Durch die Nutzung von AWS re:Post stimmt du den AWS re:Post Nutzungsbedingungen
AWS re:Postre:Post

AWS S3 Bucket policy Cloudfront + IAM user access

0

Cloudfront automatically added these bucket policy rules, but now my IAM user + production IAM role can't access the bucket to perform head object operation. How do I modify this to allow for object access for my server?

I also already tried using principle. It didn't work. The IAM user has full access to S3

{
	"Version": "2008-10-17",
	"Id": "PolicyForCloudFrontPrivateContent",
	"Statement": [
		{
			"Sid": "Server access",
			"Effect": "Allow",
			"Principal": "*",
			"Action": [
				"s3:GetObject",
				"s3:ListBucket",
				"s3:DeleteObject"
			],
			"Resource": [
				"arn:aws:s3:::bucket-name",
				"arn:aws:s3:::bucket-name/*"
			],
			"Condition": {
				"StringEquals": {
					"AWS:SourceArn": "arn:aws:iam::1234567890:user/dev"
				}
			}
		},
		{
			"Sid": "AllowCloudFrontServicePrincipal",
			"Effect": "Allow",
			"Principal": {
				"Service": "cloudfront.amazonaws.com"
			},
			"Action": "s3:GetObject",
			"Resource": "arn:aws:s3:::bucket-name/*",
			"Condition": {
				"StringEquals": {
					"AWS:SourceArn": "arn:aws:cloudfront::1234567890:distribution/asdf"
				}
			}
		}
	]
}

enter image description here

Themen
SpeicherVernetzung & Bereitstellung von InhaltenSicherheit, Identität & Konformität
Tags
Amazon Simple Storage ServiceAmazon CloudFrontIAM-Richtlinien
Sprache
English
ACW
gefragt vor einem Jahr321 Aufrufe
1 Antwort
0

Hello, Please use the sample policy below. Using the AROAEXAMPLEID that you just retrieved via the AWS CLI

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::bucketname/*",
            "Condition": {
                "StringLike": {
                    "aws:userId": "AIDAEXAMPLEID"
                }
            }
        },
        {
            "Sid": "AllowCloudFrontServicePrincipal",
            "Effect": "Allow",
            "Principal": {
                "Service": "cloudfront.amazonaws.com"
            },
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::bucketname/*",
            "Condition": {
                "StringEquals": {
                    "AWS:SourceArn": "arn:aws:cloudfront::1234567890:distribution/asdf"
                }
            }
        }
    ]
}

=====================================

Run the command: aws iam get-user -–user-name USER-NAME In the output, look for the userId string, which will begin with AIDAEXAMPLEID.

If you are still facing issues, we need to check on Encryption, IAM user permissions and other factors mentioned in the article.

https://repost.aws/knowledge-center/s3-troubleshoot-403

AWS
SUPPORT-TECHNIKER
Ajinkya B-AWS
beantwortet vor einem Jahr

Du bist nicht angemeldet. Anmelden um eine Antwort zu veröffentlichen.

Eine gute Antwort beantwortet die Frage klar, gibt konstruktives Feedback und fördert die berufliche Weiterentwicklung des Fragenstellers.

Richtlinien für die Beantwortung von Fragen

Relevanter Inhalt