Apparently, the issue was from how I was naming the object in the bucket. I added a timestamp in ISO8601 format to each object's name when creating the S3 presignedUrl for the PUT request. So when CloudFront tries to access it, it changes some of those weird characters in the date string, and as a result S3 denies access, because the object CloudFront is trying to access doesn't exist. Thanks for the help
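As an added illustration of the naming problem described above (this is example code, not something posted in the thread), the following stdlib-only Python builds object keys with a basic ISO 8601 timestamp that contains no ':' or '+', and checks that a key survives URL encoding and decoding unchanged, so the key the uploader PUTs and the path CloudFront requests cannot drift apart. The allow-list, prefix, file name and sample time are constructed for the example; the resulting key is what you would pass as `Key` to boto3's `generate_presigned_url("put_object", ...)`.

```python
from datetime import datetime, timezone
from urllib.parse import quote, unquote

# Constructed allow-list for this example: RFC 3986 unreserved characters
# plus '/' as the folder separator. Anything else risks being rewritten
# by percent-encoding somewhere between the uploader, CloudFront and S3.
SAFE_CHARS = set("abcdefghijklmnopqrstuvwxyz"
                 "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
                 "0123456789-_.~/")


def key_is_url_safe(key: str) -> bool:
    """True if the key is identical before and after URL encoding/decoding.

    A key that encodes to something different (':' -> '%3A', '+' -> '%2B',
    ' ' -> '%20') can be stored under one spelling by the uploader and
    requested under another by an intermediary; S3 then answers 403 for
    what is really a non-existent object.
    """
    return (all(c in SAFE_CHARS for c in key)
            and quote(key, safe="/") == key
            and unquote(key) == key)


def make_object_key(prefix: str, when: datetime, name: str) -> str:
    """Build 'prefix/<basic ISO 8601 UTC stamp>-<name>', e.g.
    'uploads/20240131T235959Z-report.pdf'.

    The basic ISO 8601 form has no colons and no '+00:00' offset,
    unlike datetime.isoformat(), so it needs no percent-encoding.
    """
    stamp = when.astimezone(timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    key = f"{prefix.strip('/')}/{stamp}-{name}"
    if not key_is_url_safe(key):
        raise ValueError(f"object key contains URL-unsafe characters: {key!r}")
    return key


def naive_object_key(prefix: str, when: datetime, name: str) -> str:
    """The pattern from the question: datetime.isoformat() embedded in the key."""
    return f"{prefix.strip('/')}/{when.isoformat()}-{name}"


# Constructed sample time used by the demo below.
SAMPLE_TIME = datetime(2024, 1, 31, 23, 59, 59, tzinfo=timezone.utc)

if __name__ == "__main__":
    safe = make_object_key("uploads", SAMPLE_TIME, "report.pdf")
    naive = naive_object_key("uploads", SAMPLE_TIME, "report.pdf")
    print("safe key :", safe, "->", key_is_url_safe(safe))
    print("naive key:", naive, "->", key_is_url_safe(naive))
    print("naive key as it appears in a URL path:", quote(naive, safe="/"))
```

Run the module directly to see the two keys side by side: the naive key percent-encodes to a different string, the safe key does not. Keeping the check in `make_object_key` means a bad file name fails at URL-generation time instead of as a 403 later.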
I'm not sure, but you need an asterisk after the bucket name in the Resource section as below.
"Resource": "arn:aws:s3:::S3 bucket/*"
It does not matter who puts the object in the bucket. What matters is who has GET access to the object. If I understand your question, you want to be able to restrict access to your S3 bucket so that objects can be accessed only through your Amazon CloudFront distribution. If that's your intention, here is how to achieve that: https://aws.amazon.com/premiumsupport/knowledge-center/cloudfront-access-to-amazon-s3/
The bucket policy snippet you provided allows ANYONE with the cloudfront distribution to READ specific objects from the specified bucket.
The part of the bucket policy restricting S3 actions to a non-root IAM user only applies to console, CLI or API calls made to the S3 service. You probably want to update it to something like
"Action": [ "s3:Get*", "s3:List*", "s3:Put*" ],
Note: There is no link between CloudFront access (using OAI) and the IAM user.
You mentioned using a presigned URL to restrict who can access the file - here are a couple of other things to look out for:
- ensure that you create the presigned URL using your non-root IAM user - that is the context in which it is created and it 'inherits' the security policy of that user
- when creating a distribution and selecting the S3 origin with a bucket - select “Forward all query params, cache based on all” on the Query String Forwarding and Caching part, as S3 signed URLs utilize query parameters for the signature
- you may need to update the CloudFront distribution so that the origin S3 URL contains the correct region; for example, if you simply select a bucket it will be something like cf-signed-url.s3.amazonaws.com, however the S3 signed URL is actually something like cf-signed-url.s3-eu-west-2.amazonaws.com, so manually update the origin as required
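To make the two policy points in this thread concrete (the `/*` after the bucket name, and the fact that the OAI statement and the IAM-user statement are independent grants), here is an added, simplified bucket-policy evaluator in Python. It is example code written for this page, not an AWS library and not the real IAM evaluation engine: it implements only `*`/`?` wildcards on Action and Resource, exact Principal matching, and the explicit-deny-wins / default-deny ordering, and ignores Conditions, NotAction/NotResource and identity-based policies. The bucket name, account id, IAM user name and OAI id are placeholders.

```python
import re

# Placeholders, not real identifiers.
BUCKET = "my-example-bucket"
OAI = "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity EXAMPLE_OAI_ID"
UPLOADER = "arn:aws:iam::123456789012:user/uploader"
BUCKET_ARN = f"arn:aws:s3:::{BUCKET}"
OBJECT_ARN = f"arn:aws:s3:::{BUCKET}/uploads/20240131T235959Z-report.pdf"

# Shape of the policy the answers above are driving at: one statement for
# CloudFront's OAI (objects only), one for the IAM user (bucket and objects).
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "CloudFrontRead", "Effect": "Allow",
         "Principal": {"AWS": OAI},
         "Action": "s3:GetObject",
         "Resource": f"{BUCKET_ARN}/*"},
        {"Sid": "UploaderReadWrite", "Effect": "Allow",
         "Principal": {"AWS": UPLOADER},
         "Action": ["s3:Get*", "s3:List*", "s3:Put*"],
         # ListBucket is evaluated against the bucket ARN, Get/PutObject
         # against object ARNs, so both forms are needed.
         "Resource": [BUCKET_ARN, f"{BUCKET_ARN}/*"]},
    ],
}

# The mistake called out in the thread: bucket ARN with no '/*', which
# never matches an object ARN.
BROKEN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "CloudFrontRead", "Effect": "Allow",
         "Principal": {"AWS": OAI},
         "Action": "s3:GetObject",
         "Resource": BUCKET_ARN},
    ],
}


def _wildcard(pattern: str) -> "re.Pattern[str]":
    """Compile an IAM-style pattern: '*' matches any run, '?' one character."""
    body = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.compile("^" + body + "$")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def principal_matches(stmt_principal, principal: str) -> bool:
    """Exact match on the principal ARN; '*' in either form matches anyone."""
    if stmt_principal == "*":
        return True
    values = []
    for entries in stmt_principal.values():  # {"AWS": ...}, {"Service": ...}
        values.extend(_as_list(entries))
    return "*" in values or principal in values


def statement_matches(stmt: dict, principal: str, action: str, resource: str) -> bool:
    return (principal_matches(stmt.get("Principal", {}), principal)
            and any(_wildcard(a).match(action) for a in _as_list(stmt["Action"]))
            and any(_wildcard(r).match(resource) for r in _as_list(stmt["Resource"])))


def policy_allows(policy: dict, principal: str, action: str, resource: str) -> bool:
    """Explicit Deny wins; otherwise any matching Allow grants; else default deny."""
    matched = [s for s in policy["Statement"]
               if statement_matches(s, principal, action, resource)]
    if any(s["Effect"] == "Deny" for s in matched):
        return False
    return any(s["Effect"] == "Allow" for s in matched)


if __name__ == "__main__":
    checks = [
        ("OAI GetObject on object, correct policy", POLICY, OAI, "s3:GetObject", OBJECT_ARN),
        ("OAI GetObject on object, bucket ARN only", BROKEN_POLICY, OAI, "s3:GetObject", OBJECT_ARN),
        ("OAI PutObject (not granted)", POLICY, OAI, "s3:PutObject", OBJECT_ARN),
        ("uploader PutObject", POLICY, UPLOADER, "s3:PutObject", OBJECT_ARN),
        ("uploader ListBucket on bucket ARN", POLICY, UPLOADER, "s3:ListBucket", BUCKET_ARN),
    ]
    for label, pol, who, act, res in checks:
        print(f"{label}: {policy_allows(pol, who, act, res)}")
```

The interesting rows are the second and the last: with the bucket ARN alone the OAI's `s3:GetObject` on an object is denied, while `s3:ListBucket` for the uploader only succeeds because the statement also lists the bare bucket ARN. Use a model like this to sanity-check a policy's shape before applying it, then confirm the real behaviour with the IAM policy simulator or an actual request.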