CloudFront Origin Access Control (OAC): What It Is and When to Use It
Definition
Amazon CloudFront Origin Access Control (OAC) is a security feature that restricts access to your Amazon S3 bucket origins, ensuring that content is served only through the CloudFront distributions you specify and never directly from the bucket's own URL. (OAC also works with a few other AWS-managed origins, such as Lambda function URLs and AWS Elemental MediaStore/MediaPackage v2, but S3 is by far the most common case and the focus of this page.) It enhances security by having CloudFront sign origin requests as the `cloudfront.amazonaws.com` AWS Identity and Access Management (IAM) service principal, which means short-term credentials, automatic credential rotation, and a distribution-scoped condition in the bucket policy that protects against the "confused deputy" problem.
How It Works
OAC replaces the legacy Origin Access Identity (OAI) method with a more robust and flexible mechanism based on modern AWS security best practices.
Here's the typical request flow and architecture:
- Configuration: You create an OAC in the CloudFront console (or via the API/CLI), choose its signing behavior (sign all origin requests, which is the recommended setting; never sign; or sign only when the viewer did not send an `Authorization` header), and associate it with an S3 origin in your distribution. CloudFront provides a corresponding S3 bucket policy that you must apply to your origin bucket.
- IAM Service Principal: The OAC acts as the CloudFront service principal (`cloudfront.amazonaws.com`). The S3 bucket policy grants this principal `s3:GetObject` permission (and other permissions like `s3:PutObject` if your cache behavior allows uploads).
- Request Signing: When a viewer requests content, the request hits a CloudFront edge location. If the content isn't cached, CloudFront forwards the request to the S3 origin and signs it using AWS Signature Version 4 (SigV4) with the service principal's short-lived credentials.
- Authorization at Origin: Amazon S3 receives the signed request, verifies the signature, and evaluates the bucket policy: the caller must be the CloudFront service principal and the request must originate from your specific distribution ARN, enforced by the `AWS:SourceArn` condition. If the authorization succeeds, S3 returns the object to CloudFront, which then serves it to the viewer.
This architecture ensures that even if someone discovers your S3 bucket's name, they cannot access its content directly: all requests must be proxied and signed by the authorized CloudFront distribution. Note that OAC only adds a grant; it does not remove existing ones. The guarantee holds only if the bucket keeps S3 Block Public Access enabled and its policy contains no other Allow statements (such as a leftover public-read or legacy OAI grant).
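The bucket-policy and key-policy shape described above, as an added example that is not part of the original page and not AWS's own tooling: it builds the OAC bucket policy, the matching SSE-KMS key-policy statement, and then audits a bucket policy for the three mistakes a reviewer looks for (legacy OAI principals, a CloudFront grant with no `AWS:SourceArn` pin, and public principals). The bucket name, account ID, and distribution IDs are constructed placeholders; nothing here calls AWS, so it runs offline.

```python
import json

# Constructed sample identifiers; none of these are real resources.
BUCKET = "example-private-assets"
DISTRIBUTION_ARNS = ["arn:aws:cloudfront::111122223333:distribution/E1EXAMPLE1"]
CLOUDFRONT_PRINCIPAL = {"Service": "cloudfront.amazonaws.com"}


def _as_list(value):
    """IAM allows most fields to be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _source_arn_condition(distribution_arns):
    """Pin the grant to specific distributions (the confused-deputy guard).
    A single ARN is emitted as a string, matching the console-generated policy."""
    arns = distribution_arns[0] if len(distribution_arns) == 1 else list(distribution_arns)
    return {"StringEquals": {"AWS:SourceArn": arns}}


def oac_bucket_policy(bucket, distribution_arns, allow_upload=False):
    """Bucket policy for an OAC-fronted bucket; PutObject only if uploads are wanted."""
    actions = ["s3:GetObject"]
    if allow_upload:
        actions.append("s3:PutObject")
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowCloudFrontServicePrincipal",
            "Effect": "Allow",
            "Principal": CLOUDFRONT_PRINCIPAL,
            "Action": actions,
            "Resource": f"arn:aws:s3:::{bucket}/*",
            "Condition": _source_arn_condition(distribution_arns),
        }],
    }


def kms_key_policy_statement(distribution_arns, allow_upload=False):
    """Statement to append to the SSE-KMS key policy; without it S3 cannot
    decrypt on CloudFront's behalf and the viewer sees a 403."""
    actions = ["kms:Decrypt"]
    if allow_upload:
        actions += ["kms:Encrypt", "kms:GenerateDataKey*"]
    return {
        "Sid": "AllowCloudFrontServicePrincipalSSE-KMS",
        "Effect": "Allow",
        "Principal": CLOUDFRONT_PRINCIPAL,
        "Action": actions,
        "Resource": "*",
        "Condition": _source_arn_condition(distribution_arns),
    }


def _is_oai_principal(principal):
    """Legacy OAI grants use a CanonicalUser or an 'Origin Access Identity' user ARN."""
    return "CanonicalUser" in principal or any(
        "Origin Access Identity" in arn for arn in _as_list(principal.get("AWS", []))
    )


def audit_bucket_policy(policy):
    """Return a list of human-readable findings; an empty list means clean."""
    findings = []
    for st in _as_list(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        sid = st.get("Sid", "<no Sid>")
        principal = st.get("Principal")
        if principal == "*" or principal == {"AWS": "*"}:
            findings.append(f"{sid}: public principal allows direct bucket access")
            continue
        if not isinstance(principal, dict):
            continue
        if _is_oai_principal(principal):
            findings.append(f"{sid}: legacy OAI principal, migrate to OAC")
        if "cloudfront.amazonaws.com" in _as_list(principal.get("Service", [])):
            # Condition keys are case-insensitive in IAM, so compare lower-cased.
            keys = {k.lower() for block in st.get("Condition", {}).values()
                    if isinstance(block, dict) for k in block}
            if "aws:sourcearn" not in keys:
                findings.append(f"{sid}: cloudfront.amazonaws.com granted without "
                                "AWS:SourceArn (confused deputy risk)")
    return findings


# Constructed "bad" policy: CloudFront from any account, plus a leftover OAI grant.
UNPINNED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AnyDistribution", "Effect": "Allow", "Principal": CLOUDFRONT_PRINCIPAL,
         "Action": "s3:GetObject", "Resource": f"arn:aws:s3:::{BUCKET}/*"},
        {"Sid": "OldOAI", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity E2EXAMPLE2"},
         "Action": "s3:GetObject", "Resource": f"arn:aws:s3:::{BUCKET}/*"},
    ],
}

if __name__ == "__main__":
    good = oac_bucket_policy(BUCKET, DISTRIBUTION_ARNS)
    print(json.dumps(good, indent=2))
    print("audit(good):", audit_bucket_policy(good))
    print("audit(bad): ", audit_bucket_policy(UNPINNED_POLICY))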
Key Features and Limits
- Enhanced Security: OAC uses temporary credentials that are frequently rotated, providing a stronger security posture than the static credentials used by the legacy OAI system.
- Support for SSE-KMS: OAC natively supports accessing S3 objects encrypted with server-side encryption using AWS Key Management Service (SSE-KMS), which was a significant limitation of OAI. You must add a statement to the key's policy that grants the CloudFront service principal `kms:Decrypt` (plus `kms:Encrypt` and `kms:GenerateDataKey*` if CloudFront will also write objects), ideally pinned to your distribution with the same `AWS:SourceArn` condition used in the bucket policy. Without that key-policy statement, S3 cannot decrypt on CloudFront's behalf and viewers receive 403 errors.
- Full HTTP Methods Support: OAC supports all HTTP methods, including dynamic requests like `PUT`, `POST`, and `DELETE`, allowing you to build applications that upload content through CloudFront to a private S3 bucket.
- Global Region Support: OAC works with S3 buckets in all AWS Regions, including new Regions launched after December 2022, whereas OAI is not supported in these newer Regions.
- Granular Policy Control: By leveraging IAM principles, OAC allows for more detailed and resource-specific policies, offering better protection against confused deputy vulnerabilities.
- Service Quotas: By default, you can create up to 100 Origin Access Controls per AWS account. This is a soft limit that can be increased upon request.
Common Use Cases
- Serving Private Media and Documents: Securely deliver private content like video-on-demand (VOD) assets, confidential corporate documents, or paid software downloads. OAC ensures users can only access these files through CloudFront, allowing you to layer on other controls like signed URLs or signed cookies.
- Securing Web Assets: For a static website hosted on S3, OAC is the recommended best practice to lock down the origin bucket. This forces all traffic through CloudFront, where you can apply AWS WAF (Web Application Firewall) rules, perform TLS termination, and benefit from edge caching. Note that the origin must be the bucket's S3 REST endpoint, not the S3 static website hosting endpoint (which is treated as a custom origin and cannot accept OAC-signed requests), so website-endpoint conveniences such as subdirectory index documents must be handled in CloudFront instead.
- Handling Encrypted Data: When your S3 bucket contains data encrypted with customer-managed KMS keys (SSE-KMS) for compliance or security reasons, OAC is the only native way for CloudFront to access this content securely.
- Enabling Secure Content Uploads: For web applications that allow users to upload files, you can configure a CloudFront behavior to accept `PUT` or `POST` requests and use OAC to securely write those objects to the destination S3 bucket without exposing the bucket publicly.
Pricing Model
Origin Access Control (OAC) is a feature of Amazon CloudFront and is provided at no additional charge.
However, you will still incur standard charges for the related AWS services:
- Amazon CloudFront: You are billed for data transfer out to the internet and per-request fees.
- Amazon S3: You are billed for storage, data transfer from S3 to CloudFront, and requests made by CloudFront to your S3 origin.
AWS offers a free tier for both CloudFront and S3. For detailed pricing, consult the AWS Pricing Calculator.
Pros and Cons
Pros:
- Superior Security: Implements modern IAM best practices, including temporary, rotating credentials and SigV4 signing.
- Full Feature Support: Unlocks key features that were limitations in OAI, such as SSE-KMS support and full HTTP method compatibility.
- Future-Proof: Works in all current and future AWS Regions, making it the standard for new deployments.
- Easy Migration: AWS provides a straightforward migration path from the legacy OAI to OAC, often achievable with a few clicks in the console.
Cons:
- Limited Origin Types: OAC only works with AWS-managed origins that can verify SigV4 requests from the CloudFront service principal: S3 buckets (via the REST endpoint), Lambda function URLs, and AWS Elemental MediaStore/MediaPackage v2. It cannot be used to authenticate requests to custom origins such as EC2 instances, Application Load Balancers, or on-premises servers.
- Configuration Overhead: While more secure, it requires correctly configuring both the CloudFront distribution and the S3 bucket policy (and the KMS key policy for SSE-KMS buckets). Typical mistakes that produce access-denied errors are an `AWS:SourceArn` that does not match the distribution, a missing KMS key-policy grant, or pointing the origin at the S3 website endpoint instead of the bucket.
Comparison with Alternatives
OAC vs. Origin Access Identity (OAI)
OAC is the direct successor to OAI and is recommended by AWS for all use cases.
| Feature | CloudFront Origin Access Control (OAC) | CloudFront Origin Access Identity (OAI) (Legacy) |
| :--- | :--- | :--- |
| Security Model | IAM Service Principal with SigV4 | Special CloudFront user with static credentials |
| SSE-KMS Support | Yes (Native) | No (Requires complex workarounds like Lambda@Edge) |
| HTTP Methods | GET, HEAD, PUT, POST, PATCH, DELETE, OPTIONS | Primarily GET, HEAD. POST/PUT had limitations. |
| AWS Regions | All current and future Regions | Only Regions launched before December 2022 |
| Confused Deputy Protection | Stronger, via AWS:SourceArn condition | Weaker |
| Recommendation | Recommended for all new configurations | Legacy; migrate to OAC when possible |
OAC vs. Signed URLs/Cookies
OAC and Signed URLs/Cookies solve different problems and are often used together.
- OAC: Secures the connection between CloudFront and the S3 origin.
- Signed URLs/Cookies: Secures the connection between the end-user (viewer) and CloudFront. They are used to provide time-limited, private access to individual files for specific users.
Exam Relevance
CloudFront Origin Access Control is a key topic in several AWS certification exams, particularly those focused on architecture, security, and networking.
- AWS Certified Solutions Architect – Associate (SAA-C03): Candidates are expected to know how to secure an S3 origin for a CloudFront distribution and understand the benefits of OAC over OAI.
- AWS Certified Security – Specialty (SCS-C03): This exam requires a deeper understanding of the security mechanisms. Questions may focus on the benefits of SigV4, protection against the confused deputy problem, and the correct IAM and KMS policies needed to grant access for SSE-KMS encrypted objects.
- AWS Certified Advanced Networking – Specialty (ANS-C01): While focused on networking, this exam covers content delivery and security at the edge, making OAC a relevant topic.
For all exams, you should know that OAC is the modern, recommended best practice for restricting S3 origin access.
Frequently Asked Questions
Q: What is the main difference between CloudFront OAC and OAI?
A: The primary difference is the security model. OAC uses a modern IAM service principal with temporary, SigV4-signed credentials, while the legacy OAI uses a special CloudFront user with long-lived credentials. This change allows OAC to support critical features that OAI cannot, such as accessing S3 objects encrypted with SSE-KMS, using all HTTP methods (PUT, DELETE), and operating in all AWS Regions.
Q: Do I need to migrate my existing distributions from OAI to OAC?
A: While distributions using OAI will continue to function, AWS strongly recommends migrating to OAC to take advantage of its enhanced security and features. The migration process is well-documented and can be done with minimal to no downtime by temporarily updating the S3 bucket policy to allow access from both the old OAI and the new OAC during the transition.
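The two-step migration described in that answer, as an added example that is not part of the original page or of any AWS tool: step one produces a transition policy that keeps the existing OAI grant and adds the OAC grant, so the distribution can be switched from OAI to OAC without a window of denied requests; step two removes the OAI grant and refuses to do so if no OAC grant is present. The legacy policy, bucket name, and distribution ARN are constructed placeholders.

```python
import copy

# Constructed OAI-era bucket policy (the "before" state); identifiers are placeholders.
LEGACY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowLegacyOAI",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity E2EXAMPLE2"},
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-private-assets/*",
    }],
}
BUCKET = "example-private-assets"
DISTRIBUTION_ARN = "arn:aws:cloudfront::111122223333:distribution/E1EXAMPLE1"


def _as_list(value):
    """IAM allows Statement/Action/AWS fields to be a string, a dict or a list."""
    return value if isinstance(value, list) else [value]


def is_oai_statement(st):
    """True for the legacy grant forms: CanonicalUser or an OAI user ARN."""
    principal = st.get("Principal")
    if not isinstance(principal, dict):
        return False
    return "CanonicalUser" in principal or any(
        "Origin Access Identity" in arn for arn in _as_list(principal.get("AWS", []))
    )


def is_oac_statement(st):
    """True when the grant is to the CloudFront service principal (the OAC form)."""
    principal = st.get("Principal")
    return isinstance(principal, dict) and "cloudfront.amazonaws.com" in _as_list(
        principal.get("Service", [])
    )


def transition_policy(policy, bucket, distribution_arn):
    """Step 1: add the OAC grant alongside the OAI grant. Apply this, then
    switch the origin from OAI to OAC in the distribution. Idempotent."""
    new = copy.deepcopy(policy)
    statements = _as_list(new.get("Statement", []))
    if not any(is_oac_statement(s) for s in statements):
        statements.append({
            "Sid": "AllowCloudFrontServicePrincipal",
            "Effect": "Allow",
            "Principal": {"Service": "cloudfront.amazonaws.com"},
            "Action": "s3:GetObject",
            "Resource": f"arn:aws:s3:::{bucket}/*",
            "Condition": {"StringEquals": {"AWS:SourceArn": distribution_arn}},
        })
    new["Statement"] = statements
    return new


def final_policy(policy):
    """Step 2: once the distribution serves through OAC, drop the OAI grant.
    Refuses when no OAC grant exists, since that would cut CloudFront off."""
    new = copy.deepcopy(policy)
    statements = [s for s in _as_list(new.get("Statement", [])) if not is_oai_statement(s)]
    if not any(is_oac_statement(s) for s in statements):
        raise ValueError("no OAC grant present; removing the OAI grant would break CloudFront access")
    new["Statement"] = statements
    return new


if __name__ == "__main__":
    step1 = transition_policy(LEGACY_POLICY, BUCKET, DISTRIBUTION_ARN)
    print("transition statements:", [s["Sid"] for s in step1["Statement"]])
    step2 = final_policy(step1)
    print("final statements:     ", [s["Sid"] for s in step2["Statement"]])
```

Run the audit from the earlier example (or any policy review) between the two steps: the OAI statement must still be present until CloudFront reports the origin as using OAC, and the final policy should contain only the service-principal grant.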
Q: Can I use OAC with origins other than Amazon S3?
A: Only with a few other AWS-managed origins that can verify SigV4-signed requests from the CloudFront service principal: Lambda function URLs and AWS Elemental MediaStore and MediaPackage v2 origins. OAC does not work with custom origins such as Application Load Balancers, EC2 instances, or on-premises servers. For those you must restrict access by other means, such as adding a secret custom origin header in CloudFront and validating it at the origin (for example in an ALB listener rule), or allowing only the CloudFront origin-facing managed prefix list in the origin's security group.
This article reflects AWS features and pricing as of 2026. AWS services evolve rapidly — always verify against the official AWS documentation before making production decisions.