Amazon web services Cloudfront访问被拒绝
我正在尝试使用Cloudformation创建一个具有S3源的Cloudfront。我想限制S3对象只能通过Cloudfront访问。然而,我使用S3直接url和Cloudfront url都被拒绝访问Amazon web services Cloudfront访问被拒绝,amazon-web-services,amazon-cloudformation,amazon-cloudfront,Amazon Web Services,Amazon Cloudformation,Amazon Cloudfront,我正在尝试使用Cloudformation创建一个具有S3源的Cloudfront。我想限制S3对象只能通过Cloudfront访问。然而,我使用S3直接url和Cloudfront url都被拒绝访问 AWSTemplateFormatVersion: "2010-09-09" Resources: S3Bucket: Type: AWS::S3::Bucket Properties: AccessControl: Private Clo
AWSTemplateFormatVersion: "2010-09-09"
Resources:
S3Bucket:
Type: AWS::S3::Bucket
Properties:
AccessControl: Private
CloudFrontOriginIdentity:
Type: 'AWS::CloudFront::CloudFrontOriginAccessIdentity'
Properties:
CloudFrontOriginAccessIdentityConfig:
Comment: 'origin identity'
BucketPolicy:
Type: 'AWS::S3::BucketPolicy'
Properties:
Bucket: !Ref S3Bucket
PolicyDocument:
Statement:
- Effect: Allow
Principal:
AWS: !Sub 'arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity ${CloudFrontOriginIdentity}'
Action: 's3:GetObject'
Resource: !Sub 'arn:aws:s3:::${S3Bucket}/*'
CloudFrontDistribution:
Type: 'AWS::CloudFront::Distribution'
Properties:
DistributionConfig:
DefaultCacheBehavior:
AllowedMethods:
- GET
- HEAD
- OPTIONS
CachedMethods:
- GET
- HEAD
- OPTIONS
Compress: true
DefaultTTL: 3600
ForwardedValues:
Cookies:
Forward: none
QueryString: false
MaxTTL: 86400
MinTTL: 60
TargetOriginId: s3origin
ViewerProtocolPolicy: 'redirect-to-https'
DefaultRootObject: 'index.html'
Enabled: true
HttpVersion: http2
Origins:
- DomainName: !GetAtt 'S3Bucket.DomainName'
Id: s3origin
S3OriginConfig:
OriginAccessIdentity: !Sub 'origin-access-identity/cloudfront/${CloudFrontOriginIdentity}'
在S3中,我得到了index.html,里面只有Hello
创建桶策略
{
"Version": "2008-10-17",
"Statement": [
{
"Sid": "",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity xxxxxxxxxxxx"
},
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::mystack-s3bucket-xxxxxxxxxxx/*"
}
]
}
我在我的沙盒帐户中部署了你的模板。它按预期工作。桶,政策,CF发行版都很好,我的样本网站的作品 只要确保你使用CF域名从互联网上访问你的静态网站,而不是bucket url,因为我见过有人用CF错误地使用bucket url。它会有
ddd7asdf234sa.cloudfront.net
你能发布CFn创建的bucket策略吗?@jellycsc addedI使用该模板拒绝来自CF和s3 URL的访问。这可能与S3文件权限等有关吗?@Jayp您修改过吗?无论发生什么,这都不是你发布的模板的错。