Ensure that the origin access identity feature is enabled for all your AWS CloudFront CDN distributions that use an S3 bucket as an origin, in order to restrict any direct access to your objects through Amazon S3 URLs.
When your Amazon CloudFront CDN distributions use AWS S3 as an origin, the distributions' content should be kept private and delivered only via the CloudFront network, using an origin access identity to regulate access. With origin access identity enabled, your Amazon CloudFront distributions can be much more cost-effective if your users access your objects frequently, because the price for CloudFront data transfer is lower than the price for S3 data transfer. In addition, downloads are faster when only the CloudFront service is used to deliver your application objects instead of S3, because the objects are copied to all edge locations within the distribution in order to be stored closer to your users.
To determine if origin access identity is enabled for your CloudFront distributions configured with S3 as origin, perform the following:
To enable origin access identity for your CloudFront CDN distribution and restrict user access to the S3 bucket used as origin, perform the following:
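An offline sketch of the audit check and the bucket restriction described above, added here as an example and not taken from the page's own procedure. It assumes a distribution config shaped like the CloudFront GetDistributionConfig response and a bucket policy document; the function names, sample IDs and bucket names are constructed for illustration.

```python
import json

# Constructed samples (names and IDs are made up). CONFIG has the shape of the
# "DistributionConfig" object returned by CloudFront GetDistributionConfig.
CONFIG = {"Origins": {"Quantity": 3, "Items": [
    {"Id": "assets", "DomainName": "example-assets.s3.amazonaws.com",
     "S3OriginConfig": {"OriginAccessIdentity":
                        "origin-access-identity/cloudfront/EXAMPLEOAI1"}},
    {"Id": "media", "DomainName": "example-media.s3.amazonaws.com",
     "S3OriginConfig": {"OriginAccessIdentity": ""}},
    {"Id": "api", "DomainName": "api.example.com",
     "CustomOriginConfig": {"OriginProtocolPolicy": "https-only"}},
]}}
POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "CloudFrontRead", "Effect": "Allow", "Principal": {"AWS":
        "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity EXAMPLEOAI1"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-assets/*"},
    {"Sid": "LegacyPublicRead", "Effect": "Allow", "Principal": "*",
     "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::example-assets/*"},
]})


def s3_origins_without_oai(dist_config):
    """Ids of S3 origins whose OriginAccessIdentity is empty (OAI not enabled)."""
    missing = []
    for origin in dist_config.get("Origins", {}).get("Items") or []:
        s3 = origin.get("S3OriginConfig")
        if s3 is not None and not s3.get("OriginAccessIdentity"):
            missing.append(origin["Id"])  # custom origins are skipped: no OAI there
    return missing


def _as_list(value):
    return value if isinstance(value, list) else [value]


def public_read_statements(policy_json):
    """Sids of Allow statements that let any principal read objects directly.
    Condition blocks are not evaluated, so review flagged statements by hand."""
    flagged = []
    for i, st in enumerate(_as_list(json.loads(policy_json).get("Statement", []))):
        principal = st.get("Principal")
        aws = principal.get("AWS") if isinstance(principal, dict) else principal
        actions = [str(a).lower() for a in _as_list(st.get("Action", []))]
        reads = any(a in ("*", "s3:*", "s3:getobject") for a in actions)
        if st.get("Effect") == "Allow" and "*" in _as_list(aws) and reads:
            flagged.append(st.get("Sid", f"statement-{i}"))
    return flagged


if __name__ == "__main__":
    print("S3 origins without OAI:", s3_origins_without_oai(CONFIG))
    print("Public read statements:", public_read_statements(POLICY))
```

A bucket that still carries a public-read statement remains reachable through its S3 URL even when the distribution has an origin access identity attached, which is why the example checks both sides.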