Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Creating an S3 bucket policy that allows access to Cloudfront but restricts access to anyone else

Tags:

amazon-s3

amazon-cloudfront

I have the following policy: 

{         "Version": "2008-10-17",         "Id": "PolicyForCloudFrontPrivateContent",         "Statement": [             {                 "Sid": "Stmt1395852960432",                 "Action": "s3:*",                 "Effect": "Deny",                 "Resource": "arn:aws:s3:::my-bucket/*",                 "Principal": {                     "AWS": [                         "*"                     ]                 }             },             {                 "Sid": "1",                 "Effect": "Allow",                 "Principal": {                     "AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity E1IYJC432545JN"                 },                 "Action": "s3:GetObject",                 "Resource": "arn:aws:s3:::my-bucket/*"             }         ]     }

However, this is denying requests from all requestors, even Cloudfront. What is the correct way to do this?

The problem is that objects are created by the client with public read. I currently do not have immediate control of the client to change this setting. So what I want is to have a policy that overrides individual object ACL. So default deny here does not work.

like image 630
Snowman Avatar asked Mar 26 '14 17:03

Snowman

People also ask

How do I restrict access to content delivered in CloudFront?

1 Answer. You can restrict the access of contents delivered in CloudFront using origin access identity, bucket policy and IAM. We can directly implement using origin access identity but the AWS S3 bucket is used as the origin for CloudFront distribution, it either allows public access, or restricts them.

Can CloudFront access a private S3 bucket?

You can give a CloudFront OAI access to files in an Amazon S3 bucket by creating or updating the bucket policy in the following ways: Using the Amazon S3 bucket's Permissions tab in the Amazon S3 console .

2 Answers

The S3 policy will look like something like this:

{ "Version": "2008-10-17", "Id": "PolicyForCloudFrontPrivateContent", "Statement": [     {         "Sid": "1",         "Effect": "Allow",         "Principal": {             "AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity XXXXXXXXXXX"         },         "Action": "s3:GetObject",         "Resource": "arn:aws:s3:::YYYYYYYYYYYYY.com/*"     }  ] }

But, I didnt manually generate this. When you add an origin (S3) in cloudfront, you have an option to "Restrict Bucket Access" - tell "Yes" here and move forward. Cloudfront configuration will do the rest automatically for you.

Details here: Using an Origin Access Identity to Restrict Access to Your Amazon S3 Content - Amazon CloudFront.

like image 111
Sony Kadavan Avatar answered Sep 30 '22 21:09

Sony Kadavan

This is what you're looking for. Replace XXXXXXXXXXXXXX with you origin access id

{ "Version": "2012-10-17", "Statement": [     {         "Sid": "AddPerm",         "Effect": "Deny",         "NotPrincipal": {             "AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity XXXXXXXXXXXXXX"         },         "Action": "s3:GetObject",         "Resource": "arn:aws:s3:::your.bucket.com/*"     },     {         "Sid": "2",         "Effect": "Allow",         "Principal": {             "AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity XXXXXXXXXXXXXX"         },         "Action": "s3:GetObject",         "Resource": "arn:aws:s3:::your.bucket.com/*"     } ] }
like image 40
Panagiotis Sakellariou Avatar answered Sep 30 '22 22:09

Panagiotis Sakellariou
Sign in to Comment

Related questions

Fastest way to sync two Amazon S3 buckets
How secure are Amazon AWS Access keys?
Creating a folder via s3cmd (Amazon S3)
Restricting S3 bucket access to a VPC
Getting error "fork/exec /var/task/main: no such file or directory" while executing aws-lambda function
Can't delete directory from Amazon S3
How to scp to Amazon s3?
Terraform: How to migrate state between projects?
How do I use shell script to check if a bucket exists?
Sharp image library rotates image when resizing?
Amazon S3 copyObject permission
Reading multiple files from S3 in Spark by date period
Why Amazon S3 bucket name must be the same as website name when hosting a static website
Does Amazon S3's HTTP Uploads feature support web-hook style callbacks?
Can I run my static website from an S3 Bucket, and add password protection?
Need help deciding between EBS vs S3 on Amazon Web Services
How can I create a one time download link with Amazon S3?
AWS S3 local server for integration testing
How do you full text search an amazon s3 bucket?
Ideal value for Kafka Connect Distributed tasks.max configuration setting?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!