Related question, anyone know how to grant access to S3 objects via CloudFront only, since CloudFront bandwidth usage is cheaper than S3 objects accessed directly?
I've got it working for top-level documents using Origin Access Identity, but subfolders (example.com/test/index.html) don't work. I'm surprised this use case isn't better documented because it saves you money and you don't need to make your bucket public.
Depending on where your original bucket is hosted, it is very possible that CloudFront ends up costing more in data transfer.
For instance, a us-east-1 bucket has a data transfer rate to the internet starting at $0.09/GB. That's flat, regardless of where the requester is located.
On the other hand, while US- and Europe-based transfer pricing is cheaper in CloudFront (starting at $0.085/GB), all the other regions are more expensive... for example, South America starts at $0.25/GB (!).
Of course the reverse is true: a bucket originally hosted in South America would probably do well to enable CloudFront, as requests from every other region become cheaper...
And yet another wrinkle, I think CloudFront always is cheaper than S3 eventually (with enough data usage). So for very large customers, maybe it is true that CloudFront will always be cheaper. Clear as mud.