CloudFront policy to invalidate only specific distribution

I'm using S3 bucket to store files and CloudFront to distribute them. I have a tool that handles synchronization automatically and it works great.

However, I want to be able to also create CloudFront invalidations programmatically. What statement do I need to add to the tool's policy in order to allow creating invalidation only for this specific distribution?

Right now, I have this statement:

{
    "Effect": "Allow",
    "Action": [
        "cloudfront:CreateInvalidation"
    ],
    "Resource": "*"
}

But, as you can see, it allows creating invalidations for any distribution in the account.

I've tried to use these values for Resource property, but for some reason the tool gave me an error, saying that access is denied:

  • arn:aws:cloudfront::12345678:distribution/ABCDEFG
  • arn:aws:cloudfront:::distribution/ABCDEFG

What do I need to specify in Resource property in order to allow creation of invalidation only for the specific distribution?

Its ARN is arn:aws:cloudfront::12345678:distribution/ABCDEFG, for example.

Slava Fomin II asked Jun 05 '17 16:06


2 Answers

The cloudfront:CreateInvalidation command does not support resource-level permissions. For this reason, only * is supported. Thus, it is not possible to restrict a user/role to only be able to invalidate a specific distribution.

Source: http://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/cf-api-permissions-ref.html

Matt Houser answered Nov 18 '22 08:11


Now CloudFront supports distribution-level permissions with IAM policy.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": [
                "cloudfront:UpdateDistribution",
                "cloudfront:DeleteDistribution",
                "cloudfront:CreateInvalidation"
            ],
            "Resource": "arn:aws:cloudfront::<account_id>:distribution/<distribution_id>"
        }
    ]
}

More details here: https://docs.amazonaws.cn/en_us/AmazonCloudFront/latest/DeveloperGuide/access-control-overview.html

GraphicalDot answered Nov 18 '22 09:11
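To see why the distribution-scoped Resource matters, here is an added example (not part of this thread and not AWS's own policy engine): a simplified IAM matcher that evaluates the asker's original wildcard statement and the scoped statement from the answer above against two distribution ARNs. It assumes the ARN format quoted in the question (`arn:aws:cloudfront::12345678:distribution/ABCDEFG`), constructs a second distribution ID for contrast, and models only Effect/Action/Resource (no Condition, NotAction or NotResource).

```python
import re

# Constructed sample values: the asker's distribution ARN and an unrelated one.
OWN_DIST = "arn:aws:cloudfront::12345678:distribution/ABCDEFG"
OTHER_DIST = "arn:aws:cloudfront::12345678:distribution/ZZZZZZZ"

# The asker's original statement: any distribution in the account.
WIDE_POLICY = {"Statement": [{"Effect": "Allow",
    "Action": ["cloudfront:CreateInvalidation"], "Resource": "*"}]}

# The distribution-scoped statement from the answer, placeholders filled in.
SCOPED_POLICY = {"Statement": [{"Effect": "Allow",
    "Action": ["cloudfront:CreateInvalidation"], "Resource": OWN_DIST}]}

def _matches(pattern: str, value: str, fold_case: bool) -> bool:
    """IAM-style glob: '*' matches any run of characters, '?' exactly one.
    Action names compare case-insensitively; ARNs compare case-sensitively."""
    if fold_case:
        pattern, value = pattern.lower(), value.lower()
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value) is not None

def _as_list(v):
    return v if isinstance(v, list) else [v]

def is_allowed(policy: dict, action: str, resource: str) -> bool:
    """Simplified identity-policy evaluation: implicit deny by default, an
    explicit Deny always wins, otherwise one matching Allow is enough.
    Assumption: no Condition, NotAction or NotResource elements are present."""
    allowed = False
    for stmt in _as_list(policy["Statement"]):
        action_hit = any(_matches(p, action, True)
                         for p in _as_list(stmt.get("Action", [])))
        resource_hit = any(_matches(p, resource, False)
                           for p in _as_list(stmt.get("Resource", [])))
        if not (action_hit and resource_hit):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed

if __name__ == "__main__":
    for name, policy in (("wide", WIDE_POLICY), ("scoped", SCOPED_POLICY)):
        for arn in (OWN_DIST, OTHER_DIST):
            verdict = is_allowed(policy, "cloudfront:CreateInvalidation", arn)
            print(f"{name:6} {arn.rsplit('/', 1)[1]}: {'allow' if verdict else 'deny'}")
```

Under plain string matching, the account-less form the asker tried (`arn:aws:cloudfront:::distribution/ABCDEFG`) never equals the real ARN, which is why only the form with the account ID scopes the grant correctly.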