It’s not something we’ve investigated thoroughly yet; I’ll add it to our Docs todo list.
However, from what I can tell, and from what customers have told us, as long as you treat all objects as “private” then WP Offload Media will be requesting objects in a manner that works with server-side default encryption. The key there is that the signed URLs used for “private” media are an authenticated access that enables S3 to do its thing.
That **might** mean if you follow the guide for setting up Block All Public Access you **might** get roughly the same results, as CloudFront has to be given access? ¯\_(ツ)_/¯
https://deliciousbrains.com/wp-offload-media/doc/cloudfront-setup/#block-public-access
If that doesn’t work out, you could try treating all media as “private”, which isn’t great with WP Offload Media Lite as it doesn’t support signed CloudFront URLs like WP Offload Media does. Without signed CloudFront URLs you’re hitting S3 directly and incurring request charges, eventually.
https://deliciousbrains.com/wp-offload-media/doc/serve-private-media-signed-cloudfront-urls/
Let us know how you get on!
-IJ
Thanks for this.
We won’t be able to make all of our items private, I’m afraid. But this does tell us what we need to know, which we appreciate very much.
-K
Excellent, glad I could help!
-IJ