2
votes

I have followed the documentation on setting up a CloudFront (CF) web distribution to serve private content from my s3 bucket, but despite adjusting the settings in my distribution to do so, my s3 bucket files are still accessible via s3.amazonaws.com/bucket-name/file-name.ext. I was curious why this is still occurring because when I created a CF Origin Access Identity, I selected Yes, Update Bucket Policy, which I thought would take care of closing off the read access via my s3 bucket url, but it hasn't. Did I miss an adjustment that should be made? I assumed that settings I make on CF should adjust my s3 bucket and make it not accessible via GET requests.

Here is my s3 Bucket Policy:

{
    "Version": "2008-10-17",
    "Id": "PolicyForCloudFrontPrivateContent",
    "Statement": [
        {
            "Sid": "1",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity *My-Key-ID*"
            },
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::bucket-name/*"
        }
    ]
}

However, I noticed permissions on the individual files, but wasn't sure what they were related to.


Here are my CF settings:

Distribution:


Origin: (On initial identity creation I picked "Yes, Update Bucket Policy")


Behavior (Top Half):


Behavior (Bottom Half):



1 Answer

3
votes

The bucket policy and object ACLs work together.

Anything allowed by either policy or object ACL is still allowed... except when explicitly denied by the bucket policy.

Your policy allows downloads through CloudFront.

Your object ACLs allow "Everyone" to "open/download" them, thus, anonymous direct access to objects in the bucket will still be allowed.

The most correct solution is to modify the object ACLs to remove the ability for "Everyone" to "open/download," which is clearly not correct if you do not want the objects to be accessible from S3 by anonymous users. In the console, click the × on that "Everyone" entry for an object, and click Save. You should find that this solves the problem.

Future objects should not be uploaded as publicly-readable.

This could also be accomplished using a custom bucket policy to override the object ACLs, but this is an advanced configuration that will break your ability to manipulate objects in the console if done incorrectly and will unnecessarily complicate things.
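The interaction the answer describes (an explicit Deny in the bucket policy wins; otherwise an Allow from either the bucket policy or the object ACL is enough) can be checked with a small model. This is an added example, not code from the question or the answer; it is a deliberately simplified model of S3 authorization (no conditions, no IAM user policies), and `bucket-name` and `*My-Key-ID*` are the placeholders from the question, not real identifiers.

```python
import fnmatch

OAI = "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity *My-Key-ID*"
ANONYMOUS = "*"  # how an unauthenticated (anonymous) requester is represented here

# Constructed policy with the same shape as the one in the question.
BUCKET_POLICY = {
    "Version": "2008-10-17",
    "Statement": [{
        "Sid": "1",
        "Effect": "Allow",
        "Principal": {"AWS": OAI},
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::bucket-name/*",
    }],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _statement_matches(stmt, principal, action, resource):
    """True if the statement's Principal, Action and Resource all cover the request."""
    prin = stmt["Principal"]
    allowed = ["*"] if prin == "*" else _as_list(prin.get("AWS", []))
    if "*" not in allowed and principal not in allowed:
        return False
    return (any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"]))
            and any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])))


def can_get_object(policy, object_acl_public_read, principal, key):
    """Simplified S3 decision for s3:GetObject on one key.

    object_acl_public_read models the console's "Everyone: open/download" entry,
    i.e. a READ grant to the AllUsers group on the object's ACL.
    """
    resource = f"arn:aws:s3:::bucket-name/{key}"
    effects = {s["Effect"] for s in policy["Statement"]
               if _statement_matches(s, principal, "s3:GetObject", resource)}
    if "Deny" in effects:          # explicit deny in the bucket policy always wins
        return False
    if "Allow" in effects:         # bucket policy allows this principal
        return True
    return object_acl_public_read  # otherwise only the object ACL can grant access
```

With the "Everyone" ACL entry present, anonymous downloads succeed regardless of the CloudFront-only bucket policy; removing that entry leaves only the OAI able to read, which is the fix the answer recommends.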