Amazon s3 创建允许访问Cloudfront但限制其他任何人访问的S3 bucket策略
我有以下政策:Amazon s3 创建允许访问Cloudfront但限制其他任何人访问的S3 bucket策略,amazon-s3,amazon-cloudfront,Amazon S3,Amazon Cloudfront,我有以下政策: { "Version": "2008-10-17", "Id": "PolicyForCloudFrontPrivateContent", "Statement": [ { "Sid": "Stmt1395852960432", "Action": "s3:*", "Effect": "Deny",
{
"Version": "2008-10-17",
"Id": "PolicyForCloudFrontPrivateContent",
"Statement": [
{
"Sid": "Stmt1395852960432",
"Action": "s3:*",
"Effect": "Deny",
"Resource": "arn:aws:s3:::my-bucket/*",
"Principal": {
"AWS": [
"*"
]
}
},
{
"Sid": "1",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity E1IYJC432545JN"
},
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::my-bucket/*"
}
]
}
然而,这会拒绝来自所有请求者的请求,即使是Cloudfront。正确的方法是什么
问题在于,对象是由具有公共读取的客户端创建的。我目前无法立即控制客户端更改此设置。所以我想要的是有一个覆盖单个对象ACL的策略。因此,此处的默认拒绝不起作用。S3策略将如下所示:
{
"Version": "2008-10-17",
"Id": "PolicyForCloudFrontPrivateContent",
"Statement": [
{
"Sid": "1",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity XXXXXXXXXXX"
},
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::YYYYYYYYYYYYY.com/*"
}
]
}
但是,我没有手动生成这个。当您在cloudfront中添加一个原点(S3)时,您可以选择“限制Bucket访问”-在此处告诉“是”,然后继续。Cloudfront配置将自动为您完成其余工作
此处的详细信息: 这就是你要找的。用您的原始访问id替换XXXXXXXXXXXXX
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AddPerm",
"Effect": "Deny",
"NotPrincipal": {
"AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity XXXXXXXXXXXXXX"
},
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::your.bucket.com/*"
},
{
"Sid": "2",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity XXXXXXXXXXXXXX"
},
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::your.bucket.com/*"
}
]
}
我也有同样的问题。AWS手册很难阅读。对我来说,我错过了
Origins
选项卡和添加标识后的Yes,Update Bucket Policy
。如果仍然出现基于XML的AccessDenied错误,请确保在CloudFront发行版的General选项卡下指定默认根对象。将策略添加到S3 Bucket后,当通过CloudFront域访问我的S3存储桶时,我仍然被拒绝访问。