創建S3鬥政策，允許訪問的Cloudfront但限制其他任何人

Question

訪問，我有以下政策：

{ 
     "Version": "2008-10-17", 
     "Id": "PolicyForCloudFrontPrivateContent", 
     "Statement": [ 
      { 
       "Sid": "Stmt1395852960432", 
       "Action": "s3:*", 
       "Effect": "Deny", 
       "Resource": "arn:aws:s3:::my-bucket/*", 
       "Principal": { 
        "AWS": [ 
         "*" 
        ] 
       } 
      }, 
      { 
       "Sid": "1", 
       "Effect": "Allow", 
       "Principal": { 
        "AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity E1IYJC432545JN" 
       }, 
       "Action": "s3:GetObject", 
       "Resource": "arn:aws:s3:::my-bucket/*" 
      } 
     ] 
    } 

從所有的請求。然而，這種否認請求，即使的Cloudfront。什麼是正確的方法來做到這一點？

問題是客戶端使用公共讀取創建對象。我目前沒有立即控制客戶端來更改此設置。所以我想要的是制定一個覆蓋單個對象ACL的策略。所以默認拒絕這裏不起作用。

Answer 1

的S3政策看起來就像是這樣的：

{ 
"Version": "2008-10-17", 
"Id": "PolicyForCloudFrontPrivateContent", 
"Statement": [ 
    { 
     "Sid": "1", 
     "Effect": "Allow", 
     "Principal": { 
      "AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity XXXXXXXXXXX" 
     }, 
     "Action": "s3:GetObject", 
     "Resource": "arn:aws:s3:::YYYYYYYYYYYYY.com/*" 
    } 
] 
} 

但是，我沒有手動生成此。當您在雲端添加原點（S3）時，您可以選擇「限制桶訪問」 - 在此處指示「是」並繼續前進。 Cloudfront配置會爲您自動完成剩餘的工作。

詳情在這裏：Using an Origin Access Identity to Restrict Access to Your Amazon S3 Content - Amazon CloudFront。

Answer 2

這就是你要找的。將XXXXXXXXXXXXXX替換爲您的原始訪問ID

{ 
"Version": "2012-10-17", 
"Statement": [ 
    { 
     "Sid": "AddPerm", 
     "Effect": "Deny", 
     "NotPrincipal": { 
      "AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity XXXXXXXXXXXXXX" 
     }, 
     "Action": "s3:GetObject", 
     "Resource": "arn:aws:s3:::your.bucket.com/*" 
    }, 
    { 
     "Sid": "2", 
     "Effect": "Allow", 
     "Principal": { 
      "AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity XXXXXXXXXXXXXX" 
     }, 
     "Action": "s3:GetObject", 
     "Resource": "arn:aws:s3:::your.bucket.com/*" 
    } 
] 
}