Lab: Building High-Performance Content Delivery with Amazon CloudFront and S3 OAC
Unit 5: Networking and Content Delivery
Lab: Building High-Performance Content Delivery with Amazon CloudFront and S3 OAC
This lab focuses on configuring a secure, global content delivery network (CDN) using Amazon CloudFront, backed by an Amazon S3 origin. You will implement Origin Access Control (OAC) to ensure your content is only accessible via the CDN, optimizing both security and performance as per AWS SysOps best practices (Skill 5.2.3 and 5.3.3).
Prerequisites
- AWS Account: An active AWS account with permissions for S3, CloudFront, and Route 53.
- AWS CLI: Configured with an IAM user or role having
PowerUserAccessor equivalent. - IAM Permissions: Ensure you can create S3 buckets and CloudFront distributions.
- Environment: A terminal for CLI commands or access to the AWS Management Console.
Learning Objectives
- Provision a private S3 bucket to serve as a web origin.
- Create a CloudFront distribution with Origin Access Control (OAC).
- Secure S3 content by restricting access exclusively to CloudFront via Bucket Policies.
- Configure Amazon Route 53 for alias record routing (Conceptual/Walkthrough).
- Test and troubleshoot caching and connectivity issues.
Architecture Overview
Step-by-Step Instructions
Step 1: Create the Private S3 Origin
First, we need a bucket to store our static assets. This bucket will NOT be configured for static website hosting; it will remain private.
# Replace <RANDOM_ID> with a unique string
aws s3 mb s3://brainybee-lab-content-<RANDOM_ID> --region us-east-1▶Console alternative
- Navigate to S3 > Create bucket.
- Bucket name:
brainybee-lab-content-<ID>. - Keep Block all public access checked (On).
- Click Create bucket.
Step 2: Upload Sample Content
Create a simple index.html file and upload it to your bucket.
echo "<h1>Hello from BrainyBee CloudFront Lab!</h1>" > index.html
aws s3 cp index.html s3://brainybee-lab-content-<RANDOM_ID>/Step 3: Create CloudFront Origin Access Control (OAC)
OAC is the modern way to secure S3 origins. We must first create the OAC configuration before the distribution.
aws cloudfront create-origin-access-control --origin-access-control-config '{
"Name": "S3-OAC-Lab",
"SigningProtocol": "sigv4",
"SigningBehavior": "always",
"OriginAccessControlOriginType": "s3"
}'Step 4: Deploy the CloudFront Distribution
Deploy the distribution pointing to your S3 bucket using the OAC created in Step 3.
[!TIP] In the AWS Console, choosing the S3 bucket from the dropdown will automatically prompt you to create or use an OAC.
- Navigate to CloudFront > Create distribution.
- Origin domain: Select your S3 bucket.
- Origin access: Select Origin access control settings (recommended).
- OAC: Select the one created in Step 3.
- Viewer Protocol Policy: Select Redirect HTTP to HTTPS.
- Default cache behavior: Keep defaults (Optimized for S3).
- Click Create distribution.
Step 5: Update S3 Bucket Policy
CloudFront provides a policy snippet after creation. You must apply this to S3 to allow CloudFront to read your objects.
{
"Version": "2012-10-17",
"Statement": {
"Sid": "AllowCloudFrontServicePrincipalReadOnly",
"Effect": "Allow",
"Principal": {
"Service": "cloudfront.amazonaws.com"
},
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::brainybee-lab-content-<RANDOM_ID>/*",
"Condition": {
"StringEquals": {
"AWS:SourceArn": "arn:aws:cloudfront::<ACCOUNT_ID>:distribution/<DISTRIBUTION_ID>"
}
}
}
}Apply this in the S3 Console under Permissions > Bucket Policy.
Checkpoints
| Verification Task | Action | Expected Result |
|---|---|---|
| Direct S3 Access | Browse to https://<bucket>.s3.amazonaws.com/index.html | Access Denied (403) |
| CloudFront Access | Browse to https://<distribution-id>.cloudfront.net/index.html | Success (200) displaying HTML |
| Cache Check | Run curl -I <CF-URL> twice | X-Cache: Hit from cloudfront on second run |
Troubleshooting
| Issue | Possible Cause | Fix |
|---|---|---|
| 403 Forbidden | S3 Bucket Policy is missing or has wrong ARN | Verify the SourceArn in S3 Policy matches the CloudFront Dist ID. |
| 404 Not Found | Incorrect path or file name | Ensure the S3 object key matches the URL path (case sensitive). |
| Stale Content | CloudFront cache hasn't expired | Create an Invalidation for path /* to clear the edge cache. |
Clean-Up / Teardown
[!WARNING] CloudFront distributions can take up to 15 minutes to delete. You must disable them first.
- CloudFront: Select your distribution, click Disable, then wait for the status to reflect "Disabled" before clicking Delete.
- S3: Empty the bucket
brainybee-lab-content-<ID>and then delete it. - OAC: Navigate to CloudFront > Origin access > Select your OAC and delete it.
Stretch Challenge
Implement a Custom Error Page: Upload an error.html to S3. In CloudFront, configure a Custom Error Response so that any 403 error from S3 (e.g., when a user tries to access a non-existent file) returns the error.html page with a 200 OK status. This is a common requirement for Single Page Applications (SPAs).