From c352d43605a42d557fffbc59d976c7a2500a43f0 Mon Sep 17 00:00:00 2001 From: Daisuke Date: Tue, 13 May 2025 20:29:03 +0900 Subject: [PATCH] feat: add an origin access control --- template-cloudfront.yaml | 18 +++++++++++++----- 1 file changed, 13 insertions(+), 5 deletions(-) diff --git a/template-cloudfront.yaml b/template-cloudfront.yaml index 0c60701..8d5b26a 100644 --- a/template-cloudfront.yaml +++ b/template-cloudfront.yaml @@ -7,6 +7,16 @@ Parameters: Default: "naputo-blog-public" Resources: + + BlogOriginAccessControl: + Type: AWS::CloudFront::OriginAccessControl + Properties: + OriginAccessControlConfig: + Name: "MyBlogOAC" + OriginAccessControlOriginType: s3 + SigningBehavior: always + SigningProtocol: sigv4 + BlogCloudFrontDistribution: Type: AWS::CloudFront::Distribution Properties: @@ -14,11 +24,9 @@ Resources: Enabled: true Origins: - Id: S3WebsiteOrigin - DomainName: !Sub "${WebsiteBucketName}.s3-website-${AWS::Region}.amazonaws.com" - CustomOriginConfig: - HTTPPort: 80 - HTTPSPort: 80 - OriginProtocolPolicy: http-only + DomainName: !Sub "${WebsiteBucketName}.s3.amazonaws.com" + OriginAccessControlId: !Ref BlogOriginAccessControl + S3OriginConfig: {} DefaultCacheBehavior: TargetOriginId: S3WebsiteOrigin ViewerProtocolPolicy: redirect-to-https
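Review bot: The hard-coded `Name: "MyBlogOAC"` in the new `BlogOriginAccessControl` resource will likely collide if this template is deployed a second time in the same account (another stage, or a copy of the stack), because CloudFront rejects an origin access control whose name already exists. Deriving the name from the stack keeps it unique, for example `Name: !Sub "${AWS::StackName}-oac"`; the name is limited to 64 characters. A short `Description` in `OriginAccessControlConfig` would also make the resource easier to identify when the account's OACs are audited.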
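Review bot: Attaching `OriginAccessControlId` to the `S3WebsiteOrigin` entry makes CloudFront sign its requests, but it does not stop anyone from reading the bucket directly. This one-file change shows no `AWS::S3::BucketPolicy`, and the default bucket name `naputo-blog-public` plus the removed website endpoint suggest the bucket has been publicly readable, though the bucket is defined outside this diff, so confirm. I would replace any public-read statement with a policy that allows only `cloudfront.amazonaws.com`, conditioned on this distribution's ARN, as sketched below; if another template already owns the bucket policy, the statement belongs there instead. Block Public Access should also be enabled on the bucket. Separately, the regional endpoint is the safer origin name for buckets outside us-east-1: `DomainName: !Sub "${WebsiteBucketName}.s3.${AWS::Region}.amazonaws.com"`; the distribution definition continues outside the hunk.

```yaml
  # … unchanged: BlogOriginAccessControl, BlogCloudFrontDistribution …
  BlogBucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: !Ref WebsiteBucketName
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Sid: AllowCloudFrontReadViaOAC
            Effect: Allow
            Principal:
              Service: cloudfront.amazonaws.com
            Action: s3:GetObject
            Resource: !Sub "arn:${AWS::Partition}:s3:::${WebsiteBucketName}/*"
            Condition:
              StringEquals:
                "AWS:SourceArn": !Sub "arn:${AWS::Partition}:cloudfront::${AWS::AccountId}:distribution/${BlogCloudFrontDistribution}"
```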