
I am trying to use CloudFront to deliver static assets from an S3 bucket. As I originally found it, the bucket was public and had the following public access settings:

[image: the bucket's public access settings as originally found]

Here was the bucket policy as I originally encountered it:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AddPerm",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::<BUCKET_NAME>/*"
        },
        {
            "Sid": "2",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity E3KB5KQ622F9F3"
            },
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::<BUCKET_NAME>/*"
        }
    ]
}

Now here's what I did:

  1. Created a new CloudFront distribution with the appropriate origin domain name and restricted bucket access via creating a new Origin Access Identity.
  2. Updated the S3 bucket policy per their doc examples to restrict access to the canonical user ID. This is what the updated policy looks like:

[image: the updated bucket policy]

  3. Set all of the public access settings to true for the S3 bucket to make it private.

I'm getting access denied whenever I try to access the static resources through the created CDN. In referring to the AWS documentation for restricting S3 bucket access via CloudFront, I'm especially confused about what they want developers to do with the following instructions:

"To specify an origin access identity, use the value of Amazon S3 Canonical User ID 
on the Origin Access Identity page in the CloudFront console." 
Comment (Richard Nienaber): Was the error message possibly cached by CloudFront?

1 Answer


In answer to the question of finding the Amazon S3 Canonical User ID for the Origin Access Identity, you can use the console to browse to CloudFront -> Security -> Origin Access Identity. Alternatively, you can use the CLI to list them:

$ aws cloudfront list-cloud-front-origin-access-identities
{
    "CloudFrontOriginAccessIdentityList": {
        "Items": [
            {
                "Comment": "access-identity-..... ", 
                "S3CanonicalUserId": "e9eeea57c92144d.....", 
                "Id": "XXXXXXXXXXXXX"
            }
        ]
    }
}

You can then use the S3CanonicalUserId value in the policy as you have it in the question.

Interestingly, if you allow CloudFront to update the policy for you, you end up with something slightly different, which you can also use if you update the Origin Access Identity ID.

{
    "Version": "2008-10-17",
    "Id": "PolicyForCloudFrontPrivateContent",
    "Statement": [
        {
            "Sid": "2",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity XXXXXXXXXXXXX"
            },
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::bucket-name/*"
        }
    ]
}

Everything else in the question looks right, so that completes the setup. If you are getting AccessDenied errors, the next step I would recommend is creating an Invalidation to remove objects from the CloudFront cache(s).