Allow CloudFront to access S3 origin while also having S3 bucket Block all public access?

2
votes

I am trying to setup the S3 buckets I want my CloudFront distribution to access.

From my client I use AWS mobile SDK to upload to S3. When clients consume files from S3 I hit CloudFront and things worked until I made this change:

enter image description here

When I created the distribution, I had CloudFront update the bucket policy to have the OAI included in the principal:

enter image description here

So, then I thought I could run GET calls on CloudFront, because CloudFront has the OAI setup and S3 bucket reflects that.

However, I keep getting Access denied:

enter image description here

What else do I need to do to secure down the bucket and only allow CloudFront to read and allow my client app to be able to upload files to it using the SDK configured with the poolId I have setup for it?. Unless I leave the "Block all public access" unchecked, I get access denied via CloudFront.

1
amazon-web-servicesamazon-s3amazon-cloudfront
Check default root object in the distribution settings. It's a fairly simple process to allow cloudfront to access S3 bucket objects. Make sure you are accessing object at the path where the objects exist.Asdfg

1 Answers

1
votes

Unfortunately according to the documentation the following is stated:

Amazon S3 Block Public Access must be disabled on the bucket.

This is because it will ignore the bucket policy due to the Block public and cross-account access to buckets and objects through any public bucket or access point policies value.

Unless your bucket policy also allows anonymous GetObject by default your objects will not be public.