1 Antwort
- Neueste
- Die meisten Stimmen
- Die meisten Kommentare
2
Assuming that the S3 bucket is private and that an OAI has been created. In the bucket policy, add the prefix "public" to the ARN :
"Resource": "arn:aws:s3:::mybucket/public/*"
You could also add an explicit deny statement:
{
"Effect": "Deny",
"Principal": {
"AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity ABCDEFGHIJ1234"
},
"Action": "s3:*",
"Resource": "arn:aws:s3:::mybucket/private/*"
}
Relevanter Inhalt
- AWS OFFICIALAktualisiert vor einem Jahr
- AWS OFFICIALAktualisiert vor 3 Jahren
Ok, OAI has already been created and I've updated the bucket policy regarding to your answer (finetuned the "Allow" statement and added also the "Deny" statement.
Do you mean that this explicitly prevents distribution of the "private" directory? I just want to be sure.
With this bucket policy, CloudFront has no access to the private directory.
Also, look at the S3 Access Analyzer to see if any other policy is allowing access to the 'private' prefix.