Make S3 static website accessible to Cloudfront Only Permissions

Question

**I'm hosting a static website in an S3 bucket.** I am attempting to limit access permissions to cloudfront only. My current configuration:

```
{
	"Version": "2008-10-17",
	"Id": "PolicyForCloudFrontPrivateContent",
	"Statement": [
		{
			"Sid": "AllowCloudFrontServicePrincipal",
			"Effect": "Allow",
			"Principal": {
				"Service": "cloudfront.amazonaws.com"
			},
			"Action": "s3:GetObject",
			"Resource": "arn:aws:s3:::MYBUCKET/*",
			"Condition": {
				"StringEquals": {
					"AWS:SourceArn": "DISTRIBUTION_ARN/"
				}
			}
		}
	]
}
```

But this does not allow cloudfront access and returns a 403 Forbidden error. How can I fix this?

Accepted Answer

You haven't mentioned whether you're trying to use Origin Access Control (OAC), or Origin Access Identity (OAI - legacy).

However, the policy that you've provided looks *almost* correct for OAC, except for the Condition key which should look like this (no trailing slash):

```
AWS:SourceArn": "arn:aws:cloudfront:::distribution/"
```

Please take a look at the [documentation](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-restricting-access-to-s3.html) for more information, particularly the section on SSE-KMS, if you're using that on your bucket

Note also that in the Cloudfront Origin settings, there's an option to copy a pre-populated policy statement that you can insert into your S3 bucket policy.

Make S3 static website accessible to Cloudfront Only Permissions

Contenuto pertinente