Securing the application

You will need to secure both your application and the origin, because an attacker who learns the origin's address can bypass CloudFront and reach it directly. In this section, we briefly discuss the access control features you can use to restrict access to the origin.

Amazon S3 uses an Origin Access Identity (OAI) to prevent direct access to your Amazon S3 bucket while preserving the performance benefits for all customers. It works by using a pre-shared secret header and limiting access by whitelisting CloudFront only, so only CloudFront can access the Amazon S3 buckets. However, your origin may not be an S3 bucket, so you also need a way to protect a custom origin. In this case, we whitelist the CloudFront IP range and use a pre-shared secret origin header. You can also configure SNS notifications for any changes made to the IP ranges, so that the whitelist can be refreshed when AWS publishes new ranges.
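The custom-origin protection described above, as an added example that is not part of the book's sample application: an origin-side filter that accepts a request only when its source address falls within a CloudFront prefix from ip-ranges.json and it carries the pre-shared secret origin header. The JSON excerpt, the header name `X-Origin-Verify` and the secret value are constructed for the example.

```python
import hmac
import ipaddress
import json

# Constructed excerpt in the shape of AWS's ip-ranges.json; the CIDRs are
# documentation ranges, not the live CloudFront prefixes. In production the
# file is re-fetched when the AmazonIpSpaceChanged SNS topic fires.
IP_RANGES_JSON = """
{"prefixes": [
  {"ip_prefix": "203.0.113.0/24",  "region": "GLOBAL",    "service": "CLOUDFRONT"},
  {"ip_prefix": "198.51.100.0/24", "region": "GLOBAL",    "service": "CLOUDFRONT"},
  {"ip_prefix": "192.0.2.0/24",    "region": "us-east-1", "service": "EC2"}
]}
"""

# Hypothetical header name and value. The same value is configured on the
# CloudFront distribution as a custom origin header and stored at the origin.
SECRET_HEADER = "x-origin-verify"
SECRET_VALUE = "example-pre-shared-secret"


def cloudfront_networks(ip_ranges_json: str) -> list:
    """Extract only the CLOUDFRONT prefixes from an ip-ranges.json document."""
    data = json.loads(ip_ranges_json)
    return [ipaddress.ip_network(p["ip_prefix"])
            for p in data["prefixes"] if p["service"] == "CLOUDFRONT"]


def is_trusted_request(source_ip: str, headers: dict, networks: list,
                       secret: str = SECRET_VALUE) -> bool:
    """Allow a request only if it comes from a CloudFront address AND presents
    the pre-shared secret; either check alone is not enough."""
    addr = ipaddress.ip_address(source_ip)
    if not any(addr in net for net in networks):
        return False
    # Header names are case-insensitive; compare the value in constant time
    # so a wrong secret cannot be distinguished by timing.
    lowered = {k.lower(): v for k, v in headers.items()}
    presented = lowered.get(SECRET_HEADER, "")
    return hmac.compare_digest(presented.encode(), secret.encode())


if __name__ == "__main__":
    nets = cloudfront_networks(IP_RANGES_JSON)
    print(is_trusted_request("203.0.113.10",
                             {"X-Origin-Verify": SECRET_VALUE}, nets))
```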

More details on IAM including specific commands for our sample application are presented in a later section of this chapter.
