Control: 2 CloudFront distributions should have origin access identity enabled
This control checks whether an Amazon CloudFront distribution with Amazon S3 Origin type has Origin Access Identity (OAI) configured. The control fails if OAI is not configured.
CloudFront OAI prevents users from accessing S3 bucket content directly. When users access an S3 bucket directly, they effectively bypass the CloudFront distribution and any permissions that are applied to the underlying S3 bucket content.
For detailed remediation instructions, see Creating a CloudFront OAI and adding it to your distribution.
steampipe check aws_compliance.control.foundational_security_cloudfront_2
This control uses a named query: cloudfront_distribution_origin_access_identity_enabled
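The check described above, written as an added Python example (not the control's own query or Steampipe code). It evaluates configurations in the DistributionConfig shape returned by the CloudFront API, where an S3 origin with no OAI carries an empty `S3OriginConfig.OriginAccessIdentity`. The sample data, the `pass`/`fail`/`not_applicable` labels, and the choice to mark distributions without S3 origins as not applicable are assumptions of this example.

```python
# Constructed sample data; IDs, bucket names and the OAI value are placeholders.
OAI = "origin-access-identity/cloudfront/EEXAMPLEOAI"
SAMPLE = {
    "EDISTOK": {"Origins": {"Items": [
        {"Id": "assets", "DomainName": "example-assets.s3.amazonaws.com",
         "S3OriginConfig": {"OriginAccessIdentity": OAI}}]}},
    "EDISTBAD": {"Origins": {"Items": [
        {"Id": "assets", "DomainName": "example-assets.s3.amazonaws.com",
         "S3OriginConfig": {"OriginAccessIdentity": OAI}},
        {"Id": "logs", "DomainName": "example-logs.s3.amazonaws.com",
         "S3OriginConfig": {"OriginAccessIdentity": ""}}]}},
    "EDISTCUSTOM": {"Origins": {"Items": [
        {"Id": "api", "DomainName": "api.example.com",
         "CustomOriginConfig": {"OriginProtocolPolicy": "https-only"}}]}},
}


def s3_origins_missing_oai(config):
    """Return the Ids of S3 origins whose OriginAccessIdentity is unset."""
    missing = []
    for origin in config.get("Origins", {}).get("Items") or []:
        s3 = origin.get("S3OriginConfig")
        if s3 is None:
            continue  # custom (non-S3) origin: outside the scope of this check
        # The API reports "no OAI" as an empty string, so treat blank as unset.
        if not (s3.get("OriginAccessIdentity") or "").strip():
            missing.append(origin["Id"])
    return missing


def evaluate(distributions):
    """Map distribution id -> (status, list of S3 origin Ids lacking an OAI)."""
    results = {}
    for dist_id, config in distributions.items():
        items = config.get("Origins", {}).get("Items") or []
        if not any(o.get("S3OriginConfig") is not None for o in items):
            # Assumption of this example: no S3 origin means nothing to check.
            results[dist_id] = ("not_applicable", [])
            continue
        missing = s3_origins_missing_oai(config)
        # A single S3 origin without an OAI is enough to fail the distribution.
        results[dist_id] = ("fail" if missing else "pass", missing)
    return results


if __name__ == "__main__":
    for dist_id, (status, origins) in evaluate(SAMPLE).items():
        print(dist_id, status, origins)
```

A distribution with several S3 origins fails as soon as one of them lacks an OAI, so the result lists the offending origin Ids to show which bucket still needs one.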