Create an S3 bucket policy that allows access from CloudFront but denies it to everyone else

Time: 2014-03-26 17:02:54

Tags: amazon-s3 amazon-cloudfront

I have the following policy:

{
    "Version": "2008-10-17",
    "Id": "PolicyForCloudFrontPrivateContent",
    "Statement": [
        {
            "Sid": "Stmt1395852960432",
            "Action": "s3:*",
            "Effect": "Deny",
            "Resource": "arn:aws:s3:::my-bucket/*",
            "Principal": {
                "AWS": [
                    "*"
                ]
            }
        },
        {
            "Sid": "1",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity E1IYJC432545JN"
            },
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::my-bucket/*"
        }
    ]
}

But this denies requests from every requester, even CloudFront. What is the correct way to do this?

The problem is that the clients create the objects with public-read. I do not currently have direct control over the clients to change this. So what I want is a policy that overrides the ACLs of the individual objects; a default deny does not work here.

2 answers:

Answer 0 (score: 18)

The S3 policy looks like this:

{
    "Version": "2008-10-17",
    "Id": "PolicyForCloudFrontPrivateContent",
    "Statement": [
        {
            "Sid": "1",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity XXXXXXXXXXX"
            },
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::YYYYYYYYYYYYY.com/*"
        }
    ]
}

However, I did not generate this by hand. When you add an (S3) origin in CloudFront there is an option "Restrict Bucket Access"; say "Yes" there and carry on. The CloudFront setup does the rest for you automatically.

Details here: Using an Origin Access Identity to Restrict Access to Your Amazon S3 Content - Amazon CloudFront

Answer 1 (score: 9)

This is what you are looking for. Replace XXXXXXXXXXXXXX with your Origin Access Identity ID.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AddPerm",
            "Effect": "Deny",
            "NotPrincipal": {
                "AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity XXXXXXXXXXXXXX"
            },
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::your.bucket.com/*"
        },
        {
            "Sid": "2",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity XXXXXXXXXXXXXX"
            },
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::your.bucket.com/*"
        }
    ]
}
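Below is an added example, not part of the question or of either answer, that models in Python why the three policies on this page behave differently. It encodes the documented S3 decision order (an explicit Deny in the bucket policy wins over everything; otherwise an Allow from the bucket policy or a public-read grant on the object ACL is enough; otherwise the request is implicitly denied) and runs the question's policy, answer 0's allow-only policy and answer 1's NotPrincipal policy through it. The OAI ARN and the bucket name `my-bucket` are taken from the question; the owner-account ARN `arn:aws:iam::111122223333:root`, the object key `photo.jpg` and the `evaluate` function are assumptions made for this example, and the evaluator handles only the `Principal`/`NotPrincipal` `AWS` forms and the action and resource wildcards these policies actually use.

```python
from fnmatch import fnmatchcase

# Identifiers copied from the question; the same bucket is used for all
# three policies so the requests below are directly comparable.
OAI = "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity E1IYJC432545JN"
BUCKET_OBJECTS = "arn:aws:s3:::my-bucket/*"
ANONYMOUS = "anonymous"                         # unauthenticated public request
OWNER_ROOT = "arn:aws:iam::111122223333:root"   # hypothetical bucket-owner account

# The question's policy: Deny everything to everyone, then Allow the OAI.
QUESTION_POLICY = {
    "Version": "2008-10-17",
    "Statement": [
        {"Effect": "Deny", "Principal": {"AWS": ["*"]},
         "Action": "s3:*", "Resource": BUCKET_OBJECTS},
        {"Effect": "Allow", "Principal": {"AWS": OAI},
         "Action": "s3:GetObject", "Resource": BUCKET_OBJECTS},
    ],
}

# Answer 0: Allow the OAI and say nothing about anybody else.
ALLOW_ONLY_POLICY = {
    "Version": "2008-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": {"AWS": OAI},
         "Action": "s3:GetObject", "Resource": BUCKET_OBJECTS},
    ],
}

# Answer 1: Deny every principal that is NOT the OAI, plus the Allow.
DENY_NOT_PRINCIPAL_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Deny", "NotPrincipal": {"AWS": OAI},
         "Action": "s3:GetObject", "Resource": BUCKET_OBJECTS},
        {"Effect": "Allow", "Principal": {"AWS": OAI},
         "Action": "s3:GetObject", "Resource": BUCKET_OBJECTS},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_matches(spec, requester):
    """True if a Principal/NotPrincipal element names the requester.

    Only the {"AWS": ...} form and the "*" wildcard are modelled, which is
    all the policies on this page use.
    """
    if spec == "*":
        return True
    arns = _as_list(spec.get("AWS", []))
    return "*" in arns or requester in arns


def _action_matches(pattern, action):
    # IAM action matching is case-insensitive and allows a trailing wildcard,
    # so "s3:*" in the question's Deny covers s3:GetObject.
    pattern, action = pattern.lower(), action.lower()
    return pattern == "*" or pattern == action or (
        pattern.endswith("*") and action.startswith(pattern[:-1]))


def _statement_applies(stmt, requester, action, resource):
    if not any(_action_matches(p, action) for p in _as_list(stmt["Action"])):
        return False
    if not any(fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
        return False
    if "Principal" in stmt:
        return _principal_matches(stmt["Principal"], requester)
    if "NotPrincipal" in stmt:
        # NotPrincipal inverts the match: the statement applies to every
        # requester EXCEPT the ones listed.
        return not _principal_matches(stmt["NotPrincipal"], requester)
    return False


def evaluate(policy, requester, action, resource, acl_public_read=False):
    """Decide one request: 'allow', 'explicit-deny' or 'implicit-deny'.

    Simplified S3 decision order: an explicit Deny in the bucket policy
    always wins; otherwise an Allow from the bucket policy OR a public-read
    grant on the object ACL is enough; otherwise the default is deny.
    """
    effects = {s["Effect"] for s in policy["Statement"]
               if _statement_applies(s, requester, action, resource)}
    if "Deny" in effects:
        return "explicit-deny"
    if "Allow" in effects:
        return "allow"
    if acl_public_read and action == "s3:GetObject":
        return "allow"   # the ACL grant the asker cannot switch off
    return "implicit-deny"


if __name__ == "__main__":
    obj = "arn:aws:s3:::my-bucket/photo.jpg"   # constructed object key
    policies = [("question", QUESTION_POLICY), ("answer 0", ALLOW_ONLY_POLICY),
                ("answer 1", DENY_NOT_PRINCIPAL_POLICY)]
    requesters = [("CloudFront OAI", OAI), ("anonymous", ANONYMOUS),
                  ("bucket owner", OWNER_ROOT)]
    for name, policy in policies:
        for label, who in requesters:
            verdict = evaluate(policy, who, "s3:GetObject", obj, acl_public_read=True)
            print(f"{name:9} {label:15} object has public-read ACL -> {verdict}")
```

Running it shows the three outcomes that matter here: the question's policy denies the OAI as well, because its `Principal: "*"` Deny matches every requester and an explicit Deny beats the Allow that follows it; the allow-only policy from answer 0 leaves objects that carry a public-read ACL readable by anyone, since nothing in it denies; and the `NotPrincipal` Deny from answer 1 overrides the public-read ACL for every requester except the OAI. One caveat the model also exposes: that Deny hits the bucket owner's own account too, so the owner can no longer read objects directly, although it can still replace or delete the bucket policy because the Deny covers only `s3:GetObject` on objects. Newer CloudFront distributions use Origin Access Control with the `cloudfront.amazonaws.com` service principal instead of an OAI, but the same evaluation order applies.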