Restrict access to a particular Cloudfront distribution using IAM

I'm trying to give access to a specific IAM user to a particular Cloudfront distribution. I've tried with this Policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1428659042000",
            "Effect": "Allow",
            "Action": ["cloudfront:*"],
            "Resource": ["arn:aws:cloudfront:E3J2B3GMZI73G0"]
        }
    ]
}

AWS-IAM Policy checker says the arn is invalid. As per the documentation on IAM restrictions on Cloudfront, AWS doesn't point any example to restrict access to specific Distributions. They always refer to:

"Resource":"*"

Ideas on how to give a particular user access to a concrete Cloudfront Distribution?

alexandresaiz asked Apr 10 '15 10:04



1 Answer

Resource-level AWS Identity and Access Management (IAM) permissions are unfortunately not yet supported by all AWS services, and Amazon CloudFront indeed doesn't as per the overview table in AWS Services That Support IAM, which is also explicitly confirmed within CloudFront Resources:

You use an asterisk (*) as the resource when writing a policy to control access to CloudFront actions. This is because you can't use IAM to control access to specific CloudFront resources. For example, you can't give users access to a specific distribution. Permissions granted using IAM include all the resources you use with CloudFront. Because you cannot specify the resources to control access to, there are no CloudFront resource ARNs (Amazon Resource Names) for you to use in an IAM policy. [...] [emphasis mine]

Steffen Opel answered Sep 24 '22 09:09
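The following is an added example, not code from the question or the answer: a small Python linter that encodes the two separate reasons the question's policy is rejected. First, `arn:aws:cloudfront:E3J2B3GMZI73G0` is not a well-formed ARN at all (an ARN has six colon-separated segments, `arn:partition:service:region:account:resource`, and the questioner's has four). Second, per the answer, CloudFront actions must be granted with `"Resource": "*"`. The policy document from the question is embedded as sample input; `WILDCARD_POLICY` is the constructed, corrected form.

```python
import json

# Sample input: the policy document from the question, copied verbatim.
QUESTION_POLICY = """
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1428659042000",
            "Effect": "Allow",
            "Action": ["cloudfront:*"],
            "Resource": ["arn:aws:cloudfront:E3J2B3GMZI73G0"]
        }
    ]
}
"""

# Constructed: the form the answer says CloudFront accepts (Resource "*").
WILDCARD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "CloudFrontAllDistributions",
            "Effect": "Allow",
            "Action": ["cloudfront:*"],
            "Resource": "*",
        }
    ],
}

# Services the answer says take no resource ARNs; only the page's case is listed.
WILDCARD_ONLY_SERVICES = {"cloudfront"}


def _as_list(value):
    """IAM allows a single string or a list for Action/Resource; normalise to a list."""
    return [value] if isinstance(value, str) else list(value or [])


def arn_problems(arn):
    """Structural ARN check: returns a list of problem strings, empty if the ARN is well-formed.

    Only the shape is checked (segment count, partition, service, account format);
    whether the service actually supports that resource type is a separate question.
    """
    if arn == "*":
        return []
    parts = arn.split(":", 5)  # arn:partition:service:region:account:resource
    if len(parts) != 6 or parts[0] != "arn":
        return [f"{arn!r} is not a well-formed ARN: expected six colon-separated segments "
                f"arn:partition:service:region:account:resource, found {len(parts)}"]
    partition, service, region, account, resource = parts[1:]
    problems = []
    if not partition:
        problems.append(f"{arn!r}: empty partition segment")
    if not service:
        problems.append(f"{arn!r}: empty service segment")
    # Account is a 12-digit id, the literal "aws" for AWS-managed resources, or empty.
    if account and account != "aws" and not (account.isdigit() and len(account) == 12):
        problems.append(f"{arn!r}: account segment {account!r} is not a 12-digit account id")
    if not resource:
        problems.append(f"{arn!r}: empty resource segment")
    return problems


def lint_policy(policy):
    """Return a list of findings for an IAM policy (JSON string or parsed dict)."""
    doc = json.loads(policy) if isinstance(policy, str) else policy
    findings = []
    if doc.get("Version") != "2012-10-17":
        findings.append("policy Version should be 2012-10-17")
    for stmt in _as_list(doc.get("Statement")):
        sid = stmt.get("Sid", "<no Sid>")
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        for res in resources:
            findings.extend(f"{sid}: {p}" for p in arn_problems(res))
        # Service prefix of each action, e.g. "cloudfront:*" -> "cloudfront".
        services = {a.split(":", 1)[0] for a in actions}
        if services & WILDCARD_ONLY_SERVICES and any(r != "*" for r in resources):
            findings.append(f"{sid}: CloudFront actions must use Resource \"*\"; "
                            f"per-distribution ARNs are not accepted")
    return findings


if __name__ == "__main__":
    for name, pol in (("question", QUESTION_POLICY), ("wildcard", WILDCARD_POLICY)):
        print(name, "->", lint_policy(pol) or "OK")
```

Run it and the question's policy produces two findings (malformed ARN, plus the CloudFront wildcard rule), while `WILDCARD_POLICY` passes. The ARN shape check is service-independent and applies to any policy; the `WILDCARD_ONLY_SERVICES` rule encodes what the answer states about CloudFront at the time it was written, so confirm it against the current CloudFront IAM documentation before treating a `*` resource as the only option.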