By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post

Make S3 static website accessible to Cloudfront Only Permissions

0

I'm hosting a static website in an S3 bucket. I am attempting to limit access permissions to cloudfront only. My current configuration:

{
	"Version": "2008-10-17",
	"Id": "PolicyForCloudFrontPrivateContent",
	"Statement": [
		{
			"Sid": "AllowCloudFrontServicePrincipal",
			"Effect": "Allow",
			"Principal": {
				"Service": "cloudfront.amazonaws.com"
			},
			"Action": "s3:GetObject",
			"Resource": "arn:aws:s3:::MYBUCKET/*",
			"Condition": {
				"StringEquals": {
					"AWS:SourceArn": "DISTRIBUTION_ARN/"
				}
			}
		}
	]
}

But this does not allow cloudfront access and returns a 403 Forbidden error. How can I fix this?

Topics
StorageNetworking & Content Delivery
Tags
Amazon Simple Storage ServiceAmazon CloudFront
Language
English
rePost-User-1591848
asked a year ago336 views
1 Answer
0
Accepted Answer

You haven't mentioned whether you're trying to use Origin Access Control (OAC), or Origin Access Identity (OAI - legacy).

However, the policy that you've provided looks almost correct for OAC, except for the Condition key which should look like this (no trailing slash):

AWS:SourceArn": "arn:aws:cloudfront::<AWS account ID>:distribution/<CloudFront distribution ID>"

Please take a look at the documentation for more information, particularly the section on SSE-KMS, if you're using that on your bucket

Note also that in the Cloudfront Origin settings, there's an option to copy a pre-populated policy statement that you can insert into your S3 bucket policy.

AWS
EXPERT
Paul_L
answered a year ago
profile picture
EXPERT
Antonio_Lagrotteria
reviewed a year ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content