Reputation: 20138
Allow CloudFront to access S3 origin while also having S3 bucket Block all public access?
I am trying to setup the S3 buckets I want my CloudFront distribution to access.
From my client I use AWS mobile SDK to upload to S3. When clients consume files from S3 I hit CloudFront and things worked until I made this change:
When I created the distribution, I had CloudFront update the bucket policy to have the OAI included in the principal:
So, then I thought I could run GET calls on CloudFront, because CloudFront has the OAI setup and S3 bucket reflects that.
However, I keep getting Access denied:
What else do I need to do to secure down the bucket and only allow CloudFront to read and allow my client app to be able to upload files to it using the SDK configured with the poolId I have setup for it?. Unless I leave the "Block all public access" unchecked, I get access denied via CloudFront.
Upvotes: 3
Views: 3084
Answers (1)
Reputation: 35146
Unfortunately according to the documentation the following is stated:
Amazon S3 Block Public Access must be disabled on the bucket.
This is because it will ignore the bucket policy due to the Block public and cross-account access to buckets and objects through any public bucket or access point policies value.
Unless your bucket policy also allows anonymous GetObject by default your objects will not be public.
Upvotes: 2
Related Questions
- Adding S3 Bucket Policy for any Cloudfront Origin Access Idenity
- Creating an S3 bucket policy that allows access to Cloudfront but restricts access to anyone else
- Allow only CloudFront to read from origin servers?
- Block public access on S3, accessible from Cloudfront?
- CloudFront - Editing Origin - Restrict Bucket Access
- Restrict Amazon S3 to CloudFront and http referrer
- How to restrict access to origin for CloudFront only?
- How to make a public bucket only accessible from cloudfront without OAI?
- AWS S3 and CloudFront Restrict Bucket Access
- How to allow CloudFront to access certain S3?