Both Origin Access Identity (OAI) and Origin Access Control (OAC) are mechanisms to enhance the security of CloudFront distributions by controlling access to the origin servers. However, they offer distinct approaches and features:
Origin Access Identity (OAI)
- IAM-based Authentication: OAI uses an Identity and Access Management (IAM) identity to grant CloudFront access to the origin.
- Per-Distribution Control: OAI grants access at the CloudFront distribution level, making it easy to manage access for multiple origins.
- Granular Permissions: OAI allows you to specify which IAM users or roles have permission to access the origin.
- No Additional Configuration on Origin: OAI does not require any additional configuration on the origin server.
- Higher Security: OAI provides a higher level of security because the IAM identity must be explicitly granted access to the origin.
Origin Access Control (OAC)
- SigV4-based Authentication: OAC works by having CloudFront sign requests using AWS Signature Version 4 before forwarding them to the origin.
- IAM Integration: The origin’s resource policy (e.g. an S3 bucket policy) grants access to the CloudFront service principal, removing the need for a separate IAM identity.
- Broader Origin Support: OAC supports a broader range of AWS origins beyond S3, including Lambda function URLs.
- No Separate IAM Entity: Unlike OAI, OAC does not require creating and managing a dedicated IAM identity for CloudFront.
- AWS Recommended: AWS deprecated OAI in favour of OAC. OAC is the current recommended approach for securing CloudFront origins.
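The two bullets above describe the mechanism: CloudFront signs the origin request with SigV4, and the origin's own resource policy decides whether the `cloudfront.amazonaws.com` service principal may read. The script below is an added example, not code from the original article or from AWS. It builds the read-only S3 bucket policy for an OAC origin in the shape AWS documents (service principal plus an `AWS:SourceArn` condition pinning the grant to one distribution) and then audits an arbitrary bucket policy, distinguishing OAC grants, OAC grants that lack the `SourceArn` scoping, and legacy OAI grants of the form `arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity <ID>`, which is useful when inventorying buckets still awaiting migration. Bucket names, account IDs and distribution IDs are constructed; the canonical-user form of an OAI grant is not detected.

```python
"""Build and audit S3 bucket policies for CloudFront origin access (added example).

Assumes the policy shapes documented by AWS: OAC grants the CloudFront service
principal, conditioned on the distribution ARN; legacy OAI grants an IAM-style
principal under arn:aws:iam::cloudfront:user/. All identifiers are constructed.
"""
import json

CLOUDFRONT_SERVICE = "cloudfront.amazonaws.com"
OAI_PRINCIPAL_PREFIX = "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity "


def oac_bucket_policy(bucket: str, distribution_arn: str) -> dict:
    """Read-only bucket policy for an OAC-protected origin.

    CloudFront signs origin requests with SigV4 as its service principal, so the
    bucket grants that principal and pins the grant to one distribution with
    AWS:SourceArn; without that condition the statement would apply to every
    CloudFront distribution, in any account.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowCloudFrontServicePrincipalReadOnly",
                "Effect": "Allow",
                "Principal": {"Service": CLOUDFRONT_SERVICE},
                "Action": "s3:GetObject",
                "Resource": f"arn:aws:s3:::{bucket}/*",
                "Condition": {"StringEquals": {"AWS:SourceArn": distribution_arn}},
            }
        ],
    }


def _as_list(value):
    """IAM policy fields may be a single value or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _has_source_arn_condition(stmt: dict) -> bool:
    """True if any condition operator carries aws:SourceArn (keys are case-insensitive)."""
    for keys in stmt.get("Condition", {}).values():
        if any(key.lower() == "aws:sourcearn" for key in keys):
            return True
    return False


def classify_statement(stmt: dict) -> str:
    """Return 'oac', 'oac-unscoped', 'oai' or 'other' for one policy statement."""
    if stmt.get("Effect") != "Allow":
        return "other"
    principal = stmt.get("Principal")
    if not isinstance(principal, dict):
        return "other"  # "*" or a bare string: not a CloudFront grant
    if CLOUDFRONT_SERVICE in _as_list(principal.get("Service", [])):
        return "oac" if _has_source_arn_condition(stmt) else "oac-unscoped"
    if any(p.startswith(OAI_PRINCIPAL_PREFIX) for p in _as_list(principal.get("AWS", []))):
        return "oai"
    return "other"


def audit_bucket_policy(policy: dict) -> dict:
    """Count statement kinds; 'oac-unscoped' and lingering 'oai' are the ones to act on."""
    counts = {"oac": 0, "oac-unscoped": 0, "oai": 0, "other": 0}
    for stmt in _as_list(policy.get("Statement", [])):
        counts[classify_statement(stmt)] += 1
    return counts


# Constructed sample of a pre-migration bucket policy that still grants an OAI.
LEGACY_OAI_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "LegacyOAIRead",
            "Effect": "Allow",
            "Principal": {"AWS": OAI_PRINCIPAL_PREFIX + "E1EXAMPLEOAIID"},
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::example-static-site/*",
        }
    ],
}

if __name__ == "__main__":
    dist_arn = "arn:aws:cloudfront::111122223333:distribution/EDFDVBD6EXAMPLE"
    policy = oac_bucket_policy("example-static-site", dist_arn)
    print(json.dumps(policy, indent=2))
    print("new OAC policy:", audit_bucket_policy(policy))
    print("legacy policy: ", audit_bucket_policy(LEGACY_OAI_POLICY))
```

Run it as-is to print the generated policy and the two audit summaries; to audit a real bucket, feed the JSON returned by `get-bucket-policy` into `audit_bucket_policy` and treat any `oac-unscoped` count as a finding and any `oai` count as a migration item.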
Recommendations
- Use OAC for:
  - All new CloudFront distributions - it is the AWS recommended approach.
  - Origins other than S3, since OAC supports a broader range of AWS origins.
- Use OAI for:
  - Existing distributions where OAI is already in place and migration to OAC has not yet been completed.