Stay organized with collectionsSave and categorize content based on your preferences.
Transfers from Amazon S3 can use anAmazon CloudFrontdistribution as an
egress path.
Data transfers through CloudFront may benefit from lower AWS egress costs
compared to transferring directly from S3. SeeCloudFront pricingandS3 egress chargesfor details.
Create a CloudFront distribution for your S3 bucket
In your AWS account, go toCloudFront.
ClickCreate a CloudFront distribution.
UnderOrigin domainselect your S3 bucket.
Origin pathmust be left empty.
Accept the auto-filledOrigin nameor specify your own value.
In theOrigin accesssection, selectPublic. This does not make your
bucket public; instead it indicates to CloudFront that no access mechanism
should be configured.
In theCache key and origin requestssection:
ForCache policyselectCachingDisabled. This prevents CloudFront
from caching requests and serving them to unauthenticated viewers.
ForOrigin request policyselectAllViewerExceptHostHeader. This
allows CloudFront to forward authentication headers to S3, so that
Storage Transfer Service can access your bucket with your secure credentials.
In theWeb Application Firewall (WAF)section, selectDo not enable.
Optionally, choose aPrice class. Storage Transfer Service selects worker pools
based on the source bucket's region, so CloudFront pricing is incurred in
that region. To obtain the lowest pricing, either ensure that your source
bucket is in the US or Europe, or selectUse only North America and Europeas thePrice classin CloudFront.
ClickCreate CloudFront distribution.
Once successfully created, the CloudFront distribution details page is
displayed.
Note theDistribution domain name. For example:https://dy1h2n3l4ob56.cloudfront.net. If the details page doesn't include
thehttps://protocol in front of the distribution domain name, you'll need
to add it yourself when creating the transfer job.
Create a transfer job
Transferring via a CloudFront distribution is supported in the Google Cloud console
and the REST API.
Don't include sensitive information such as personally identifiable information
(PII) or security data in your transfer job name. Resource names may be
propagated to the names of other Google Cloud resources and may be exposed
to Google-internal systems outside of your project.
Google Cloud console
To create a transfer using a the Google Cloud console, follow the
instructions tocreate a transfer.
When prompted to enter theCloudFront domain, enter the distribution
domain name you noted in the previous section. You can also find this value
listed in the CloudFront section of the Amazon Web Services console. It has
the formathttps://dy1h2n3l4ob56.cloudfront.net.
REST API
To create a transfer using the REST API, follow the example on theCreate transferspage.
Specify the distribution domain name as the value of thetransferSpec.awsS3DataSource.cloudfrontDomainfield:
Does using CloudFront expose my objects to the public?
No. If you've followed the configuration steps on this page, your objects are
not exposed to the public.
Cloudfront does not have direct access to your S3 objects.
Users receive apermission deniederror if they try to access your objects
either directly or through CloudFront (if your bucket is private).
Storage Transfer Service signs requests to CloudFront using the credentials you
provided in the transfer job, which allows us to download your objects
securely as if we were downloading directly from S3. This works due to the
header forwarding settingAllViewerExceptHostHeader.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-09-04 UTC."],[],[],null,["# Transfer from S3 via CloudFront\n\nTransfers from Amazon S3 can use an\n[Amazon CloudFront](https://aws.amazon.com/cloudfront/) distribution as an\negress path.\n\nData transfers through CloudFront may benefit from lower AWS egress costs\ncompared to transferring directly from S3. See\n[CloudFront pricing](https://aws.amazon.com/cloudfront/pricing/) and\n[S3 egress charges](https://aws.amazon.com/s3/pricing/) for details.\n\nUsing CloudFront as the egress path does not expose your S3 objects to the\npublic. See\n[Does using CloudFront expose my objects to the public?](#does_cloudfront_expose_objects)\n\nOverview\n--------\n\nIn order to transfer S3 data through CloudFront, you must follow these steps:\n\n- [Configure IAM permissions](#iam)\n- [Configure access to your S3 bucket](#s3-access)\n- [Create a CloudFront distribution for your S3 bucket](#create-cf)\n- [Create a transfer job](#create-job)\n\nConfigure IAM permissions\n-------------------------\n\nFollow the instructions in\n[Agentless transfer permissions](/storage-transfer/docs/iam-cloud) to grant the\nrequired Google Cloud permissions.