
Cross account delegation for cloudfront

0

Hi, I'm just curious whether it's possible to allow cross-account access for CloudFront. Let's assume that we have a domain name, cloudwatch.com, in account A, and I want to point this domain to the CloudFront distribution (account B). (Note: I have multiple subdomains in Route 53, and I don't want the subdomains to point to account B.)

Best Regards,

asked 2 years ago1.5K views
3 Answers
3
Accepted Answer

Yes, your Route 53 hosted zone and the CloudFront distribution it references can be in different accounts. You could of course simply do it with a CNAME but, even better, as described in https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/resource-record-sets-values-alias-common.html you can use an Alias record. You won't see the distribution in a console drop-down to select it as the Alias target, but you can still manually enter the target.

EXPERT
answered 2 years ago
EXPERT
reviewed 2 years ago
EXPERT
reviewed 2 years ago
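The accepted answer's approach, as an added example that is not part of the original thread: a small Python helper that builds the change batch `aws route53 change-resource-record-sets --change-batch file://...` expects for an apex alias to a distribution in another account, and an audit function that lists which records in a zone alias to CloudFront so you can confirm only the apex moved and no subdomain points at account B. The hosted zone ID `Z2FDTNDATAQYW2` is CloudFront's fixed alias zone ID and is the same for every distribution in every account; the distribution domain name, zone names and IPs are constructed placeholders. It assumes the distribution in account B already lists the apex as an alternate domain name with a matching certificate, otherwise CloudFront answers the aliased requests with a 403.

```python
"""Build and audit a Route 53 alias record for a CloudFront distribution in another account."""
import json

# CloudFront's fixed alias hosted zone ID: identical for every distribution, in every account.
CLOUDFRONT_HOSTED_ZONE_ID = "Z2FDTNDATAQYW2"


def cloudfront_alias_change_batch(apex_domain, distribution_domain, action="UPSERT"):
    """Return the ChangeBatch for `aws route53 change-resource-record-sets`.

    Creates an A and an AAAA alias at the apex, both targeting the distribution.
    Route 53 only needs the dXXXX.cloudfront.net hostname plus the fixed hosted zone ID,
    which is why the distribution may live in a different account than the zone.
    """
    if not distribution_domain.rstrip(".").endswith(".cloudfront.net"):
        raise ValueError("alias target must be the distribution's *.cloudfront.net domain name")
    changes = []
    for rrtype in ("A", "AAAA"):
        changes.append({
            "Action": action,
            "ResourceRecordSet": {
                "Name": apex_domain.rstrip(".") + ".",
                "Type": rrtype,
                "AliasTarget": {
                    "HostedZoneId": CLOUDFRONT_HOSTED_ZONE_ID,
                    "DNSName": distribution_domain.rstrip(".") + ".",
                    # Route 53 cannot health-check CloudFront targets; true is rejected.
                    "EvaluateTargetHealth": False,
                },
            },
        })
    return {"Comment": "apex -> CloudFront distribution in account B", "Changes": changes}


def cloudfront_targets(record_sets):
    """Return the set of record names that alias to CloudFront.

    `record_sets` is the ResourceRecordSets list from `aws route53 list-resource-record-sets`.
    Run it after the change to verify that only the apex aliases to CloudFront and that
    every subdomain still points where it did before.
    """
    names = set()
    for rrset in record_sets:
        alias = rrset.get("AliasTarget")
        if alias and alias.get("HostedZoneId") == CLOUDFRONT_HOSTED_ZONE_ID:
            names.add(rrset["Name"].rstrip("."))
    return names


# Constructed sample of a zone listing after the change (placeholder names and addresses).
SAMPLE_ZONE = [
    {"Name": "cloudwatch.com.", "Type": "A",
     "AliasTarget": {"HostedZoneId": CLOUDFRONT_HOSTED_ZONE_ID,
                     "DNSName": "d111111abcdef8.cloudfront.net.", "EvaluateTargetHealth": False}},
    {"Name": "cloudwatch.com.", "Type": "AAAA",
     "AliasTarget": {"HostedZoneId": CLOUDFRONT_HOSTED_ZONE_ID,
                     "DNSName": "d111111abcdef8.cloudfront.net.", "EvaluateTargetHealth": False}},
    {"Name": "api.cloudwatch.com.", "Type": "A", "TTL": 300,
     "ResourceRecords": [{"Value": "203.0.113.10"}]},
    {"Name": "app.cloudwatch.com.", "Type": "CNAME", "TTL": 300,
     "ResourceRecords": [{"Value": "app-lb.example.internal."}]},
]

if __name__ == "__main__":
    print(json.dumps(cloudfront_alias_change_batch("cloudwatch.com",
                                                   "d111111abcdef8.cloudfront.net"), indent=2))
    print("records aliasing to CloudFront:", sorted(cloudfront_targets(SAMPLE_ZONE)))
```

Save the printed JSON to a file and pass it with `--change-batch file://apex.json --hosted-zone-id <zone in account A>`; the caller only needs Route 53 permissions in account A, nothing in account B.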
2

Hi,

You can have cross-account origin setup with CloudFront: see https://dlim716.medium.com/aws-cloudfront-cross-account-s3-origin-setup-99dcaa51e39d

Best,

Didier

EXPERT
answered 2 years ago
1

Hi cy choi

The issue is that by default, CloudFront distributions can't directly access resources in different accounts. You'll need to configure IAM roles or bucket policies to grant CloudFront access to the S3 bucket.

In addition, you want to maintain subdomains within Route 53 (account A) pointing elsewhere, which adds some complexity to the setup.

Verify IAM Permissions:

Bucket Policy (Account A): Ensure the S3 bucket policy in account A grants access to CloudFront in account B. You'll need to include the CloudFront origin identity as a principal in the policy document.

Reference: https://docs.aws.amazon.com/whitepapers/latest/secure-content-delivery-amazon-cloudfront/s3-origin-with-cloudfront.html

IAM Role (Account B): If using an IAM role with CloudFront, verify the trust policy in account B allows CloudFront to assume the role.

Reference: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/security_iam_service-with-iam.html

Check CloudFront Origin Settings:

Origin Access Identity (OAI): Ensure the CloudFront distribution in account B has a properly configured OAI. This grants access to the S3 bucket based on the IAM permissions in account A.

Review Route 53 Configuration:

Subdomain Routing: Double-check that Route 53 in account A has separate A records or Alias records pointing your desired subdomains to their respective destinations, while the main domain (cloudwatch.com) points to the CloudFront distribution.

Additional Resources:

Troubleshooting CloudFront Identity and Access: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/security_iam_troubleshoot.html

Troubleshooting Distribution Issues:

https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/Troubleshooting.html

EXPERT
answered 2 years ago
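The bucket-policy part of the answer above, as an added example that is not part of the original thread: a Python helper that generates the S3 bucket policy account A needs for a CloudFront distribution in account B, in the origin access identity model the answer describes and in the origin access control model AWS now recommends in its place, plus a linter for the mistakes that turn such a policy into a public or over-broad grant. In both models the grant lives entirely in the bucket policy in account A; the OAI ID, account ID, distribution ID and bucket name are constructed placeholders.

```python
"""Generate and lint S3 bucket policies that let a CloudFront distribution in another
account read objects from a bucket in this account."""
import json


def oai_bucket_policy(bucket, oai_id):
    """Legacy origin access identity model: the principal is the OAI itself.

    Account B's account ID never appears; whoever controls that OAI can read the bucket.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowCloudFrontOAIRead",
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity {oai_id}"},
            "Action": "s3:GetObject",
            "Resource": f"arn:aws:s3:::{bucket}/*",
        }],
    }


def oac_bucket_policy(bucket, distribution_account, distribution_id):
    """Origin access control model: allow the CloudFront service principal, but only when
    the request comes from one specific distribution ARN.

    Without the AWS:SourceArn condition any distribution in any AWS account could be
    pointed at this bucket and read it (confused deputy), so the linter below flags that.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowCloudFrontServicePrincipalReadOnly",
            "Effect": "Allow",
            "Principal": {"Service": "cloudfront.amazonaws.com"},
            "Action": "s3:GetObject",
            "Resource": f"arn:aws:s3:::{bucket}/*",
            "Condition": {"StringEquals": {
                "AWS:SourceArn": f"arn:aws:cloudfront::{distribution_account}:distribution/{distribution_id}"
            }},
        }],
    }


def policy_findings(policy):
    """Return a list of findings for the Allow statements of a bucket policy (empty = clean)."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        principal = stmt.get("Principal")
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else list(actions)
        if principal == "*" or principal == {"AWS": "*"}:
            findings.append(f"{sid}: wildcard principal makes the bucket publicly readable")
        if principal == {"Service": "cloudfront.amazonaws.com"}:
            condition = json.dumps(stmt.get("Condition", {})).lower()
            if "aws:sourcearn" not in condition:
                findings.append(f"{sid}: CloudFront service principal without an "
                                "AWS:SourceArn condition lets any account's distribution read the bucket")
        if any(a == "s3:*" or a.startswith("s3:Put") or a.startswith("s3:Delete") for a in actions):
            findings.append(f"{sid}: grants write or delete, CloudFront only needs s3:GetObject")
    return findings


if __name__ == "__main__":
    # Placeholder identifiers, not real resources.
    print(json.dumps(oac_bucket_policy("account-a-bucket", "222222222222", "EDFDVBD6EXAMPLE"), indent=2))
    print("findings:", policy_findings(oac_bucket_policy("account-a-bucket", "222222222222", "EDFDVBD6EXAMPLE")))
```

Apply the generated document with `aws s3api put-bucket-policy --bucket account-a-bucket --policy file://policy.json` using account A credentials; the distribution in account B needs no IAM role for this, only the OAI or OAC attached to its S3 origin.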
