AWS re:Postを使用することにより、以下に同意したことになります AWS re:Post 利用規約
AWS re:Postre:Post

CloudFront Origin Path

1

I do have a S3 bucket with 2 directories on top level:

  • public
  • private

and I want do use CloudFront to serve only a the files of the "public" directory so I've setup the "Origin Path" of my distribution to that folder. It works like expected but I'm wondering if the "private" directory is also distributed (but not reachable due to that specific origin path of the CF distribution)?

I really don't want the private folder to get distributed or be public reachable in any way.

So the question is: does only the stuff under "origin path" gets distributed or the whole S3 bucket?

Best regards Daniel

トピック
ストレージネットワークとコンテンツ配信
タグ
Amazon Simple Storage Service (S3)Amazon CloudFront
言語
English
Daniel
質問済み 2年前1487ビュー
1回答
2
承認された回答

Assuming that the S3 bucket is private and that an OAI has been created. In the bucket policy, add the prefix "public" to the ARN :

"Resource": "arn:aws:s3:::mybucket/public/*"

You could also add an explicit deny statement:

{
    "Effect": "Deny",
    "Principal": {
        "AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity ABCDEFGHIJ1234"
    },
    "Action": "s3:*",
    "Resource": "arn:aws:s3:::mybucket/private/*"
}
profile pictureAWS
エキスパート
kentrad
回答済み 2年前
  • Daniel
    2年前

    Ok, OAI has already been created and I've updated the bucket policy regarding to your answer (finetuned the "Allow" statement and added also the "Deny" statement.

    Do you mean that this explicitly prevents distribution of the "private" directory? I just want to be sure.

  • MG
    2年前

    With this bucket policy, CloudFront has no access to the private directory.

  • kentrad エキスパート
    2年前

    Also, look at the S3 Access Analyzer to see if any other policy is allowing access to the 'private' prefix.

ログインしていません。 ログイン 回答を投稿する。

優れた回答とは、質問に明確に答え、建設的なフィードバックを提供し、質問者の専門分野におけるスキルの向上を促すものです。

質問に答えるためのガイドライン

関連するコンテンツ