\n\nConfigure access to your S3 bucket\n----------------------------------\n\nFollow the instructions in\n[Configure access to a source: Amazon S3](/storage-transfer/docs/source-amazon-s3)\nto configure access to your data in Amazon S3.\n\nCreate a CloudFront distribution for your S3 bucket\n---------------------------------------------------\n\n1. In your AWS account, go to **CloudFront**.\n2. Click **Create a CloudFront distribution**.\n3. Under **Origin domain** select your S3 bucket.\n4. **Origin path** must be left empty.\n5. Accept the auto-filled **Origin name** or specify your own value.\n6. In the **Origin access** section, select *Public*. This does not make your bucket public; instead it indicates to CloudFront that no access mechanism should be configured.\n7. In the **Cache key and origin requests** section:\n 1. For **Cache policy** select *CachingDisabled*. This prevents CloudFront from caching requests and serving them to unauthenticated viewers.\n 2. For **Origin request policy** select *AllViewerExceptHostHeader*. This allows CloudFront to forward authentication headers to S3, so that Storage Transfer Service can access your bucket with your secure credentials.\n8. In the **Web Application Firewall (WAF)** section, select *Do not enable*.\n9. Optionally, choose a **Price class** . Storage Transfer Service selects worker pools based on the source bucket's region, so CloudFront pricing is incurred in that region. To obtain the lowest pricing, either ensure that your source bucket is in the US or Europe, or select *Use only North America and Europe* as the **Price class** in CloudFront.\n10. Click **Create CloudFront distribution**.\n\n Once successfully created, the CloudFront distribution details page is\n displayed.\n11. Note the **Distribution domain name** . For example:\n `https://dy1h2n3l4ob56.cloudfront.net`. If the details page doesn't include\n the `https://` protocol in front of the distribution domain name, you'll need\n to add it yourself when creating the transfer job.\n\nCreate a transfer job\n---------------------\n\nTransferring via a CloudFront distribution is supported in the Google Cloud console\nand the REST API.\nDon't include sensitive information such as personally identifiable information (PII) or security data in your transfer job name. Resource names may be propagated to the names of other Google Cloud resources and may be exposed to Google-internal systems outside of your project.\n\n\u003cbr /\u003e\n\n### Google Cloud console\n\nTo create a transfer using a the Google Cloud console, follow the\ninstructions to\n[create a transfer](/storage-transfer/docs/create-transfers?tab=google-cloud-console#create_a_transfer).\n\nWhen prompted to enter the **CloudFront domain** , enter the distribution\ndomain name you noted in the previous section. You can also find this value\nlisted in the CloudFront section of the Amazon Web Services console. It has\nthe format `https://dy1h2n3l4ob56.cloudfront.net`.\n\n### REST API\n\nTo create a transfer using the REST API, follow the example on the\n[Create transfers](/storage-transfer/docs/create-transfers?tab=rest#s3-to-cloud)\npage.\n\nSpecify the distribution domain name as the value of the\n`transferSpec.awsS3DataSource.cloudfrontDomain` field: \n\n \"transferSpec\": {\n \"awsS3DataSource\": {\n \"bucketName\": \"AWS_SOURCE_NAME\",\n \"cloudfrontDomain\": \"https://dy1h2n3l4ob56.cloudfront.net\",\n \"awsAccessKey\": {\n \"accessKeyId\": \"AWS_ACCESS_KEY_ID\",\n \"secretAccessKey\": \"AWS_SECRET_ACCESS_KEY\"\n }\n },\n ...\n }\n\nFrequently asked questions\n--------------------------\n\n### Does using CloudFront expose my objects to the public?\n\nNo. If you've followed the configuration steps on this page, your objects are\nnot exposed to the public.\n\n- Cloudfront does not have direct access to your S3 objects.\n- Users receive a `permission denied` error if they try to access your objects either directly or through CloudFront (if your bucket is private).\n- Storage Transfer Service signs requests to CloudFront using the credentials you provided in the transfer job, which allows us to download your objects securely as if we were downloading directly from S3. This works due to the header forwarding setting `AllViewerExceptHostHeader`."]]
