We are trying to make our web app the most cost effective and secure we can. For that reason we are using Cloudflare instead of CloudFront as a CDN for our frontend resources. We put CloudFront between Cloudflare and S3 to be able to use Full SSL (strict). This is required because we have a subdomain for API Gateway, which needs SSL to avoid infinite loops generated when using Cloudflare Flexibe SSL

The problem is that AWS documentation on connecting S3 with CloudFront for Website hosting instructs on allowing public access to the bucket contents (1), while Cloudflare recommends restricting access to Cloudflare Servers IPs to disallow public requests to the website buckets (2, 3)

Specifically, we want to be able to use Cloudflare free DDoS protection effectively. Such that we avoid potentially high costs related to receiving DDoS attacks directly into our AWS deployed resources, and the need of using other non free services as AWS WAF

So my question is, given an architecture using Cloudflare, CloudFront and S3 website bucket with public access bucket policy, is there a DDoS vulnerability, specifically with respect to CloudFront and S3 not being properly protected by Cloudflare?

2 Answers2


If you're concerned with massive data transfer costs on CloudFront, you would still be vulnerable as CloudFlare can just be circumvented. You'd need to pay for AWS WAF for protecting your CloudFront distribution.

As an alternative, you can ditch CloudFront altogether and serve content from your S3 bucket allowlisting only Cloudflare IPs for s3:getObject, and still have Flexible SSL just for your assets subdomain/path using custom Page Rules:

Edit: Still need to set up public access on your bucket, but access can be restricted by IP


Correct me if there's something that I havent' considered, but if you follow the steps laid out in the section "Using a REST API endpoint as the origin, with access restricted by an OAI" you can serve your static website whithout having to allow public access to the bucket (using Origin Access Identity). I've set up some react applications on S3 served by CloudFront in the past and that is how I did it.

  • As I have been researching, CloudFront OAI imposes an S3 REST endpoint instead of a Website S3 endpoint, which has severe limitations with respect to frontend routing rules the ones we do not feel comfortable taking over at our frontend developement https://sanderknape.com/2020/02/building-a-static-serverless-website-using-s3-cloudfront/ – Matias Haeussler Aug 07 '20 at 15:22