1 réponse
- Le plus récent
- Le plus de votes
- La plupart des commentaires
2
Assuming that the S3 bucket is private and that an OAI has been created. In the bucket policy, add the prefix "public" to the ARN :
"Resource": "arn:aws:s3:::mybucket/public/*"
You could also add an explicit deny statement:
{
"Effect": "Deny",
"Principal": {
"AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity ABCDEFGHIJ1234"
},
"Action": "s3:*",
"Resource": "arn:aws:s3:::mybucket/private/*"
}
Contenus pertinents
- demandé il y a 6 mois
- demandé il y a 3 mois
- demandé il y a un an
- demandé il y a un an
- AWS OFFICIELA mis à jour il y a 2 ans
- AWS OFFICIELA mis à jour il y a 2 ans
Ok, OAI has already been created and I've updated the bucket policy regarding to your answer (finetuned the "Allow" statement and added also the "Deny" statement.
Do you mean that this explicitly prevents distribution of the "private" directory? I just want to be sure.
With this bucket policy, CloudFront has no access to the private directory.
Also, look at the S3 Access Analyzer to see if any other policy is allowing access to the 'private' prefix.