Amazon CloudFront with multiple origin S3 buckets

Aswin Kumar Rajendran
3 min read · Jun 29, 2021

Learn how to configure an Amazon CloudFront Distribution with multiple origin S3 buckets.


Assumptions

  • CloudFront distribution and S3 buckets created.
  • S3 Buckets are private.
  • CloudFront OAI configured to allow bucket access only via CloudFront.

Below is an example bucket policy for bucket1 that grants read access only to the distribution's OAI and denies any request that does not arrive over TLS (the aws:SecureTransport condition). The Deny lists both the bucket ARN and the object ARN on purpose: a Deny on bucket1/* alone leaves bucket-level calls such as ListBucket reachable over plain HTTP.
Note: change the bucket name to your bucket's name and replace XXXXXXXX with your OAI ID (the identifier beginning with E shown in the CloudFront console). OAI is what this post uses; for new distributions AWS now recommends origin access control (OAC), which replaces the OAI user ARN with the cloudfront.amazonaws.com service principal and an AWS:SourceArn condition on the distribution.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "EnableEncryptedCommunications",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::bucket1",
        "arn:aws:s3:::bucket1/*"
      ],
      "Condition": {
        "Bool": {
          "aws:SecureTransport": "false"
        }
      }
    },
    {
      "Sid": "AllowAccessFromCloudFront",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity XXXXXXXX"
      },
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::bucket1/*"
    }
  ]
}
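The policy above is easy to get subtly wrong (a Deny that covers only the object ARN, an Allow whose principal is a stale OAI, an Allow that grants more than s3:GetObject). The script below is an added example, not code from the original post: it generates the policy for a given bucket and OAI ID and audits an arbitrary policy document for the three properties this post relies on. The bucket name "bucket1" and the OAI ID "E1AAAAAAAAAAAA" are placeholders.

```python
"""Generate and audit the bucket policy for an OAI-only S3 origin.

Added example, not from the original post. Assumed placeholders: bucket
"bucket1", OAI ID "E1AAAAAAAAAAAA". The output of bucket_policy() has the
same shape as the JSON in the post and can be passed (json.dumps'd) to
s3.put_bucket_policy(); the audit encodes what the post wants: TLS only,
read only, and only by the named OAI.
"""
import json


def oai_principal(oai_id):
    # Exact principal ARN form CloudFront uses for an origin access identity.
    return f"arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity {oai_id}"


def bucket_policy(bucket, oai_id):
    bucket_arn = f"arn:aws:s3:::{bucket}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "EnableEncryptedCommunications",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:*",
                # Both ARNs: bucket-level calls (ListBucket) are not matched by "/*".
                "Resource": [bucket_arn, bucket_arn + "/*"],
                "Condition": {"Bool": {"aws:SecureTransport": "false"}},
            },
            {
                "Sid": "AllowAccessFromCloudFront",
                "Effect": "Allow",
                "Principal": {"AWS": oai_principal(oai_id)},
                "Action": "s3:GetObject",
                "Resource": bucket_arn + "/*",
            },
        ],
    }


def policy_json(bucket, oai_id):
    """Serialised form for put_bucket_policy(Bucket=..., Policy=...)."""
    return json.dumps(bucket_policy(bucket, oai_id), indent=2)


def _listed(value):
    """IAM allows most fields to be a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def audit(policy, bucket, oai_id):
    """Return human-readable findings; an empty list means the policy matches
    the intended posture (TLS only, read only, only via this OAI)."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    findings = []
    tls_deny_objects = tls_deny_bucket = False
    for st in policy["Statement"]:
        sid = st.get("Sid", "<no Sid>")
        actions = _listed(st.get("Action"))
        resources = _listed(st.get("Resource"))
        bool_cond = st.get("Condition", {}).get("Bool", {})
        if st["Effect"] == "Deny" and bool_cond.get("aws:SecureTransport") == "false":
            if "s3:*" in actions or "*" in actions:
                tls_deny_objects |= bucket_arn + "/*" in resources
                tls_deny_bucket |= bucket_arn in resources
            continue
        if st["Effect"] != "Allow":
            continue
        principal = st.get("Principal")
        if principal == "*" or principal == {"AWS": "*"}:
            findings.append(f"{sid}: grants anonymous access")
        elif not isinstance(principal, dict) or _listed(principal.get("AWS")) != [oai_principal(oai_id)]:
            findings.append(f"{sid}: principal is not the expected OAI")
        extra = sorted(set(actions) - {"s3:GetObject"})
        if extra:
            findings.append(f"{sid}: allows more than s3:GetObject: {extra}")
    if not tls_deny_objects:
        findings.append("no Deny for aws:SecureTransport=false on the object ARN")
    if not tls_deny_bucket:
        findings.append("no Deny for aws:SecureTransport=false on the bucket ARN (ListBucket over HTTP is not blocked)")
    return findings


if __name__ == "__main__":
    print(policy_json("bucket1", "E1AAAAAAAAAAAA"))
    print(audit(bucket_policy("bucket1", "E1AAAAAAAAAAAA"), "bucket1", "E1AAAAAAAAAAAA"))
```

Run audit() against the policy you actually have on the bucket (s3.get_bucket_policy returns it as a JSON string) before and after the change; a policy whose Deny names only bucket1/* produces exactly the bucket-ARN finding.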

What do we want to do?

Configure CloudFront so that:
  • requests to the distribution root (xxxx.cloudfront.net/…) are served from S3 bucket 1, named bucket1;
  • requests under the prefix /path/ (xxxx.cloudfront.net/path/…) are served from S3 bucket 2, named bucket2.

Let’s take an example file index.html present in both buckets. We want to access this index.html using the same Cloudfront distribution under different paths pointing to different origin buckets.

xxxx.cloudfront.net/index.html (fetched from S3 Bucket1)
xxxx.cloudfront.net/path/index.html (fetched from S3 Bucket2)

The index.html in bucket2 must sit under a directory named “path” inside the bucket, so its key is s3://bucket2/path/index.html. CloudFront forwards the full request path to the origin as the object key (nothing is stripped unless an Origin Path is configured), so the prefix that selects the behavior must also exist in the bucket.

Let’s do this

Section 1: Configure S3 Bucket 1 as an origin with the Default (*) path pattern behavior
Note: If this was already done when the distribution was created, skip this section.

  1. Make sure index.html is present in the root of bucket1, so its key is s3://bucket1/index.html.
  2. Select the CloudFront distribution in the AWS console.
  3. If no origin and behavior were created with the distribution, create an origin for bucket1 under “Origins and Origin Groups”, restricting bucket access with the OAI, then create a behavior for that origin under “Behaviors”.
  4. Make sure the behavior for bucket1 has the path pattern Default (*). This is the pattern automatically assigned to the first behavior in a distribution; it catches every request that no other behavior matches.
  5. Test the CloudFront URL xxxx.cloudfront.net/index.html (fetched from origin S3 bucket1).

Section 2: Configure S3 Bucket 2 as an origin with the path/* path pattern behavior

  1. Make sure index.html is present in the “path” directory of bucket2, so its key is s3://bucket2/path/index.html.
  2. Select the CloudFront distribution in the AWS console.
  3. Create a second origin for bucket2 under “Origins and Origin Groups”, using a separate OAI; bucket2's bucket policy must grant s3:GetObject to that OAI, not to bucket1's.
  4. Create a behavior for the bucket2 origin under “Behaviors” with the path pattern path/*.
  5. Confirm in the behaviors list that path/* is ordered above Default (*). CloudFront evaluates behaviors in list order and uses the first match; the default behavior is always last.
  6. Test the CloudFront URL xxxx.cloudfront.net/path/index.html (fetched from origin S3 bucket2).
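The two sections above are one procedure, and the console hides the routing rule that makes it work. The script below is an added example, not code from the original post: it builds the same two-origin layout as a DistributionConfig in the shape boto3's cloudfront.create_distribution() expects, and implements CloudFront's behavior matching (first match in list order, Default (*) last, '*' matching any run of characters including slashes) so you can check offline which bucket and key a given viewer path reaches. Origin IDs ("bucket1-origin", "bucket2-origin"), the OAI IDs and the us-east-1 region are assumed placeholders; caching settings are left out.

```python
"""Two private S3 origins behind one CloudFront distribution, modelled offline.

Added example, not code from the original post. Assumed placeholders: origin
IDs "bucket1-origin"/"bucket2-origin", OAI IDs "E1AAAAAAAAAAAA"/"E2BBBBBBBBBBBB",
region us-east-1. Dict shapes follow boto3's
cloudfront.create_distribution(DistributionConfig=...) request syntax; add a
CachePolicyId to each behavior before sending it to AWS.
"""
import re
import uuid

OAI_PREFIX = "origin-access-identity/cloudfront/"


def s3_origin(origin_id, bucket, oai_id, region="us-east-1"):
    """One S3 origin locked to an OAI, via the regional REST endpoint."""
    return {
        "Id": origin_id,
        "DomainName": f"{bucket}.s3.{region}.amazonaws.com",
        "S3OriginConfig": {"OriginAccessIdentity": OAI_PREFIX + oai_id},
    }


def cache_behavior(origin_id, path_pattern=None):
    """Behavior forwarding to origin_id; no path_pattern means the default behavior."""
    b = {
        "TargetOriginId": origin_id,
        "ViewerProtocolPolicy": "redirect-to-https",
        "AllowedMethods": {"Quantity": 2, "Items": ["GET", "HEAD"]},
    }
    if path_pattern is not None:
        b["PathPattern"] = path_pattern
    return b


def distribution_config(bucket1, oai1, bucket2, oai2, sub_path="path"):
    """Default (*) -> bucket1, sub_path/* -> bucket2, exactly as in the post."""
    return {
        "CallerReference": str(uuid.uuid4()),
        "Comment": "single distribution, two private S3 origins",
        "Enabled": True,
        "DefaultRootObject": "index.html",  # applies to the root URL only
        "Origins": {
            "Quantity": 2,
            "Items": [
                s3_origin("bucket1-origin", bucket1, oai1),
                s3_origin("bucket2-origin", bucket2, oai2),
            ],
        },
        "DefaultCacheBehavior": cache_behavior("bucket1-origin"),
        # Evaluated in list order; the default behavior is the fallback.
        "CacheBehaviors": {
            "Quantity": 1,
            "Items": [cache_behavior("bucket2-origin", f"{sub_path}/*")],
        },
    }


def _pattern_regex(pattern):
    """CloudFront path pattern -> regex: '*' is any run of characters (slashes
    included), '?' is one character, matching is case-sensitive, and a leading
    '/' on the pattern is optional."""
    parts = [".*" if c == "*" else "." if c == "?" else re.escape(c)
             for c in pattern.lstrip("/")]
    return re.compile("^" + "".join(parts) + "$", re.DOTALL)


def resolve(config, request_path):
    """Return (origin_id, s3_key) for a viewer request path. The whole path
    minus the leading '/' is forwarded as the key (no OriginPath is set, so
    nothing is stripped); the query string never takes part in matching."""
    key = request_path.split("?", 1)[0].lstrip("/")
    for b in config["CacheBehaviors"]["Items"]:
        if _pattern_regex(b["PathPattern"]).match(key):
            return b["TargetOriginId"], key
    return config["DefaultCacheBehavior"]["TargetOriginId"], key


def bucket_for(config, origin_id):
    """Bucket name behind an origin ID, recovered from its DomainName."""
    for o in config["Origins"]["Items"]:
        if o["Id"] == origin_id:
            return o["DomainName"].split(".s3.", 1)[0]
    raise KeyError(origin_id)


if __name__ == "__main__":
    cfg = distribution_config("bucket1", "E1AAAAAAAAAAAA", "bucket2", "E2BBBBBBBBBBBB")
    for p in ["/index.html", "/path/index.html", "/path", "/pathology/index.html"]:
        origin, key = resolve(cfg, p)
        print(f"{p:24} -> s3://{bucket_for(cfg, origin)}/{key}")
```

Two edge cases worth trying with resolve(): /path (no trailing slash) and /pathology/index.html do not match path/* and fall through to bucket1, and /path/ matches but is forwarded as the key "path/", which S3 does not resolve to path/index.html because the default root object only applies at the distribution root.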

Voila!

That is how a single CloudFront distribution can front several private S3 buckets, each locked to its own OAI and reached under a different path.

This setup is useful when:

  • you want to reuse one distribution for several origin buckets to keep costs down;
  • you want different kinds of data kept in their own S3 buckets but served through a single distribution.

Thank you for Reading!

Reference

CloudFront web distribution to serve content from multiple origins using multiple behaviours

Aswin Kumar Rajendran

Technical Architect — AWS, GCP Certified Solutions Architect working at Presidio with love & experience in building cloud-native applications.