Important: Before you begin, be sure that the Amazon S3 origin of your CloudFront distribution is configured as a REST API endpoint. This resolution doesn't apply to S3 origins that are configured as a website endpoint. For more information, see How do I use CloudFront to serve a static website hosted on Amazon S3?

Option 1 (Best practice): Create a CloudFront origin access control (OAC)

1. From the list of distributions, choose the distribution that serves content from the S3 bucket that you want to restrict access to.
2. Select the S3 origin, and then choose Edit.
3. For Origin Access, select Origin access control settings (recommended).
4. For Origin access control, select an existing OAC, or choose Create control setting.
5. In the dialog box, name your control setting. It's a best practice to keep the default setting as Sign requests (recommended).
6. For S3 bucket access, apply the bucket policy on the S3 bucket.
7. Select Copy policy, and then select Save.
8. Select Go to S3 bucket permissions to take you to the S3 bucket console.
9. In the Amazon S3 console, from your list of buckets, choose the bucket that's the origin of the CloudFront distribution.
10. Under Bucket Policy, confirm that you see a statement similar to the following:

    "Sid": "AllowCloudFrontServicePrincipalReadOnly",
    "AWS:SourceArn": "arn:aws:cloudfront::111122223333:distribution/EDFDVBD6EXAMPLE"

You must add the preceding statement to allow CloudFront OAC to read objects from your bucket.

Note: After you restrict access to your bucket using the CloudFront OAC, you have the option to add another layer of security by integrating AWS WAF.

Option 2: Create a legacy CloudFront origin access identity (OAI)

1. For Origin Access, select Legacy access identities.
2. In the Origin access identity dropdown list, select the origin access identity name, or choose Create new OAI.
3. In the dialog box, name your new origin access identity, and choose Create.
4. For Bucket policy, select Yes, update the bucket policy.
5. In the Amazon S3 console, from your list of buckets, choose the bucket that's the origin of the CloudFront distribution. Confirm that the bucket policy contains a statement similar to the following:

    "AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity EAF5XXXXXXXXX"
    "Resource": "arn:aws:s3:::AWSDOC-EXAMPLE-BUCKET/*"

Note: Review your bucket policy for any statements with "Effect": "Deny" that prevent access to the bucket from the CloudFront OAI.
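As an added example (not the page's or AWS's own code), a Python check that parses a bucket policy, verifies the Option 1 OAC grant for a given distribution is present, and lists the Deny statements the Note tells you to review. The sample policy, its Sids and the VPC endpoint id are constructed for the demonstration.

```python
import json

# Constructed sample bucket policy (assumed, not from the page): the Option 1
# OAC read grant, followed by a Deny that still locks the bucket to a VPC
# endpoint, the kind of statement the Note asks you to review.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowCloudFrontServicePrincipalReadOnly", "Effect": "Allow",
         "Principal": {"Service": "cloudfront.amazonaws.com"},
         "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::AWSDOC-EXAMPLE-BUCKET/*",
         "Condition": {"StringEquals": {"AWS:SourceArn":
             "arn:aws:cloudfront::111122223333:distribution/EDFDVBD6EXAMPLE"}}},
        {"Sid": "DenyUnlessFromVpcEndpoint", "Effect": "Deny",
         "Principal": "*",
         "Action": "s3:*",
         "Resource": "arn:aws:s3:::AWSDOC-EXAMPLE-BUCKET/*",
         "Condition": {"StringNotEquals": {"aws:SourceVpce": "vpce-0123456789example"}}},
    ],
})


def _as_list(value):
    # IAM accepts a single string/object or a list in most fields; normalise.
    return value if isinstance(value, list) else [value]


def check_oac_policy(policy_json, distribution_arn):
    """Return (has_oac_grant, deny_sids_to_review) for an S3 bucket policy.
    The grant is the Option 1 Allow for cloudfront.amazonaws.com on s3:GetObject,
    scoped to distribution_arn via AWS:SourceArn. Deny statements with a wildcard
    principal that cover GetObject override that Allow unless a condition exempts
    CloudFront, so they are returned for review, as the page's Note advises."""
    policy = json.loads(policy_json)
    has_grant, deny_sids = False, []
    for stmt in _as_list(policy.get("Statement", [])):
        principal = stmt.get("Principal", {})
        actions = _as_list(stmt.get("Action", []))
        if stmt.get("Effect") == "Allow" and isinstance(principal, dict):
            services = _as_list(principal.get("Service", []))
            source = stmt.get("Condition", {}).get("StringEquals", {}).get("AWS:SourceArn")
            if ("cloudfront.amazonaws.com" in services and "s3:GetObject" in actions
                    and source == distribution_arn):
                has_grant = True
        elif stmt.get("Effect") == "Deny":
            wildcard = principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*")
            if wildcard and any(a in ("*", "s3:*", "s3:GetObject") for a in actions):
                deny_sids.append(stmt.get("Sid", "<no Sid>"))
    return has_grant, deny_sids
```

IAM treats condition key names case-insensitively, but the lookup here is exact, so normalise key case first if your policies spell it aws:SourceArn.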