Skip to content
New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Support CloudFront OAC #392

Merged
merged 3 commits into from
Apr 19, 2024
Merged

Support CloudFront OAC #392

merged 3 commits into from
Apr 19, 2024

Conversation

fujiwara
Copy link
Owner

@fujiwara fujiwara commented Apr 12, 2024

CloudFront OAC requires SourceArn support.

https://aws.amazon.com/jp/about-aws/whats-new/2024/04/amazon-cloudfront-oac-lambda-function-url-origins/

Starting today, customers can protect their AWS Lambda URL origins by using CloudFront Origin Access Control (OAC) to only allow access from designated CloudFront distributions.

CloudFront origin access control (OAC) support

CloudFront provides origin access control (OAC) for restricting access to a Lambda function URL origin.

When you want to restrict access to a Lambda function URL origin by CloudFront, you can specify Principal as cloudfront.amazonaws.com and SourceArn as the ARN of the CloudFront distribution.

See also Restricting access to an AWS Lambda function URL origin.

{
  "Config": {
    "AuthType": "AWS_IAM",
  },
  "Permissions": [
    {
      "Principal": "cloudfront.amazonaws.com",
      "SourceArn": "arn:aws:cloudfront::123456789012:distribution/EXXXXXXXX"
    }
  ]
}

If you need to allow access from any CloudFront distributions in your account, you can specify SourceArn as arn:aws:cloudfront::123456789012:distribution/*.

CloudFront OAC requires SourceArn support.
`SourceArn` as `*` is not recommended.
@fujiwara fujiwara merged commit 2d552f1 into v1 Apr 19, 2024
4 checks passed
@fujiwara fujiwara deleted the feature/cloudfront-oac branch April 19, 2024 08:48
# for free to join this conversation on GitHub. Already have an account? # to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

1 participant