使用 AWS re:Post 即表示您同意 AWS re:Post 使用條款
AWS re:Postre:Post

CloudFront Origin Path

1

I do have a S3 bucket with 2 directories on top level:

  • public
  • private

and I want do use CloudFront to serve only a the files of the "public" directory so I've setup the "Origin Path" of my distribution to that folder. It works like expected but I'm wondering if the "private" directory is also distributed (but not reachable due to that specific origin path of the CF distribution)?

I really don't want the private folder to get distributed or be public reachable in any way.

So the question is: does only the stuff under "origin path" gets distributed or the whole S3 bucket?

Best regards Daniel

主題
儲存空間網路與內容交付
標籤
Amazon Simple Storage ServiceAmazon CloudFront
語言
English
Daniel
已提問 2 年前檢視次數 1487 次
1 個回答
2
已接受的答案

Assuming that the S3 bucket is private and that an OAI has been created. In the bucket policy, add the prefix "public" to the ARN :

"Resource": "arn:aws:s3:::mybucket/public/*"

You could also add an explicit deny statement:

{
    "Effect": "Deny",
    "Principal": {
        "AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity ABCDEFGHIJ1234"
    },
    "Action": "s3:*",
    "Resource": "arn:aws:s3:::mybucket/private/*"
}
profile pictureAWS
專家
kentrad
已回答 2 年前
  • Daniel
    2 年前

    Ok, OAI has already been created and I've updated the bucket policy regarding to your answer (finetuned the "Allow" statement and added also the "Deny" statement.

    Do you mean that this explicitly prevents distribution of the "private" directory? I just want to be sure.

  • MG
    2 年前

    With this bucket policy, CloudFront has no access to the private directory.

  • kentrad 專家
    2 年前

    Also, look at the S3 Access Analyzer to see if any other policy is allowing access to the 'private' prefix.

您尚未登入。 登入 去張貼答案。

一個好的回答可以清楚地回答問題並提供建設性的意見回饋,同時有助於提問者的專業成長。

回答問題指南

相關內容