Ahmed

Reputation: 1359

How to make a public bucket only accessible from cloudfront without OAI?

I have a bucket that contains some images. The bucket is publicly accessible using the following policy.

{
    "Version": "2008-10-17",
    "Id": "s3BucketPolicy",
    "Statement": [
        {
            "Sid": "1",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::Bucketname/*"
        }
    ]
}

Also, I have a CloudFront distribution that points to the same bucket. My problem now is that my file is accessible from both the CloudFront link and the bucket link.

CloudFront link: www.xxxxxx.xxxx/xxxx
Bucket link: www.bucketname/xxx

My question is: how can I make my bucket publicly accessible through CloudFront only? I don't want signed URLs or cookies. I want anyone with the CloudFront link to be able to access the image, and I want to prevent anyone with the bucket link from accessing the image.

Upvotes: 0

Views: 277

Answers (1)

jarmod

Reputation: 78573

Change the S3 bucket policy principal to the OAI of the CloudFront Distribution. For example:

{
    "Version": "2008-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity ABCDABCDABCDAB"
            },
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::mybucket/*"
        }
    ]
}

This will prevent access to the bucket contents outside of CloudFront. You don't need signed URLs here. See the documentation for more details.

Upvotes: 1
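The practical risk in the question is that the original policy has `"Principal": "*"` with no condition, so every object is readable by anyone on the internet, whatever CloudFront does in front of it. The following added example (not from the question or the answer above) is a small checker that flags such anonymous Allow statements, and a generator for the replacement bucket policy. The OAI form is the one the answer gives; the second generator shows the same restriction with CloudFront Origin Access Control (the service principal `cloudfront.amazonaws.com` scoped to one distribution ARN), which is AWS's newer mechanism and is not mentioned on this page. The bucket name `mybucket`, the OAI id `ABCDABCDABCDAB` (reused from the answer) and the distribution ARN are placeholders; the public policy is a constructed copy of the one in the question.

```python
import json

# Constructed copy of the public policy from the question.
PUBLIC_POLICY = {
    "Version": "2008-10-17",
    "Id": "s3BucketPolicy",
    "Statement": [
        {
            "Sid": "1",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::Bucketname/*",
        }
    ],
}


def _principals(principal):
    """Flatten a Principal element ("*", {"AWS": "..."}, {"AWS": [...]}) to a list of strings."""
    if isinstance(principal, str):
        return [principal]
    out = []
    for value in principal.values():
        out.extend([value] if isinstance(value, str) else value)
    return out


def anonymous_statements(policy):
    """Return the Sids (or statement indexes) of Allow statements usable by any caller.

    A statement is anonymous when its Principal is "*" or {"AWS": "*"} and it
    carries no Condition narrowing the caller. Restricting the bucket to
    CloudFront means this list must come back empty.
    """
    found = []
    for idx, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if "*" in _principals(stmt.get("Principal", {})) and not stmt.get("Condition"):
            found.append(stmt.get("Sid", str(idx)))
    return found


def cloudfront_oai_policy(bucket, oai_id):
    """Policy from the answer: only the distribution's Origin Access Identity may GetObject.

    oai_id is the placeholder identity id; the ARN format is the one AWS uses for OAIs.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowCloudFrontOAIRead",
                "Effect": "Allow",
                "Principal": {
                    "AWS": f"arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity {oai_id}"
                },
                "Action": "s3:GetObject",
                "Resource": f"arn:aws:s3:::{bucket}/*",
            }
        ],
    }


def cloudfront_oac_policy(bucket, distribution_arn):
    """Same restriction with Origin Access Control (not covered on the page).

    The CloudFront service principal is allowed, but only when the request is
    made on behalf of the one distribution named in AWS:SourceArn.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowCloudFrontServicePrincipalRead",
                "Effect": "Allow",
                "Principal": {"Service": "cloudfront.amazonaws.com"},
                "Action": "s3:GetObject",
                "Resource": f"arn:aws:s3:::{bucket}/*",
                "Condition": {"StringEquals": {"AWS:SourceArn": distribution_arn}},
            }
        ],
    }


if __name__ == "__main__":
    print("anonymous statements in original policy:", anonymous_statements(PUBLIC_POLICY))
    fixed = cloudfront_oai_policy("mybucket", "ABCDABCDABCDAB")  # placeholder values
    print("anonymous statements after fix:", anonymous_statements(fixed))
    print(json.dumps(fixed, indent=2))
```

Once the OAI (or OAC) policy is in place, also enable S3 Block Public Access on the bucket: it rejects any later attempt to re-add a `"Principal": "*"` statement, so the checker above cannot silently start returning results again.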
