So when you add an origin in CloudFront, you get an option to "Restrict Bucket Access": just click "Yes" and move ahead; the rest of the configuration is done by CloudFront automatically.
The S3 bucket policy would be:
    {
        "Version": "2008-10-17",
        "Id": "PolicyForCloudFrontPrivateContent",
        "Statement": [
            {
                "Sid": "1",
                "Effect": "Allow",
                "Principal": {
                    "AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity XXXXXXXXXXX"
                },
                "Action": "s3:GetObject",
                "Resource": "arn:aws:s3:::YYYYYYYYYYYYY.com/*"
            }
        ]
    }
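A quick audit of such a bucket policy, as an added example (not from the original post): it parses the policy and reports whether the bucket is readable only through the OAI, or whether a public principal, a non-OAI principal, or an OAI grant broader than s3:GetObject has crept in. Bucket names and OAI IDs in the samples are constructed placeholders.

```python
import json

# Legacy OAI principal ARN prefix, as CloudFront writes it into the bucket policy
# when "Restrict Bucket Access" is set to Yes (matches the policy shown above).
OAI_PREFIX = "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity "

def _as_list(value):
    """Principal/Action/Resource may be a single string or a list."""
    return value if isinstance(value, list) else [value]

def _principals(statement):
    """Flatten the Principal element to a list of strings ("*" stays "*")."""
    principal = statement.get("Principal", {})
    if principal == "*":
        return ["*"]
    out = []
    for values in principal.values():  # {"AWS": ...}, {"Service": ...}, etc.
        out.extend(_as_list(values))
    return out

def audit_bucket_policy(policy_text):
    """Check that Allow statements grant only s3:GetObject, and only to an OAI."""
    policy = json.loads(policy_text)
    findings = {"public_access": False, "non_oai_principals": [], "broad_oai_actions": []}
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access; skip them
        actions = _as_list(stmt.get("Action", []))
        for principal in _principals(stmt):
            if principal == "*":
                findings["public_access"] = True  # anyone can read, bypassing CloudFront
            elif principal.startswith(OAI_PREFIX):
                findings["broad_oai_actions"] += [a for a in actions if a != "s3:GetObject"]
            else:
                findings["non_oai_principals"].append(principal)
    findings["oai_only"] = not (findings["public_access"] or findings["non_oai_principals"]
                                or findings["broad_oai_actions"])
    return findings

# Constructed sample: the CloudFront-generated policy above, with placeholder IDs.
OAI_POLICY = json.dumps({"Version": "2008-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": OAI_PREFIX + "EXAMPLEOAIID"},
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]})
# Constructed sample: the same bucket left world-readable, which defeats the restriction.
PUBLIC_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": "*"}, "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]}]})
```

Run `audit_bucket_policy` over the policy fetched with `aws s3api get-bucket-policy`; `oai_only` should be true for a bucket that is meant to be served only through CloudFront.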