Step 3: Create a CloudFront distribution that uses an Amazon S3 origin with OAC - Amazon CloudFront

For this tutorial, you will create a CloudFront distribution that uses an Amazon S3 origin with origin access control (OAC). OAC helps you securely send authenticated requests to your Amazon S3 origin. For more information about OAC, see Restricting access to an Amazon Simple Storage Service origin.

To create a CloudFront distribution with an Amazon S3 origin that uses OAC
  1. Open the CloudFront console at https://console.amazonaws.cn/cloudfront/v4/home.

  2. Choose Create distribution.

  3. For Origin, Origin domain, choose the S3 bucket that you created for this tutorial.

  4. For Origin, Origin access, select Origin access control settings (recommended).

  5. For Origin access control, choose Create new OAC.

  6. In the Create new OAC pane, keep the default settings and choose Create.

  7. For Web Application Firewall (WAF), select one of the options.

  8. For all other sections and settings, accept the default values. For more information about these options, see Distribution settings.

  9. Choose Create distribution.

  10. In the banner titled "The S3 bucket policy needs to be updated", read the message and choose Copy policy.

  11. In the same banner, choose the "Go to S3 bucket permissions to update policy" link. (This takes you to your bucket detail page in the Amazon S3 console.)

  12. For Bucket policy, choose Edit.

  13. In the Edit statement field, paste the policy that you copied in step 10.

  14. Choose Save changes.

  15. Return to the CloudFront console and review the Details section for your new distribution. When your distribution is done deploying, the Last modified field changes from Deploying to a date and time.

  16. Record the domain name that CloudFront assigns to your distribution. It looks similar to the following: d111111abcdef8.cloudfront.net.

Before using the distribution and S3 bucket from this tutorial in a production environment, make sure to configure them to meet your specific needs. For information about configuring access in a production environment, see Configuring secure access and restricting access to content.
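
The bucket policy pasted in steps 10 to 14 is what actually restricts the bucket to your distribution, so it is worth checking after you save it. The following is an added example, not part of the original tutorial or AWS's own code: it audits a bucket policy document offline, assuming the copied policy grants s3:GetObject to the cloudfront.amazonaws.com service principal with an AWS:SourceArn condition naming the distribution. The account ID, bucket name, and distribution ID are constructed placeholders, and `make_policy` and `audit_oac_policy` are hypothetical helper names.

```python
import json

# Constructed placeholder; substitute your own distribution's ARN.
DIST_ARN = "arn:aws:cloudfront::111122223333:distribution/EXAMPLEDISTID"

def make_policy(principal, action="s3:GetObject", condition=None):
    """Build a constructed single-statement bucket policy for the demo."""
    stmt = {"Sid": "Demo", "Effect": "Allow", "Principal": principal,
            "Action": action, "Resource": "arn:aws:s3:::amzn-s3-demo-bucket/*"}
    if condition:
        stmt["Condition"] = condition
    return json.dumps({"Version": "2012-10-17", "Statement": [stmt]})

def as_list(value):
    return value if isinstance(value, list) else [value]

def audit_oac_policy(policy_json, expected_dist_arn):
    """Return findings for Allow statements; an empty list means OAC-scoped."""
    findings = []
    for i, s in enumerate(as_list(json.loads(policy_json).get("Statement", []))):
        if s.get("Effect") != "Allow":
            continue
        sid = s.get("Sid", f"statement[{i}]")
        principal = s.get("Principal")
        if principal == "*" or (isinstance(principal, dict)
                                and "*" in as_list(principal.get("AWS", []))):
            findings.append(f"{sid}: public principal, bucket readable without CloudFront")
            continue
        if not (isinstance(principal, dict) and "cloudfront.amazonaws.com"
                in as_list(principal.get("Service", []))):
            continue  # non-CloudFront principals are outside this check
        # Only StringEquals is accepted; condition key names are case-insensitive.
        arns = [a for op, kv in s.get("Condition", {}).items()
                if op == "StringEquals"
                for k, v in kv.items() if k.lower() == "aws:sourcearn"
                for a in as_list(v)]
        if not arns:
            findings.append(f"{sid}: no exact-match AWS:SourceArn, any distribution may read")
        elif set(arns) != {expected_dist_arn}:
            findings.append(f"{sid}: AWS:SourceArn allows an unexpected distribution")
        if any(a.lower() != "s3:getobject" for a in as_list(s.get("Action", []))):
            findings.append(f"{sid}: grants more than s3:GetObject")
    return findings

CF = {"Service": "cloudfront.amazonaws.com"}
GOOD = make_policy(CF, condition={"StringEquals": {"AWS:SourceArn": DIST_ARN}})
UNSCOPED = make_policy(CF)   # service principal with no distribution scoping
PUBLIC = make_policy("*")    # bucket readable directly, bypassing CloudFront

if __name__ == "__main__":
    for name, pol in (("good", GOOD), ("unscoped", UNSCOPED), ("public", PUBLIC)):
        print(name, audit_oac_policy(pol, DIST_ARN) or "ok")
```

To audit a real bucket, pass the policy JSON shown under Bucket policy in the Amazon S3 console together with the ARN of the distribution you created.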