Menu
I have the following policy:
{ "Version": "2008-10-17", "Id": "PolicyForCloudFrontPrivateContent", "Statement": [ { "Sid": "Stmt1395852960432", "Action": "s3:*", "Effect": "Deny", "Resource": "arn:aws:s3:::my-bucket/*", "Principal": { "AWS": [ "*" ] } }, { "Sid": "1", "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity E1IYJC432545JN" }, "Action": "s3:GetObject", "Resource": "arn:aws:s3:::my-bucket/*" } ] } However, this is denying requests from all requestors, even Cloudfront. What is the correct way to do this?
The problem is that objects are created by the client with public read. I currently do not have immediate control of the client to change this setting. So what I want is to have a policy that overrides individual object ACL. So default deny here does not work.
630
1 Answer. You can restrict the access of contents delivered in CloudFront using origin access identity, bucket policy and IAM. We can directly implement using origin access identity but the AWS S3 bucket is used as the origin for CloudFront distribution, it either allows public access, or restricts them.
You can give a CloudFront OAI access to files in an Amazon S3 bucket by creating or updating the bucket policy in the following ways: Using the Amazon S3 bucket's Permissions tab in the Amazon S3 console .
The S3 policy will look like something like this:
{ "Version": "2008-10-17", "Id": "PolicyForCloudFrontPrivateContent", "Statement": [ { "Sid": "1", "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity XXXXXXXXXXX" }, "Action": "s3:GetObject", "Resource": "arn:aws:s3:::YYYYYYYYYYYYY.com/*" } ] } But, I didnt manually generate this. When you add an origin (S3) in cloudfront, you have an option to "Restrict Bucket Access" - tell "Yes" here and move forward. Cloudfront configuration will do the rest automatically for you.
Details here: Using an Origin Access Identity to Restrict Access to Your Amazon S3 Content - Amazon CloudFront.
111
This is what you're looking for. Replace XXXXXXXXXXXXXX with you origin access id
{ "Version": "2012-10-17", "Statement": [ { "Sid": "AddPerm", "Effect": "Deny", "NotPrincipal": { "AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity XXXXXXXXXXXXXX" }, "Action": "s3:GetObject", "Resource": "arn:aws:s3:::your.bucket.com/*" }, { "Sid": "2", "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity XXXXXXXXXXXXXX" }, "Action": "s3:GetObject", "Resource": "arn:aws:s3:::your.bucket.com/*" } ] } If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
