AWS S3 with CloudFront, high-performance security

Services

Amazon CloudFront is a content delivery network (CDN) service built for high performance, security, and developer convenience. It can be used as the frontend of many kinds of origin: S3 buckets, ELBs, media distribution, and any other HTTP server running on an EC2 instance or any other kind of host.

CloudFront also uses edge locations to cache copies of the content it serves, so the content sits closer to users and can be delivered to them faster. Edge locations are AWS data centers designed to deliver services with the lowest possible latency. Amazon has dozens of them spread across the world. They are closer to users than Regions or Availability Zones, often in major cities, so responses are fast and snappy.

Here we will use CloudFront to deliver content from edge locations out of S3 buckets, which can host a static website or, as in this case, act as file server storage.

Resources

First, we build the Terraform infrastructure, which contains the following resources:

  • AWS CloudFront distribution as the frontend
  • AWS S3 bucket for storage
  • AWS Route 53 zone for DNS records
  • SSL/TLS certificate
  • IAM user/group: credentials for users
  • IAM policies: access to and management of the bucket

After applying this plan we can see the resources below in the AWS Console:

Cloudfront Distribution

AWS S3 Bucket

Note: Keep the bucket private (enable S3 Block Public Access and do not attach any public ACL or bucket policy) and grant read access only through CloudFront.

CloudFront OAI

We need to configure an Origin Access Identity (OAI) because we want CloudFront to read from a private S3 bucket. The OAI is a special CloudFront principal: the bucket policy grants it s3:GetObject, and the distribution's S3 origin config references it, so requests that bypass the CDN and hit the bucket directly are denied.

Finally, the OAI has to be attached on both sides: the bucket policy names the OAI as principal, and the distribution's S3 origin config points at the same OAI.

Note: AWS now recommends Origin Access Control (OAC) over OAI for new distributions. OAI still works and is what this post uses, but it is the legacy mechanism.
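The resources described so far (private bucket, OAI, bucket policy and distribution), written out as an added Terraform example. This is not the original post's code; the hostname `files.example.com`, the region, and the `acm_certificate_arn` variable are placeholders you would replace with your own values.

```hcl
# Added example (not the original post's Terraform): a private S3 bucket whose
# objects are readable only through a CloudFront distribution, via an Origin
# Access Identity (OAI). Hostname and region are placeholders.

provider "aws" {
  region = "us-east-1" # placeholder region for the bucket
}

variable "domain_name" {
  default = "files.example.com" # placeholder alias for the distribution
}

variable "acm_certificate_arn" {
  description = "ACM certificate in us-east-1 covering domain_name (placeholder)"
}

resource "aws_s3_bucket" "files" {
  bucket = var.domain_name
}

# Block every form of public access at the bucket level, so a mistaken ACL or
# policy cannot expose objects.
resource "aws_s3_bucket_public_access_block" "files" {
  bucket                  = aws_s3_bucket.files.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

# The OAI is the CloudFront-side principal that the bucket policy will trust.
resource "aws_cloudfront_origin_access_identity" "files" {
  comment = "OAI for ${var.domain_name}"
}

# Bucket policy: only the OAI may read objects. No s3:ListBucket is granted,
# so requests for a prefix through CloudFront return 403 instead of a listing.
data "aws_iam_policy_document" "oai_read" {
  statement {
    sid       = "AllowCloudFrontOAIRead"
    actions   = ["s3:GetObject"]
    resources = ["${aws_s3_bucket.files.arn}/*"]
    principals {
      type        = "AWS"
      identifiers = [aws_cloudfront_origin_access_identity.files.iam_arn]
    }
  }
}

resource "aws_s3_bucket_policy" "files" {
  bucket     = aws_s3_bucket.files.id
  policy     = data.aws_iam_policy_document.oai_read.json
  depends_on = [aws_s3_bucket_public_access_block.files]
}

# AWS-managed cache policy, looked up by name instead of hard-coding its ID.
data "aws_cloudfront_cache_policy" "optimized" {
  name = "Managed-CachingOptimized"
}

# The distribution: S3 origin bound to the OAI, HTTPS enforced, TLS 1.2+.
resource "aws_cloudfront_distribution" "files" {
  enabled = true
  aliases = [var.domain_name]

  origin {
    domain_name = aws_s3_bucket.files.bucket_regional_domain_name
    origin_id   = "s3-files"
    s3_origin_config {
      origin_access_identity = aws_cloudfront_origin_access_identity.files.cloudfront_access_identity_path
    }
  }

  default_cache_behavior {
    target_origin_id       = "s3-files"
    viewer_protocol_policy = "redirect-to-https"
    allowed_methods        = ["GET", "HEAD"]
    cached_methods         = ["GET", "HEAD"]
    compress               = true
    cache_policy_id        = data.aws_cloudfront_cache_policy.optimized.id
  }

  restrictions {
    geo_restriction {
      restriction_type = "none"
    }
  }

  viewer_certificate {
    acm_certificate_arn      = var.acm_certificate_arn
    ssl_support_method       = "sni-only"
    minimum_protocol_version = "TLSv1.2_2021"
  }
}

output "distribution_domain_name" {
  value = aws_cloudfront_distribution.files.domain_name
}
```

Two checks worth running after `terraform apply`: fetching an object via the bucket's own URL (`https://<bucket>.s3.amazonaws.com/<key>`) must return 403, while the same key via the distribution's domain name returns 200; and `aws s3api get-public-access-block --bucket <bucket>` should show all four settings as true. The allowed methods are deliberately limited to GET and HEAD: the OAI only has read rights, so uploads are not expected to pass through the CDN.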

Route 53

In this case we assume the Route 53 hosted zone already exists, so we use a Terraform data source to look it up instead of creating it.

SSL Certificate

If you do not already have an SSL/TLS certificate for this hostname, or a wildcard certificate for the whole domain, you can issue and deploy a free one in ACM. Note that a certificate used by CloudFront must be issued in the us-east-1 (N. Virginia) region, regardless of which region the bucket lives in:

AWS Certificate Manager — Amazon Web Services (AWS)
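The Route 53 lookup and the ACM certificate from the two sections above, as an added Terraform example (not the original post's code). It assumes an existing public hosted zone `example.com` and the hostname `files.example.com`, both placeholders, and takes the distribution's domain name and hosted zone ID as input variables so that it can be planned on its own; in a single configuration you would reference the `aws_cloudfront_distribution` resource directly.

```hcl
# Added example (not the original post's code): DNS-validated ACM certificate
# for the CloudFront alias plus the Route 53 records. Zone and hostname are
# placeholders.

provider "aws" {
  region = "us-east-1" # placeholder default region
}

# CloudFront only accepts certificates issued in us-east-1, whatever region
# the rest of the stack uses, so pin an aliased provider for ACM.
provider "aws" {
  alias  = "us_east_1"
  region = "us-east-1"
}

variable "zone_name" {
  default = "example.com" # placeholder: existing public hosted zone
}

variable "domain_name" {
  default = "files.example.com" # placeholder: alias of the distribution
}

# Outputs of the distribution (aws_cloudfront_distribution.<name>.domain_name
# and .hosted_zone_id), passed in here so this file stands on its own.
variable "distribution_domain_name" {}
variable "distribution_hosted_zone_id" {}

# Existing hosted zone, looked up rather than created.
data "aws_route53_zone" "main" {
  name         = var.zone_name
  private_zone = false
}

resource "aws_acm_certificate" "cdn" {
  provider          = aws.us_east_1
  domain_name       = var.domain_name
  validation_method = "DNS"

  # Issue the replacement before destroying the old one on renewal/changes.
  lifecycle {
    create_before_destroy = true
  }
}

# One CNAME per validation option proves control of the name to ACM.
resource "aws_route53_record" "cdn_validation" {
  for_each = {
    for dvo in aws_acm_certificate.cdn.domain_validation_options :
    dvo.domain_name => {
      name   = dvo.resource_record_name
      type   = dvo.resource_record_type
      record = dvo.resource_record_value
    }
  }

  zone_id         = data.aws_route53_zone.main.zone_id
  name            = each.value.name
  type            = each.value.type
  ttl             = 60
  records         = [each.value.record]
  allow_overwrite = true
}

# Blocks until ACM has issued the certificate. Reference certificate_arn from
# this resource (not from aws_acm_certificate) in the distribution's
# viewer_certificate, so the distribution never sees an unissued certificate.
resource "aws_acm_certificate_validation" "cdn" {
  provider                = aws.us_east_1
  certificate_arn         = aws_acm_certificate.cdn.arn
  validation_record_fqdns = [for r in aws_route53_record.cdn_validation : r.fqdn]
}

# Alias record pointing the hostname at the distribution.
resource "aws_route53_record" "cdn_alias" {
  zone_id = data.aws_route53_zone.main.zone_id
  name    = var.domain_name
  type    = "A"

  alias {
    name                   = var.distribution_domain_name
    zone_id                = var.distribution_hosted_zone_id
    evaluate_target_health = false
  }
}

output "acm_certificate_arn" {
  value = aws_acm_certificate_validation.cdn.certificate_arn
}
```

For a wildcard covering the whole domain, set `domain_name = "*.example.com"` and add the apex in `subject_alternative_names`; the validation records loop already handles several names. If your bucket is in a region other than us-east-1, only the ACM resources need the aliased provider; the Route 53 resources are global and use the default one.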

IAM

We need to create a group with a policy that allows listing and accessing the bucket, then add users to that group.

Policies:
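The IAM group, policy and user membership described above, as an added Terraform example (not the original post's code). It assumes the bucket name `files.example.com` and a user named `alice`, both placeholders, and goes slightly beyond the text by adding an explicit deny so that members cannot loosen the bucket's access controls.

```hcl
# Added example (not the original post's code): an IAM group whose members can
# list and manage objects in the storage bucket, and nothing else. Bucket name
# and user names are placeholders.

provider "aws" {
  region = "us-east-1" # placeholder
}

variable "bucket_name" {
  default = "files.example.com" # placeholder
}

variable "user_names" {
  default = ["alice"] # placeholder
}

# Least privilege: bucket-level actions on the bucket ARN, object-level actions
# on the objects, and ListAllMyBuckets so desktop clients can enumerate bucket
# names at connect time (names only, not contents).
data "aws_iam_policy_document" "s3_files_access" {
  statement {
    sid       = "ListBucketNames"
    actions   = ["s3:ListAllMyBuckets", "s3:GetBucketLocation"]
    resources = ["arn:aws:s3:::*"]
  }

  statement {
    sid       = "ListThisBucket"
    actions   = ["s3:ListBucket"]
    resources = ["arn:aws:s3:::${var.bucket_name}"]
  }

  statement {
    sid       = "ManageObjects"
    actions   = ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"]
    resources = ["arn:aws:s3:::${var.bucket_name}/*"]
  }

  # Explicit deny wins over any allow attached elsewhere: members of this
  # group can never make the bucket or its objects public.
  statement {
    sid    = "DenyAccessControlChanges"
    effect = "Deny"
    actions = [
      "s3:PutBucketPolicy",
      "s3:DeleteBucketPolicy",
      "s3:PutBucketAcl",
      "s3:PutObjectAcl",
      "s3:PutBucketPublicAccessBlock",
    ]
    resources = [
      "arn:aws:s3:::${var.bucket_name}",
      "arn:aws:s3:::${var.bucket_name}/*",
    ]
  }
}

resource "aws_iam_policy" "s3_files_access" {
  name   = "s3-files-access"
  policy = data.aws_iam_policy_document.s3_files_access.json
}

resource "aws_iam_group" "s3_files_users" {
  name = "s3-files-users"
}

resource "aws_iam_group_policy_attachment" "s3_files_users" {
  group      = aws_iam_group.s3_files_users.name
  policy_arn = aws_iam_policy.s3_files_access.arn
}

resource "aws_iam_user" "files" {
  for_each = toset(var.user_names)
  name     = each.key
}

resource "aws_iam_user_group_membership" "files" {
  for_each = aws_iam_user.files
  user     = each.value.name
  groups   = [aws_iam_group.s3_files_users.name]
}

# Access keys for the desktop client. Terraform keeps the secret in state, so
# the state backend must be encrypted and access-controlled; rotate the keys,
# or create them out of band and hand them over through a secrets channel.
resource "aws_iam_access_key" "files" {
  for_each = aws_iam_user.files
  user     = each.value.name
}

output "access_key_ids" {
  value = { for u, k in aws_iam_access_key.files : u => k.id }
}
```

A quick check after applying: `aws iam simulate-principal-policy --policy-source-arn <user arn> --action-names s3:PutBucketPolicy --resource-arns arn:aws:s3:::<bucket>` should report `implicitDeny` or `explicitDeny`, while `s3:PutObject` on `arn:aws:s3:::<bucket>/*` is `allowed`.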

Desktop GUI — S3 Access

We now have a CloudFront distribution that serves downloads from the bucket, but users also need to upload and manage files, and we do not want them logging into the AWS console and browsing S3 by hand; that is not good practice.

Instead we use the Cyberduck client, a desktop application that connects to any Amazon S3 region and supports large (multipart) file uploads.

If your bucket is in a standard AWS commercial region, select the built-in Amazon S3 connection profile:

Note: If you use another AWS partition (such as GovCloud or China), download the matching connection profile from the official Cyberduck website.

Finally, we connect with the user's access key ID and secret access key, browse to the bucket, and upload or download files from it. Keep in mind that Cyberduck talks to the S3 API directly with those IAM credentials, not through CloudFront, so the IAM policy attached to the group is what limits what each user can do; the OAI only governs what the CDN itself may read.

References

If you are interested in learning more about our TeraTips or our blog’s content, we invite you to see all the content entries that we have created for you and your needs.

Teracloud is an AWS Advanced Consulting Partner specialized in Cloud Computing (AWS, Azure, GCP) best practices. We help SaaS of different industries around the world scale their business safely.

Contact our team at info@teracloud.io for an assessment. Let us handle migration, automation, deployment, performance, cost optimization and machine learning to make your business grow.

We make the cloud easy for you!
