Amazon s3 创建允许访问Cloudfront但限制其他任何人访问的S3 bucket策略
我有以下政策:Amazon s3 创建允许访问Cloudfront但限制其他任何人访问的S3 bucket策略,amazon-s3,amazon-cloudfront,Amazon S3,Amazon Cloudfront,我有以下政策: { "Version": "2008-10-17", "Id": "PolicyForCloudFrontPrivateContent", "Statement": [ { "Sid": "Stmt1395852960432", "Action": "s3:*", "Effect": "Deny",
{
"Version": "2008-10-17",
"Id": "PolicyForCloudFrontPrivateContent",
"Statement": [
{
"Sid": "Stmt1395852960432",
"Action": "s3:*",
"Effect": "Deny",
"Resource": "arn:aws:s3:::my-bucket/*",
"Principal": {
"AWS": [
"*"
]
}
},
{
"Sid": "1",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity E1IYJC432545JN"
},
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::my-bucket/*"
}
]
}
问题在于,对象是由具有公共读取的客户端创建的。我目前无法立即控制客户端更改此设置。所以我想要的是有一个覆盖单个对象ACL的策略。因此,此处的默认拒绝不起作用。S3策略将如下所示:
{
"Version": "2008-10-17",
"Id": "PolicyForCloudFrontPrivateContent",
"Statement": [
{
"Sid": "1",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity XXXXXXXXXXX"
},
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::YYYYYYYYYYYYY.com/*"
}
]
}
此处的详细信息: 这就是你要找的。用您的原始访问id替换XXXXXXXXXXXXX
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AddPerm",
"Effect": "Deny",
"NotPrincipal": {
"AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity XXXXXXXXXXXXXX"
},
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::your.bucket.com/*"
},
{
"Sid": "2",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity XXXXXXXXXXXXXX"
},
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::your.bucket.com/*"
}
]
}
我也有同样的问题。AWS手册很难阅读。对我来说,我错过了
OriginsYes,Update Bucket Policy