Use Origin Access Control instead of Origin Access Identity

Origin Access Control is the newer, improved way to secure S3 origins when using CloudFront. Since it effectively replaces Origin Access Identity it makes sense to use it instead.
cisagov · Dec 29, 2023 · 0904ddd · 0904ddd
1 parent ad3435b
commit 0904ddd
Show file tree

Hide file tree

Showing 3 changed files with 40 additions and 15 deletions.
diff --git a/terraform_egress_pub/cloudfront.tf b/terraform_egress_pub/cloudfront.tf
@@ -69,18 +69,20 @@ module "security_header_lambda" {
   tags                   = { "Application" = "Egress Publish" }
 }
 
-resource "aws_cloudfront_origin_access_identity" "rules_s3_distribution" {
-  comment = var.distribution_oai_comment
+resource "aws_cloudfront_origin_access_control" "rules_s3_distribution" {
+  description = var.distribution_oac_description
+  name        = var.distribution_oac_name
+
+  origin_access_control_origin_type = "s3"
+  signing_behavior                  = "always"
+  signing_protocol                  = "sigv4"
 }
 
 resource "aws_cloudfront_distribution" "rules_s3_distribution" {
   origin {
-    domain_name = aws_s3_bucket.rules_bucket.bucket_regional_domain_name
-    origin_id   = local.s3_origin_id
-
-    s3_origin_config {
-      origin_access_identity = aws_cloudfront_origin_access_identity.rules_s3_distribution.cloudfront_access_identity_path
-    }
+    domain_name              = aws_s3_bucket.rules_bucket.bucket_regional_domain_name
+    origin_access_control_id = aws_cloudfront_origin_access_control.rules_s3_distribution.id
+    origin_id                = local.s3_origin_id
   }
 
   enabled             = true

diff --git a/terraform_egress_pub/s3.tf b/terraform_egress_pub/s3.tf
@@ -43,19 +43,36 @@ data "aws_iam_policy_document" "cloudfront_read_rules_bucket" {
     actions   = ["s3:GetObject"]
     resources = ["${aws_s3_bucket.rules_bucket.arn}/*"]
 
+    condition {
+      test     = "StringEquals"
+      variable = "AWS:SourceArn"
+
+      values = [
+        aws_cloudfront_distribution.rules_s3_distribution.arn
+      ]
+    }
     principals {
-      identifiers = [aws_cloudfront_origin_access_identity.rules_s3_distribution.iam_arn]
-      type        = "AWS"
+      identifiers = ["cloudfront.amazonaws.com"]
+      type        = "Service"
     }
   }
 
   statement {
     actions   = ["s3:ListBucket"]
     resources = [aws_s3_bucket.rules_bucket.arn]
 
+    condition {
+      test     = "StringEquals"
+      variable = "AWS:SourceArn"
+
+      values = [
+        aws_cloudfront_distribution.rules_s3_distribution.arn
+      ]
+    }
+
     principals {
-      identifiers = [aws_cloudfront_origin_access_identity.rules_s3_distribution.iam_arn]
-      type        = "AWS"
+      identifiers = ["cloudfront.amazonaws.com"]
+      type        = "Service"
     }
   }
 }

diff --git a/terraform_egress_pub/variables.tf b/terraform_egress_pub/variables.tf
@@ -28,9 +28,15 @@ variable "distribution_domain" {
   type        = string
 }
 
-variable "distribution_oai_comment" {
-  default     = "Allow CloudFront to reach the rules bucket."
-  description = "The comment to apply to the CloudFront Origin Access Identity."
+variable "distribution_oac_description" {
+  default     = "Allow CloudFront to read from the rules bucket."
+  description = "The description to apply to the CloudFront Origin Access Control."
+  type        = string
+}
+
+variable "distribution_oac_name" {
+  default     = "rules-s3-distribution"
+  description = "The name for the CloudFront Origin Access Control."
   type        = string
 }