Creating an S3 bucket policy that allows access to Cloudfront but restricts access to anyone else

Question

asked Nov 30, 2020 in AWS by devin (5.6k points)

Here is my policy

{
"Version": "2008-10-17",
"Id": "PolicyForCloudFrontPrivateContent",
"Statement": [
{
"Sid": "Stmt1395852960432",
"Action": "s3:*",
"Effect": "Deny",
"Resource": "arn:aws:s3:::my-bucket/*",
"Principal": {
"AWS": [
"*"
]
}
},
{
"Sid": "1",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity E1IYJC432545JN"
},
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::my-bucket/*"
}
]
}

but, this denies requests from all the requestors, even Cloudfront. What could be the correct way to do this?

1 Answer

kritika · Answer 1 · 2020-11-30T12:22:10+0000

So when you add origin in Cloudfront you get an option to "Restrict bucket access" just click "Yes" and move ahead, the rest of the configuration will be done by Cloudfront automatically.

S3 policy would be

{
"Version": "2008-10-17",
"Id": "PolicyForCloudFrontPrivateContent",
"Statement": [
{
"Sid": "1",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity XXXXXXXXXXX"
},
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::YYYYYYYYYYYYY.com/*"
}
]
}

Want to learn more about AWS? Come & join: AWS Certification

Creating an S3 bucket policy that allows access to Cloudfront but restricts access to anyone else

Creating an S3 bucket policy that allows access to Cloudfront but restricts access to anyone else

Please log in or register to add a comment.

Please log in or register to answer this question.

1 Answer

Please log in or register to add a comment.

Related questions

Want to get 50% Hike on your Salary?

Browse Categories

Popular Courses

Top Tutorials

Top Articles

Top Interview Questions