AWS S3 with CloudFront, high-performance security

Services


Amazon CloudFront is a content delivery network (CDN) service built for high performance, security, and developer convenience. It can be used as the frontend of many services (S3 buckets, ELBs, media distribution, and any other HTTP server running on an EC2 instance or any other kind of host).

In addition, CloudFront uses edge locations to cache copies of the content that it serves, so the content is closer to users and can be delivered to them faster. Edge locations are AWS data centers designed to deliver services with the lowest latency possible. Amazon has dozens of these data centers spread across the world. They are closer to users than Regions or Availability Zones, often in major cities, so responses can be fast and snappy.

In this post, we will use CloudFront to deliver access from edge locations to S3 buckets, which can be used for static websites or, in this case, as file server storage.


Resources


First, we create a Terraform infrastructure that contains the following resources:


  • AWS CloudFront Distribution as Frontend access

  • AWS S3 Bucket for Storage

  • AWS Route 53 Zone for records

  • SSL Certificate

  • IAM user/group: Credentials for users

  • IAM Policies: Access to and management of buckets

After applying this plan, we can see the resources below in the AWS Console:


Cloudfront Distribution


AWS S3 Bucket





Note: Remember to set the bucket as private and manage access through CloudFront.



Cloudfront OAI


We need to configure an Origin Access Identity (OAI) because we want CloudFront to access private S3 buckets.




Finally, it is necessary to attach the OAI policies to the CDN (S3 origin config).



Route 53

In this case, we assume that the Route 53 zone already exists, so we will use a Terraform data source to retrieve it.


SSL Certificate

Afterwards, if you don't have an SSL certificate for this record's domain or a wildcard certificate for the whole domain, you can create and deploy a free certificate in ACM:


AWS Certificate Manager - Amazon Web Services (AWS)


IAM


We need to create a group with policies that allow listing and accessing the buckets, then add users to this group.



Policies:

Desktop GUI - S3 Access


Well, we have a CloudFront distribution that is used to access S3 resources and upload/download files, but we don't want users to log in to our AWS platform and navigate through S3; that doesn't seem to be a good practice.


So we will use the Cyberduck client, a desktop application that connects to any Amazon S3 storage region, with support for large file uploads.


If you are on AWS in the US, you need to select the following profile:

Note: If you use other AWS platforms (like GovCloud or China), you can download the right profile from the Cyberduck official website.


Finally, we can connect with the user access keys, navigate and open our buckets, and upload or download files within.









Nicolas Balmaceda

DevOps Engineer

teracloud.io




