Creating an S3 bucket policy that allows access to Cloudfront but restricts access to anyone else

Question

Here is my policy

{

        "Version": "2008-10-17",

        "Id": "PolicyForCloudFrontPrivateContent",

        "Statement": [

            {

                "Sid": "Stmt1395852960432",

                "Action": "s3:*",

                "Effect": "Deny",

                "Resource": "arn:aws:s3:::my-bucket/*",

                "Principal": {

                    "AWS": [

                        "*"

                    ]

                }

            },

            {

                "Sid": "1",

                "Effect": "Allow",

                "Principal": {

                    "AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity E1IYJC432545JN"

                },

                "Action": "s3:GetObject",

                "Resource": "arn:aws:s3:::my-bucket/*"

            }

        ]

    }

but, this denies requests from all the requestors, even Cloudfront. What could be the correct way to do this?

Answer 1

So when you add origin in Cloudfront you get an option to "Restrict bucket access" just click "Yes" and move ahead, the rest of the configuration will be done by Cloudfront automatically.

S3 policy would be 

{

"Version": "2008-10-17",

"Id": "PolicyForCloudFrontPrivateContent",

"Statement": [

    {

        "Sid": "1",

        "Effect": "Allow",

        "Principal": {

            "AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity XXXXXXXXXXX"

        },

        "Action": "s3:GetObject",

        "Resource": "arn:aws:s3:::YYYYYYYYYYYYY.com/*"

    }

 ]

} 

Want to learn more about AWS? Come & join: AWS Certification