1 Risposta
- Più recenti
- Maggior numero di voti
- Maggior numero di commenti
2
Assuming that the S3 bucket is private and that an OAI has been created. In the bucket policy, add the prefix "public" to the ARN :
"Resource": "arn:aws:s3:::mybucket/public/*"
You could also add an explicit deny statement:
{
"Effect": "Deny",
"Principal": {
"AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity ABCDEFGHIJ1234"
},
"Action": "s3:*",
"Resource": "arn:aws:s3:::mybucket/private/*"
}
Contenuto pertinente
- AWS UFFICIALEAggiornata 2 anni fa
- AWS UFFICIALEAggiornata un anno fa
- AWS UFFICIALEAggiornata 3 anni fa
- AWS UFFICIALEAggiornata 9 mesi fa
Ok, OAI has already been created and I've updated the bucket policy regarding to your answer (finetuned the "Allow" statement and added also the "Deny" statement.
Do you mean that this explicitly prevents distribution of the "private" directory? I just want to be sure.
With this bucket policy, CloudFront has no access to the private directory.
Also, look at the S3 Access Analyzer to see if any other policy is allowing access to the 'private' prefix.