I have set up the following information:

- Created an AWS S3 bucket and uploaded some images into the particular folder
- Created an AWS CloudFront web distribution:
  - Origin Domain Name: Selected S3 bucket from the list
  - Restrict Bucket Access: Yes
  - Origin Access Identity: Selected existing Identity
  - Grant Read Permissions on Bucket: Yes, Update Bucket Policy
```
AccessDenied
Access denied
```
I have got the signed URL from the above process like

```
image.png?policy=xxxxx@signature=xxx@Key-Pair-Id=XXXXXXX
```

but I couldn't access the URL.
Sample JSON for the CloudFront policy:

```json
{
  "Statement": [
    {
      "Resource": "XXXXXXXXXX.cloudfront.net/standard/f7cecd92-5314-4263-9147-7cca3041e69d.png",
      "Condition": {
        "DateLessThan": {
          "AWS:EpochTime": 1555021200
        },
        "IpAddress": {
          "AWS:SourceIp": "0.0.0.0/0"
        },
        "DateGreaterThan": {
          "AWS:EpochTime": 1554848400
        }
      }
    }
  ]
}
```
Added CloudFront bucket policy:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity XXXXXXXXXXXXXXX"
      },
      "Action": [
        "s3:PutObject",
        "s3:GetObject"
      ],
      "Resource": "arn:aws:s3:::bucket_name/*"
    },
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity XXXXXXXXXXXXXXX"
      },
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::bucket_name"
    }
  ]
}
```
listBucket on the bucket ARN, e.g. `arn:aws:s3:::bucket_name`. If you only have getObject permission for a bucket and try to fetch an object that doesn't exist you will get a 403, but you will get a 404 if you have listBucket permissions. – cementblocks