You need to set up origin access control (OAC). This will allow the S3 bucket to be accessed by your CloudFront distribution.
Please follow this guide.
Hi,
What you want to achieve is fully detailed at https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-signed-urls.html
I also recommend this very detailed article on the matter: https://aps08.medium.com/unleashing-the-power-of-cloudfront-mastering-pre-signed-urls-for-secure-content-delivery-9f2c52d51aa6
Best,
Didier
When using Amazon S3 origins with CloudFront, you can use CloudFront Origin Access Control (OAC) to secure Amazon S3 bucket access. When setting up OAC, CloudFront will provide an IAM policy that can be used in your Amazon S3 bucket policy. The bucket policy creates a service principal that allows your CloudFront distribution to authenticate with Amazon S3. By allowing the CloudFront service principal the s3:GetObject action in the bucket policy, Amazon S3 allows the CloudFront distribution to access the content [1].
[+] Restricting access to an Amazon Simple Storage Service origin - https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-restricting-access-to-s3.html
Once the S3 permissions are given to the CloudFront service principal in your Amazon S3 bucket policy, to access your S3 objects through CloudFront, combine the domain name for your CloudFront distribution with the S3 object key name [2]. For example, your distribution domain name might look like this: "d111111abcdef8.cloudfront.net", and the path to the S3 object could be "/examplefolder/dummy_file.txt".
Therefore, the URL to access your content through CloudFront might look like this: https://d111111abcdef8.cloudfront.net/examplefolder/dummy_file.txt. For more information on serving HTTPS requests for your S3 bucket, refer to the AWS guide [3]. In this way, you are not required to create S3 presigned URLs for each object individually, and the objects are also private in nature (i.e. objects cannot be accessed directly using the Object URL publicly without authentication).
I am adding an AWS guide here for your reference on restricting access to an Amazon S3 bucket using CloudFront distribution:
https://repost.aws/knowledge-center/cloudfront-access-to-amazon-s3
==== References ====
[1]: https://docs.aws.amazon.com/whitepapers/latest/secure-content-delivery-amazon-cloudfront/s3-origin-with-cloudfront.html
[2]: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/GettingStartedAccessingDistributions.html
[3]: https://repost.aws/knowledge-center/cloudfront-https-requests-s3
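As an added illustration of the bucket policy described in the answer above (example code written for this page, not taken from the answer or from AWS), the following builds the read-only OAC bucket policy that grants s3:GetObject to the cloudfront.amazonaws.com service principal, and then checks an arbitrary bucket policy for the two mistakes that defeat the point of OAC: a public `"Principal": "*"` grant, or a CloudFront grant without the AWS:SourceArn condition that pins it to one distribution. The bucket name, account ID and distribution ID are constructed placeholders.

```python
import json

# Constructed placeholder values (not from the page); substitute your own.
BUCKET = "example-bucket"
ACCOUNT_ID = "111122223333"
DISTRIBUTION_ID = "EDFDVBD6EXAMPLE"
CLOUDFRONT_PRINCIPAL = "cloudfront.amazonaws.com"


def build_oac_bucket_policy(bucket: str, account_id: str, distribution_id: str) -> dict:
    """Bucket policy for an OAC origin: read-only access for the CloudFront
    service principal, scoped to one distribution via AWS:SourceArn."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowCloudFrontServicePrincipalReadOnly",
                "Effect": "Allow",
                "Principal": {"Service": CLOUDFRONT_PRINCIPAL},
                "Action": "s3:GetObject",
                "Resource": f"arn:aws:s3:::{bucket}/*",
                "Condition": {
                    "StringEquals": {
                        "AWS:SourceArn": f"arn:aws:cloudfront::{account_id}:distribution/{distribution_id}"
                    }
                },
            }
        ],
    }


def _as_list(value):
    """IAM allows a string or a list in many fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def check_oac_policy(policy: dict) -> list:
    """Return findings for a bucket policy intended for use with OAC.
    An empty list means the policy has the expected shape."""
    findings = []
    saw_cloudfront = False
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only tighten access; not inspected here
        sid = stmt.get("Sid", "<no Sid>")
        principal = stmt.get("Principal")
        if principal == "*" or principal == {"AWS": "*"}:
            findings.append(f"{sid}: public Principal '*' lets objects be read without going through CloudFront")
            continue
        services = _as_list(principal.get("Service")) if isinstance(principal, dict) else []
        if CLOUDFRONT_PRINCIPAL not in services:
            continue
        saw_cloudfront = True
        extra = [a for a in _as_list(stmt.get("Action")) if a != "s3:GetObject"]
        if extra:
            findings.append(f"{sid}: CloudFront is granted more than s3:GetObject: {extra}")
        source_arn = stmt.get("Condition", {}).get("StringEquals", {}).get("AWS:SourceArn")
        if not source_arn:
            findings.append(f"{sid}: missing AWS:SourceArn condition; the grant is not pinned to your distribution")
        elif not source_arn.startswith("arn:aws:cloudfront::"):
            findings.append(f"{sid}: AWS:SourceArn is not a CloudFront distribution ARN: {source_arn}")
    if not saw_cloudfront:
        findings.append(f"no Allow statement for the {CLOUDFRONT_PRINCIPAL} service principal")
    return findings


if __name__ == "__main__":
    policy = build_oac_bucket_policy(BUCKET, ACCOUNT_ID, DISTRIBUTION_ID)
    print(json.dumps(policy, indent=2))
    print("findings:", check_oac_policy(policy))
```

The checker is deliberately strict about the condition: the service principal is shared by every CloudFront distribution, so the `AWS:SourceArn` condition is what ties the grant to the one distribution you own rather than to CloudFront in general.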