Ao usar o AWS re:Post, você concorda com os AWS re:Post Termos de uso
AWS re:Postre:Post

AWS S3 Bucket policy Cloudfront + IAM user access

0

Cloudfront automatically added these bucket policy rules, but now my IAM user + production IAM role can't access the bucket to perform head object operation. How do I modify this to allow for object access for my server?

I also already tried using principle. It didn't work. The IAM user has full access to S3

{
	"Version": "2008-10-17",
	"Id": "PolicyForCloudFrontPrivateContent",
	"Statement": [
		{
			"Sid": "Server access",
			"Effect": "Allow",
			"Principal": "*",
			"Action": [
				"s3:GetObject",
				"s3:ListBucket",
				"s3:DeleteObject"
			],
			"Resource": [
				"arn:aws:s3:::bucket-name",
				"arn:aws:s3:::bucket-name/*"
			],
			"Condition": {
				"StringEquals": {
					"AWS:SourceArn": "arn:aws:iam::1234567890:user/dev"
				}
			}
		},
		{
			"Sid": "AllowCloudFrontServicePrincipal",
			"Effect": "Allow",
			"Principal": {
				"Service": "cloudfront.amazonaws.com"
			},
			"Action": "s3:GetObject",
			"Resource": "arn:aws:s3:::bucket-name/*",
			"Condition": {
				"StringEquals": {
					"AWS:SourceArn": "arn:aws:cloudfront::1234567890:distribution/asdf"
				}
			}
		}
	]
}

enter image description here

Tópicos
ArmazenamentoRede e entrega de conteúdoSegurança, identidade e conformidade
Tags
Serviço de armazenamento simples da AmazonAmazon CloudFrontPolíticas do IAM
Idioma
English
ACW
feita há um ano321 visualizações
1 Resposta
0

Hello, Please use the sample policy below. Using the AROAEXAMPLEID that you just retrieved via the AWS CLI

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::bucketname/*",
            "Condition": {
                "StringLike": {
                    "aws:userId": "AIDAEXAMPLEID"
                }
            }
        },
        {
            "Sid": "AllowCloudFrontServicePrincipal",
            "Effect": "Allow",
            "Principal": {
                "Service": "cloudfront.amazonaws.com"
            },
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::bucketname/*",
            "Condition": {
                "StringEquals": {
                    "AWS:SourceArn": "arn:aws:cloudfront::1234567890:distribution/asdf"
                }
            }
        }
    ]
}

=====================================

Run the command: aws iam get-user -–user-name USER-NAME In the output, look for the userId string, which will begin with AIDAEXAMPLEID.

If you are still facing issues, we need to check on Encryption, IAM user permissions and other factors mentioned in the article.

https://repost.aws/knowledge-center/s3-troubleshoot-403

AWS
ENGENHEIRO DE SUPORTE
Ajinkya B-AWS
respondido há um ano

Você não está conectado. Fazer login para postar uma resposta.

Uma boa resposta responde claramente à pergunta, dá feedback construtivo e incentiva o crescimento profissional de quem perguntou.

Diretrizes para responder a perguntas

Conteúdo relevante