CloudFront Origin Path

I do have a S3 bucket with 2 directories on top level:

public
private

and I want do use CloudFront to serve only a the files of the "public" directory so I've setup the "Origin Path" of my distribution to that folder. It works like expected but I'm wondering if the "private" directory is also distributed (but not reachable due to that specific origin path of the CF distribution)?

I really don't want the private folder to get distributed or be public reachable in any way.

So the question is: does only the stuff under "origin path" gets distributed or the whole S3 bucket?

Best regards Daniel

주제

스토리지 네트워킹 및 콘텐츠 전송

태그

아마존 심플 스토리지 서비스 아마존 CloudFront

언어

English

Daniel

질문됨 2년 전1487회 조회

1개 답변

최신
최다 투표
가장 많은 댓글

수락된 답변

Assuming that the S3 bucket is private and that an OAI has been created. In the bucket policy, add the prefix "public" to the ARN :

"Resource": "arn:aws:s3:::mybucket/public/*"

You could also add an explicit deny statement:

{
    "Effect": "Deny",
    "Principal": {
        "AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity ABCDEFGHIJ1234"
    },
    "Action": "s3:*",
    "Resource": "arn:aws:s3:::mybucket/private/*"
}

전문가

kentrad

답변함 2년 전

Daniel
2년 전
Ok, OAI has already been created and I've updated the bucket policy regarding to your answer (finetuned the "Allow" statement and added also the "Deny" statement.

Do you mean that this explicitly prevents distribution of the "private" directory? I just want to be sure.
MG
2년 전
With this bucket policy, CloudFront has no access to the private directory.
kentrad 전문가
2년 전
Also, look at the S3 Access Analyzer to see if any other policy is allowing access to the 'private' prefix.

CloudFront Origin Path

관련 콘텐츠