Turns out there was no problem at all; the issue was with my bucket name being malformed!
Hi Gary, I promise you that the following does appear to work, but only if I add the origin through the console, not when using CloudFormation. The problem is using CloudFormation to do the same. Also, I cannot add the distribution ID at this point to the bucket policy as it is unknown, and this bucket is not part of this stack.
```json
{
  "Effect": "Allow",
  "Principal": {
    "Service": "cloudfront.amazonaws.com"
  },
  "Action": "s3:GetObject",
  "Resource": "arn:aws:s3:::MyBucketName/*",
  "Condition": {
    "StringEquals": {
      "aws:ResourceOrgID": "myOrgId"
    }
  }
}
```
It's really stumped me.
Thanks for the update..
Interesting, as I have read it in a couple of places.. Here's one: https://repost.aws/questions/QUeEr7GSgESI-rPCQ_-aGqKA/how-can-i-restrict-s-3-bucket-access-to-allow-only-vpc-flow-logs-from-within-an-organization
I am trying to find anything official on the AWS website. If you edit your bucket policy in the GUI it reports it as a security warning.. The GUI could be out of date....
I am going to test more
I wonder if AWS updated this, as the post was some time ago...
Please see my latest answer.. Ta
Hey James,
So I stand true with my statement still. Your policy "Condition" isn't allowing access from your org, it's allowing access from CloudFront to your bucket in your org. The condition ResourceOrgID is the resource being accessed, not the source account/service.
aws:ResourceOrgID = AWS organization ID of the resource being accessed
This means any CloudFront distribution can access your bucket. PrincipalOrgID would be the condition you would need to only allow access from a role/account in your org, but that, as I said, isn't supported.
The table here explains what your condition is: https://aws.amazon.com/blogs/security/how-to-control-access-to-aws-resources-based-on-aws-account-ou-or-organization/
Your policy is only backing up your defined resource, being that the bucket is in your org, which is going to be true because that's where the bucket lives. So that condition doesn't actually do anything.
Anyway, that wasn't the issue you had, but one to review if security is a concern..
We use Terraform, where that cat-and-mouse issue you have isn't a problem..
Gary
Hi Gary, you're absolutely right actually, thanks for taking the time to look into it! I thought I'd tested it, but I just set up a CloudFront distribution in an account outside the organisation and it worked, so all I was actually testing for was a signed request from any CloudFront, as you said! To resolve this, without having to add each distribution ID individually to the bucket policy, I've tested the following bucket policy, which does seem to work (requires the Referer header to be set as a custom header in the origin):
```json
{
  "Effect": "Allow",
  "Principal": {
    "Service": "cloudfront.amazonaws.com"
  },
  "Action": "s3:GetObject",
  "Resource": "arn:aws:s3:::MyBucketName/*",
  "Condition": {
    "StringEquals": {
      "aws:Referer": "someSecretString"
    }
  }
}
```
It's not absolutely essential that nobody can access the bucket directly, as it's a public website, and I think that restricting it to only CloudFront distributions that "know" the secret header should be sufficient?
The problem I was originally having has disappeared (turns out the problem was me).
Hey James,
That policy, I think, without specifying the ARN is the best you're going to get. Good idea using a Referer! Unless someone knows both the bucket name and header, you're good to go buddy..
Thanks for the update.. It's good to know
Gary
Hey there,
You can NOT reference a ResourceOrgID on principals originating from AWS services. The AWS services, i.e. CloudFront, do NOT reside in your org. You will need to reference the CloudFront ARN of the account it's set up in rather than the org.
Correct your bucket policy, which should fix the issue. As an example, update the bucket name and SourceArn:
```json
{
  "Version": "2012-10-17",
  "Statement": {
    "Sid": "AllowCloudFrontServicePrincipalReadOnly",
    "Effect": "Allow",
    "Principal": {
      "Service": "cloudfront.amazonaws.com"
    },
    "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*",
    "Condition": {
      "StringEquals": {
        "AWS:SourceArn": "arn:aws:cloudfront::111122223333:distribution/EDFDVBD6EXAMPLE"
      }
    }
  }
}
```
If you are using KMS encryption you may also need to adjust your KMS key policy.
If this answers your question, please accept this so it helps others and me.
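As an added illustration of the three policy variants discussed in this thread (not code from the thread or from AWS), the following Python check walks a bucket policy and classifies each Allow statement for the CloudFront service principal: pinned to a distribution or account via `aws:SourceArn`/`aws:SourceAccount`, gated by a shared `aws:Referer` secret, or open to any distribution because `aws:ResourceOrgID`/`aws:ResourceAccount` only describe the bucket itself. The function names, verdict labels and the constructed `SAMPLE_POLICY` are assumptions of this example.

```python
CLOUDFRONT = "cloudfront.amazonaws.com"
# Keys that bind the grant to a specific distribution or its owning account.
PINNING_KEYS = {"aws:sourcearn", "aws:sourceaccount"}
# A shared secret carried in a custom origin header: works, but is only as secret as the header.
SECRET_KEYS = {"aws:referer"}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _condition_keys(stmt):
    # IAM condition keys are matched case-insensitively, so normalise before comparing.
    keys = set()
    for operator in stmt.get("Condition", {}).values():
        keys.update(k.lower() for k in operator)
    return keys

def review_cloudfront_grants(policy):
    """Classify each Allow statement that grants cloudfront.amazonaws.com.
    Returns (sid, verdict) pairs: 'pinned', 'shared-secret' or 'any-distribution'."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        principal = stmt.get("Principal", {})
        services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        if stmt.get("Effect") != "Allow" or CLOUDFRONT not in services:
            continue
        keys = _condition_keys(stmt)
        if keys & PINNING_KEYS:
            verdict = "pinned"
        elif keys & SECRET_KEYS:
            verdict = "shared-secret"
        else:
            # aws:ResourceOrgID / aws:ResourceAccount describe the bucket being accessed,
            # so they always match here and leave the grant open to any distribution.
            verdict = "any-distribution"
        findings.append((stmt.get("Sid", ""), verdict))
    return findings

# Constructed sample policy mirroring the three statements posted in the thread (hypothetical values).
def _cloudfront_grant(sid, condition):
    return {"Sid": sid, "Effect": "Allow", "Principal": {"Service": CLOUDFRONT},
            "Action": "s3:GetObject", "Resource": "arn:aws:s3:::MyBucketName/*",
            "Condition": {"StringEquals": condition}}

SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    _cloudfront_grant("OrgOnly", {"aws:ResourceOrgID": "myOrgId"}),
    _cloudfront_grant("RefererSecret", {"aws:Referer": "someSecretString"}),
    _cloudfront_grant("PinnedToDistribution",
                      {"AWS:SourceArn": "arn:aws:cloudfront::111122223333:distribution/EDFDVBD6EXAMPLE"}),
]}
```

Calling `review_cloudfront_grants(SAMPLE_POLICY)` returns the verdict for each of the three statements; the same function can be pointed at a real policy fetched with `get_bucket_policy` before it is deployed.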
I think I ran into a similar problem once and it was caused by not using the region as part of the DomainName when referencing an S3 bucket.
In the CloudFormation template, what is the value for Distribution.Properties.DistributionConfig.Origins.DomainName?