1 Respuesta
- Más nuevo
- Más votos
- Más comentarios
2
Assuming that the S3 bucket is private and that an OAI has been created. In the bucket policy, add the prefix "public" to the ARN :
"Resource": "arn:aws:s3:::mybucket/public/*"
You could also add an explicit deny statement:
{
"Effect": "Deny",
"Principal": {
"AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity ABCDEFGHIJ1234"
},
"Action": "s3:*",
"Resource": "arn:aws:s3:::mybucket/private/*"
}
Contenido relevante
- OFICIAL DE AWSActualizada hace 2 años
- OFICIAL DE AWSActualizada hace 2 años
- OFICIAL DE AWSActualizada hace un año
Ok, OAI has already been created and I've updated the bucket policy regarding to your answer (finetuned the "Allow" statement and added also the "Deny" statement.
Do you mean that this explicitly prevents distribution of the "private" directory? I just want to be sure.
With this bucket policy, CloudFront has no access to the private directory.
Also, look at the S3 Access Analyzer to see if any other policy is allowing access to the 'private' prefix.