIGV4_ALWAYS` by default, with `SIGV4_NO_OVERRIDE` and `NEVER` as alternatives) and the access levels granted to the distribution.
- Smooth Migration Path: Built-in support for both OAI and OAC origins, so the transition from OAI to OAC is a matter of ordered deployments rather than manual policy surgery.
The OAC L2 construct currently supports only Amazon S3 as an origin. For other origin types, AWS encourages feedback in the aws-cdk GitHub repository, where you can request additional features, such as OAC support for Lambda function URL origins.
Conclusion:
This new L2 construct is a step forward in making secure, scalable CloudFront-S3 integrations accessible to all. Whether you’re a beginner in CDK or a seasoned DevOps professional, the OAC construct enables robust security with minimal configuration, setting you up for success in your cloud journey.