Reputation: 2756
I'm trying to give access to a specific IAM user to a particular CloudFront distribution. I've tried with this policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1428659042000",
      "Effect": "Allow",
      "Action": ["cloudfront:*"],
      "Resource": ["arn:aws:cloudfront:E3J2B3GMZI73G0"]
    }
  ]
}
The AWS IAM policy checker says the ARN is invalid. As per the documentation on IAM restrictions on CloudFront, AWS doesn't give any example of restricting access to specific distributions. They always refer to:
"Resource":"*"
Ideas on how to give a particular user access to a concrete CloudFront distribution?
Upvotes: 28
Views: 10273
Reputation: 5114
Preface: This question seems to have been asked in 2015 and as I'm writing this answer it's now 2023 so quite a few years have passed, which is why I decided not to take the answer given here for granted but test for myself whether this works or not...
I'm happy to report that creating an IAM account whose access is restricted to a single CloudFront distribution is possible nowadays!
Here is the custom permission policy I just wrote and successfully tested:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "cloudfront:List*"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "cloudfront:Get*"
      ],
      "Resource": "arn:aws:cloudfront::274094101538:distribution/EW8C6OEXKT4EI"
    }
  ]
}
This policy allowed me to login to the AWS web console, navigate to the CloudFront service, get a listing of available distributions, and navigate to a page with the details of one distribution (EW8C6OEXKT4EI in this case).
Upvotes: 3
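To make the difference between the two policies in this thread concrete, here is an added offline checker (example code written for this page, not code from the question or either answer, and not AWS's own evaluation engine). It validates the shape of a CloudFront resource ARN, which shows why the question's "arn:aws:cloudfront:E3J2B3GMZI73G0" is rejected (four colon-separated fields instead of six, no account, no "distribution/" resource type), and it runs a deliberately small Allow/Deny + wildcard evaluation over the 2023 answer's policy to show that Get* is confined to the one distribution while List* is not. It assumes only the two CloudFront ARN resource types it names and ignores Condition, Principal, NotAction and NotResource; the second distribution ID is a constructed sample.

```python
"""Offline checker for CloudFront IAM policy statements (added example).

Models only the Allow/Deny + wildcard subset of IAM evaluation: no Condition,
Principal, NotAction or NotResource.  Good enough to reason about the two
policies in this thread; the real check is the IAM policy simulator.
"""
import fnmatch
import json
import re

# CloudFront is a global service: the region field of the ARN is empty and the
# resource part is "<type>/<id>".  Checking only these two resource types is an
# assumption of this example; AWS documents the full list.
_CF_ARN = re.compile(
    r"^arn:aws:cloudfront::(?P<account>\d{12}):"
    r"(?P<type>distribution|origin-access-identity)/(?P<id>[A-Z0-9]+)$"
)


def validate_cloudfront_arn(arn):
    """Return (ok, reason); the reason explains why an ARN is rejected."""
    if arn == "*":
        return True, "wildcard resource"
    fields = arn.split(":")
    if len(fields) != 6:
        return False, "an ARN needs 6 colon-separated fields, got %d" % len(fields)
    if not _CF_ARN.match(arn):
        return False, "expected arn:aws:cloudfront::<12-digit account>:<type>/<id>"
    return True, "ok"


def _as_list(value):
    # IAM allows Action/Resource to be either a string or a list of strings.
    return [value] if isinstance(value, str) else list(value)


def invalid_resource_arns(policy):
    """Every Resource entry in the policy that is not a valid CloudFront ARN."""
    return [arn for stmt in policy["Statement"]
            for arn in _as_list(stmt["Resource"])
            if not validate_cloudfront_arn(arn)[0]]


def _matches(patterns, value, case_sensitive):
    # IAM wildcards are "*" and "?", which fnmatch implements directly.
    for pattern in patterns:
        p, v = (pattern, value) if case_sensitive else (pattern.lower(), value.lower())
        if fnmatch.fnmatchcase(v, p):
            return True
    return False


def is_allowed(policy, action, resource):
    """True if the policy grants `action` on `resource`; an explicit Deny wins."""
    allowed = False
    for stmt in policy["Statement"]:
        # Action names are case-insensitive in IAM; resource ARNs are not.
        if not _matches(_as_list(stmt["Action"]), action, case_sensitive=False):
            continue
        if not _matches(_as_list(stmt["Resource"]), resource, case_sensitive=True):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


# The two policies from the thread, exactly as posted.
QUESTION_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Sid": "Stmt1428659042000", "Effect": "Allow",
                 "Action": ["cloudfront:*"],
                 "Resource": ["arn:aws:cloudfront:E3J2B3GMZI73G0"]}]
}""")

ANSWER_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["cloudfront:List*"], "Resource": "*"},
    {"Effect": "Allow", "Action": ["cloudfront:Get*"],
     "Resource": "arn:aws:cloudfront::274094101538:distribution/EW8C6OEXKT4EI"}
  ]
}""")

DIST_ARN = "arn:aws:cloudfront::274094101538:distribution/EW8C6OEXKT4EI"
# Constructed ID for a second distribution in the same account that the
# restricted user must NOT be able to read.
OTHER_ARN = "arn:aws:cloudfront::274094101538:distribution/EXAMPLE0OTHER"

if __name__ == "__main__":
    print("invalid ARNs in the question's policy:",
          invalid_resource_arns(QUESTION_POLICY))
    for action, res in [("cloudfront:ListDistributions", "*"),
                        ("cloudfront:GetDistribution", DIST_ARN),
                        ("cloudfront:GetDistribution", OTHER_ARN),
                        ("cloudfront:UpdateDistribution", DIST_ARN)]:
        print("%-30s %-14s -> %s" % (action, res.rsplit("/", 1)[-1],
                                     is_allowed(ANSWER_POLICY, action, res)))
```

The point of the evaluation is the Get* statement: it only fires for the single distribution ARN, so a second distribution in the same account yields False, and anything outside Get*/List* (UpdateDistribution, CreateInvalidation) yields False as well. Before relying on a policy like this, confirm it against the real engine, for example with `aws iam simulate-custom-policy --policy-input-list file://policy.json --action-names cloudfront:GetDistribution --resource-arns <the distribution ARN>`, and check that the same call for a different distribution ARN comes back as implicitDeny.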
Reputation: 64701
Resource-level AWS Identity and Access Management (IAM) permissions are unfortunately not yet supported by all AWS services, and Amazon CloudFront indeed doesn't as per the overview table in AWS Services That Support IAM, which is also explicitly confirmed within CloudFront Resources:
You use an asterisk (*) as the resource when writing a policy to control access to CloudFront actions. This is because you can't use IAM to control access to specific CloudFront resources. For example, you can't give users access to a specific distribution. Permissions granted using IAM include all the resources you use with CloudFront. Because you cannot specify the resources to control access to, there are no CloudFront resource ARNs (Amazon Resource Names) for you to use in an IAM policy. [...] [emphasis mine]
Upvotes: 32