CloudFront Origin Path


I do have a S3 bucket with 2 directories on top level:

  • public
  • private

and I want do use CloudFront to serve only a the files of the "public" directory so I've setup the "Origin Path" of my distribution to that folder. It works like expected but I'm wondering if the "private" directory is also distributed (but not reachable due to that specific origin path of the CF distribution)?

I really don't want the private folder to get distributed or be public reachable in any way.

So the question is: does only the stuff under "origin path" gets distributed or the whole S3 bucket?

Best regards Daniel

asked 2 years ago1523 views
1 Answer
Accepted Answer

Assuming that the S3 bucket is private and that an OAI has been created. In the bucket policy, add the prefix "public" to the ARN :

"Resource": "arn:aws:s3:::mybucket/public/*"

You could also add an explicit deny statement:

    "Effect": "Deny",
    "Principal": {
        "AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity ABCDEFGHIJ1234"
    "Action": "s3:*",
    "Resource": "arn:aws:s3:::mybucket/private/*"
profile pictureAWS
answered 2 years ago
  • Ok, OAI has already been created and I've updated the bucket policy regarding to your answer (finetuned the "Allow" statement and added also the "Deny" statement.

    Do you mean that this explicitly prevents distribution of the "private" directory? I just want to be sure.

  • With this bucket policy, CloudFront has no access to the private directory.

  • Also, look at the S3 Access Analyzer to see if any other policy is allowing access to the 'private' prefix.

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions