I'm trying to give access to a specific IAM user to a particular Cloudfront distribution. I've tried with this Policy:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1428659042000",
            "Effect": "Allow",
            "Action":["cloudfront:*"],
            "Resource": [ "arn:aws:cloudfront:E3J2B3GMZI73G0" ]
        }
    ]
}
AWS-IAM Policy checker says the arn is invalid. As per the documentation on IAM restrictions on Cloudfront, AWS doesn't point any example to restrict access to specific Distributions. They always refer to:
"Resource":"*"
Ideas on how to give a particular user access to a concrete Cloudfront Distribution?
To use private content with Amazon CloudFront, you'll need an Amazon CloudFront distribution with private content enabled and a list of authorized accounts you trust to access your private content. From the Create Distribution Wizard in the Amazon CloudFront console, start creating a web distribution.
The following are some ways you can use CloudFront to secure and restrict access to content: Configure HTTPS connections. Prevent users in specific geographic locations from accessing content. Require users to access content using CloudFront signed URLs or signed cookies.
Resource-level AWS Identity and Access Management (IAM) permissions are unfortunately not yet supported by all AWS services, and Amazon CloudFront indeed doesn't as per the overview table in AWS Services That Support IAM, which is also explicitly confirmed within CloudFront Resources:
You use an asterisk (*) as the resource when writing a policy to control access to CloudFront actions. This is because you can't use IAM to control access to specific CloudFront resources. For example, you can't give users access to a specific distribution. Permissions granted using IAM include all the resources you use with CloudFront. Because you cannot specify the resources to control access to, there are no CloudFront resource ARNs (Amazon Resource Names) for you to use in an IAM policy. [...] [emphasis mine]
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With