By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post

CloudFront Origin Path

1

I do have a S3 bucket with 2 directories on top level:

  • public
  • private

and I want do use CloudFront to serve only a the files of the "public" directory so I've setup the "Origin Path" of my distribution to that folder. It works like expected but I'm wondering if the "private" directory is also distributed (but not reachable due to that specific origin path of the CF distribution)?

I really don't want the private folder to get distributed or be public reachable in any way.

So the question is: does only the stuff under "origin path" gets distributed or the whole S3 bucket?

Best regards Daniel

Topics
StorageNetworking & Content Delivery
Tags
Amazon Simple Storage ServiceAmazon CloudFront
Language
English
Daniel
asked 2 years ago1463 views
1 Answer
2
Accepted Answer

Assuming that the S3 bucket is private and that an OAI has been created. In the bucket policy, add the prefix "public" to the ARN :

"Resource": "arn:aws:s3:::mybucket/public/*"

You could also add an explicit deny statement:

{
    "Effect": "Deny",
    "Principal": {
        "AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity ABCDEFGHIJ1234"
    },
    "Action": "s3:*",
    "Resource": "arn:aws:s3:::mybucket/private/*"
}
profile pictureAWS
EXPERT
kentrad
answered 2 years ago
  • Daniel
    2 years ago

    Ok, OAI has already been created and I've updated the bucket policy regarding to your answer (finetuned the "Allow" statement and added also the "Deny" statement.

    Do you mean that this explicitly prevents distribution of the "private" directory? I just want to be sure.

  • MG
    2 years ago

    With this bucket policy, CloudFront has no access to the private directory.

  • kentrad EXPERT
    2 years ago

    Also, look at the S3 Access Analyzer to see if any other policy is allowing access to the 'private' prefix.

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content