- Newest
- Most votes
- Most comments
Apparently, the issue was from how i was naming the object in the bucket. I added a timestamp in ISO8601 format to each objects' name when creating the s3 presignedUrl for the PUT request. So when cloudfront tries to access it, it changes the some of those weird characters in the date string, and as a result, s3 denies access. Because the object cloudfront is trying to access doesn't exist. Thanks for the help
I'm not sure, but you need asterisk after bucket name in Resource section as bellow.
"Resource": "arn:aws:s3:::S3 bucket/*"
i did that. It got removed when posting the comment
It does not matter who puts the object in the bucket. What matter is who has GET access to the object. If I understand your question, you want to be able to restrict access to your S3 bucket so that objects can be accessed only through your Amazon CloudFront distribution. If that's your intention, here is how to achieve that: https://aws.amazon.com/premiumsupport/knowledge-center/cloudfront-access-to-amazon-s3/
I already did that. But i am unable to access the object PUT by that user. The only way i can get access to an object in the bucket using cloudfront, is id i upload that object directly from the s3 console. Once i try to do that outside the console (programmatically) i am denied access. Here's a snippet of my bucket policy in case i am doing anything wrong: { "Version": "2012-10-17", "Id": "Policy1638646826561", "Statement": [ { "Sid": "Stmt1638646778880", "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam:: non root IAM user" }, "Action": [ "s3:DeleteObject", "s3:GetObject", "s3:PutObject" ], "Resource": "arn:aws:s3:::S3 bucket/" }, { "Sid": "Stmt1638646824013", "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity someOAI" }, "Action": "s3:GetObject", "Resource": "arn:aws:s3:::S3 bucket/" } ] }
The bucket policy snippet you provided allows ANYONE with the cloudfront distribution to READ specific objects from the specified bucket.
The part of the bucket policy restricting s3 actions to a non root IAM user only applies from the console, CLI or API calls made to S3 service. You probably want to update it to something like
"Action": [
"s3:Get*",
"s3:List*",
"s3:Put*"
],
Note: There is no link between CloudFront access (using OAI) and the IAM user.
You mentioned using a presigned URL to restrict who can access the file - here are a couple of other things to look out for:
- ensure that you create the presigned URL using your non root IAM user - that is the context in which it is created and it 'inherits' the security policy of that user
- when creating a distribution and selecting the S3 origin with a bucket - select “Forward all query params, cache based on all” on the Query String Forwarding and Caching part, as S3 signed URLs utilize query parameters for the signature
- you may need to update the CloudFront distribution so that the origin S3 url contains the correct region, for example if you simply select a bucket it will be something like
cf-signed-url.s3.amazonaws.comhowever the S3 signed URL is actually something likecf-signed-url.s3-eu-west-2.amazonaws.com, so manually update the origin as required
Relevant content
- asked a year ago
- asked 2 years ago
- asked 2 years ago
AWS OFFICIALUpdated a year ago- AWS OFFICIALUpdated 8 months ago
- AWS OFFICIALUpdated 7 months ago
- AWS OFFICIALUpdated 7 months ago
The user that is doing the PUT is from the same AWS account of the S3 bucket? If you are doing a signed url GET to the S3 object and you are using cloudfront, what is the endpoint/fqdn that you are using to craft the signed url?