Transfers from Amazon S3 can use an
Amazon CloudFront distribution as an
egress path.
Data transfers through CloudFront may benefit from lower AWS egress costs
compared to transferring directly from S3. See
CloudFront pricing and
S3 egress charges for details.
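Using CloudFront as the egress path does not expose your S3 objects to the
public. See
Does using CloudFront expose my objects to the public?
Overview
In order to transfer S3 data through CloudFront, you must follow these steps:
- Configure IAM permissions
- Configure access to your S3 bucket
- Create a CloudFront distribution for your S3 bucket
- Create a transfer job
Configure IAM permissions
Follow the instructions in
Agentless transfer permissions to grant the
required Google Cloud permissions.
Configure access to your S3 bucket
Follow the instructions in
Configure access to a source: Amazon S3
to configure access to your data in Amazon S3.
Create a CloudFront distribution for your S3 bucket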
1. In your AWS account, go to CloudFront.
2. Click Create a CloudFront distribution.
3. Under Origin domain select your S3 bucket.
4. Origin path must be left empty.
5. Accept the auto-filled Origin name or specify your own value.
6. In the Origin access section, select Public. This does not make your
   bucket public; instead it indicates to CloudFront that no access mechanism
   should be configured.
7. In the Cache key and origin requests section:
   1. For Cache policy select CachingDisabled. This prevents CloudFront
      from caching requests and serving them to unauthenticated viewers.
   2. For Origin request policy select AllViewerExceptHostHeader. This
      allows CloudFront to forward authentication headers to S3, so that
      Storage Transfer Service can access your bucket with your secure credentials.
8. In the Web Application Firewall (WAF) section, select Do not enable.
9. Optionally, choose a Price class. Storage Transfer Service selects worker pools
   based on the source bucket's region, so CloudFront pricing is incurred in
   that region. To obtain the lowest pricing, either ensure that your source
   bucket is in the US or Europe, or select Use only North America and Europe
   as the Price class in CloudFront.
10. Click Create CloudFront distribution.
    Once successfully created, the CloudFront distribution details page is
    displayed.
11. Note the Distribution domain name. For example:
    https://dy1h2n3l4ob56.cloudfront.net. If the details page doesn't include
    the https:// protocol in front of the distribution domain name, you'll need
    to add it yourself when creating the transfer job.
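To check an existing distribution against the settings chosen in the steps above, the following added example (not part of the original page or of any Google or AWS tooling) audits a DistributionConfig object such as the one returned by `aws cloudfront get-distribution-config`. The function name and the sample configurations are assumptions made for illustration; the two policy IDs are the AWS managed policy IDs for CachingDisabled and AllViewerExceptHostHeader and should be confirmed in your own account.

```python
import copy

# AWS managed policy IDs for the two policies named in the steps. Confirm with
# `aws cloudfront list-cache-policies --type managed` and
# `aws cloudfront list-origin-request-policies --type managed`.
CACHING_DISABLED = "4135ea2d-6df8-44a3-9df3-4b5a84be39ad"
ALL_VIEWER_EXCEPT_HOST = "b689b0a8-53d0-40ab-baf2-68738e2966ac"

def audit_distribution(cfg):
    """Return findings for a DistributionConfig dict; empty list means compliant."""
    findings = []
    for origin in cfg.get("Origins", {}).get("Items") or []:
        oid = origin.get("Id", "?")
        if origin.get("OriginPath"):
            findings.append(f"origin {oid}: Origin path is not empty")
        oai = origin.get("S3OriginConfig", {}).get("OriginAccessIdentity")
        if oai or origin.get("OriginAccessControlId"):
            findings.append(f"origin {oid}: an OAI/OAC is set, Origin access is not Public")
    # Every behavior must match, not only the default one: a single path pattern
    # with caching enabled can serve cached objects to unauthenticated viewers.
    behaviors = [("default", cfg.get("DefaultCacheBehavior", {}))]
    for b in cfg.get("CacheBehaviors", {}).get("Items") or []:
        behaviors.append((b.get("PathPattern", "?"), b))
    for name, b in behaviors:
        if b.get("CachePolicyId") != CACHING_DISABLED:
            findings.append(f"behavior {name}: cache policy is not CachingDisabled")
        if b.get("OriginRequestPolicyId") != ALL_VIEWER_EXCEPT_HOST:
            findings.append(f"behavior {name}: origin request policy is not AllViewerExceptHostHeader")
    if cfg.get("WebACLId"):
        findings.append("a WAF web ACL is attached")
    return findings

# Constructed sample input, shaped like the DistributionConfig object returned by
# `aws cloudfront get-distribution-config`; names and IDs are made up.
GOOD = {
    "Origins": {"Quantity": 1, "Items": [{
        "Id": "s3-source", "DomainName": "example-bucket.s3.us-east-1.amazonaws.com",
        "OriginPath": "", "S3OriginConfig": {"OriginAccessIdentity": ""}}]},
    "DefaultCacheBehavior": {"TargetOriginId": "s3-source",
                             "CachePolicyId": CACHING_DISABLED,
                             "OriginRequestPolicyId": ALL_VIEWER_EXCEPT_HOST},
    "CacheBehaviors": {"Quantity": 0},
    "WebACLId": "",
}
BAD = copy.deepcopy(GOOD)
BAD["DefaultCacheBehavior"]["CachePolicyId"] = "EXAMPLE-OTHER-CACHE-POLICY-ID"
BAD["Origins"]["Items"][0]["OriginAccessControlId"] = "EXAMPLE-OAC-ID"

if __name__ == "__main__":
    for label, cfg in (("GOOD", GOOD), ("BAD", BAD)):
        print(label, audit_distribution(cfg) or "matches the steps")
```

A behavior that still uses legacy cache settings has no CachePolicyId at all, so it is reported the same way as one with a different cache policy.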
Create a transfer job
Transferring via a CloudFront distribution is supported in the Google Cloud console
and the REST API.
Don't include sensitive information such as personally identifiable information
(PII) or security data in your transfer job name. Resource names may be
propagated to the names of other Google Cloud resources and may be exposed
to Google-internal systems outside of your project.
Google Cloud console
To create a transfer using the Google Cloud console, follow the
instructions to
create a transfer.
When prompted to enter the CloudFront domain, enter the distribution
domain name you noted in the previous section. You can also find this value
listed in the CloudFront section of the Amazon Web Services console. It has
the format https://dy1h2n3l4ob56.cloudfront.net.
REST API
To create a transfer using the REST API, follow the example on the
Create transfers
page.
Specify the distribution domain name as the value of the
transferSpec.awsS3DataSource.cloudfrontDomain field:

    "transferSpec": {
      "awsS3DataSource": {
        "bucketName": "AWS_SOURCE_NAME",
        "cloudfrontDomain": "https://dy1h2n3l4ob56.cloudfront.net",
        "awsAccessKey": {
          "accessKeyId": "AWS_ACCESS_KEY_ID",
          "secretAccessKey": "AWS_SECRET_ACCESS_KEY"
        }
      },
      ...
    }

Frequently asked questions
Does using CloudFront expose my objects to the public?
No. If you've followed the configuration steps on this page, your objects are
not exposed to the public.
- CloudFront does not have direct access to your S3 objects.
- Users receive a permission denied error if they try to access your objects
  either directly or through CloudFront (if your bucket is private).
- Storage Transfer Service signs requests to CloudFront using the credentials you
  provided in the transfer job, which allows us to download your objects
  securely as if we were downloading directly from S3. This works due to the
  header forwarding setting AllViewerExceptHostHeader.

Last updated 2025-08-28 UTC.