That banner will show up any time you modify the origin configuration in CloudFront. It just serves as a reminder, and is not actually indicating that your bucket policy is misconfigured.
If you are able to access the S3 bucket via the CloudFront distribution url, while block public access is enabled, then your OAC and bucket policy are likely configured correctly.
You can test this by removing the bucket policy and then creating an invalidation in CloudFront to clear the cache. An invalidation of /* will clear the entire cache. If you don't invalidate the cache, CloudFront will continue to serve objects from the cache.
Once the invalidation is complete you can try accessing bucket objects through the CloudFront distribution url. You should see an Access Denied message confirming that the bucket policy has been removed.
Once you add back the bucket policy you'll once again be able to access your objects from the CloudFront distribution url.
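The answer above confirms OAC by removing and restoring the bucket policy. As a complementary offline check, here is an added example (not from the thread or from AWS) that reads a bucket policy document and reports whether it matches the OAC pattern: an Allow for the cloudfront.amazonaws.com service principal, s3:GetObject only, scoped to the bucket, and locked to one distribution through the AWS:SourceArn condition. The bucket name, account id and distribution id are constructed placeholders.

```python
import json

CLOUDFRONT_SERVICE = "cloudfront.amazonaws.com"

def _as_list(value):
    """IAM policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]

def check_oac_policy(policy_json, bucket, distribution_arn):
    """Return findings for a bucket policy; an empty list means it matches the OAC
    pattern (CloudFront service principal, s3:GetObject, this bucket, this distribution)."""
    policy = json.loads(policy_json)
    findings, oac_statements = [], 0
    for stmt in _as_list(policy.get("Statement", [])):
        sid = stmt.get("Sid", "<no Sid>")
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        if principal == "*" or (isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))):
            findings.append(f"{sid}: wildcard principal makes objects readable without CloudFront")
            continue
        services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        if CLOUDFRONT_SERVICE not in services:
            continue  # not an OAC statement; out of scope for this check
        oac_statements += 1
        bad_actions = [a for a in _as_list(stmt.get("Action", [])) if a != "s3:GetObject"]
        if bad_actions:
            findings.append(f"{sid}: OAC only needs s3:GetObject, found {bad_actions}")
        prefix = f"arn:aws:s3:::{bucket}/"
        if any(not r.startswith(prefix) for r in _as_list(stmt.get("Resource", []))):
            findings.append(f"{sid}: Resource is not scoped to {prefix}*")
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        source_arn = cond.get("AWS:SourceArn", cond.get("aws:SourceArn"))
        if source_arn != distribution_arn:
            findings.append(f"{sid}: AWS:SourceArn must equal {distribution_arn}, got {source_arn}")
    if oac_statements == 0:
        findings.append("no statement grants cloudfront.amazonaws.com access (OAC requests will get AccessDenied)")
    return findings

# Constructed sample values (not from the thread): bucket name, account id and distribution id
BUCKET = "example-bucket"
DIST_ARN = "arn:aws:cloudfront::111122223333:distribution/EDFDVBD6EXAMPLE"
GOOD_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "AllowCloudFrontServicePrincipalReadOnly", "Effect": "Allow",
    "Principal": {"Service": "cloudfront.amazonaws.com"}, "Action": "s3:GetObject",
    "Resource": f"arn:aws:s3:::{BUCKET}/*",
    "Condition": {"StringEquals": {"AWS:SourceArn": DIST_ARN}}}]})
# Same policy pointing at a different distribution: this is the mismatch the check must flag
LAX_POLICY = GOOD_POLICY.replace(DIST_ARN, "arn:aws:cloudfront::111122223333:distribution/OTHERDIST")
```

Run `check_oac_policy(GOOD_POLICY, BUCKET, DIST_ARN)` to get an empty list, and the LAX_POLICY variant to see the SourceArn finding.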
I understand you are seeing the challenge in setting up CloudFront.
You are in the right direction, as you already highlighted the difference. There is a re:Post Knowledge Center article; please follow that as is, and you should be able to get past the error.
Additional Reference:
Restricting access to an Amazon S3 origin
Hope you find this helpful.
Comment here if you have additional questions or see any issues further, happy to help.
Abhishek
Thanks for the fast response. Your references contain a newer version of the bucket policy than the one that the CloudFront configuration generates automatically. I updated the newer version of the bucket policy with my Resource and AWS:SourceArn values from the CloudFront recommended policy. I ran the Access Analyzer which reported no errors, and saved the updated policy.
Unfortunately, if I go back to CloudFront, edit my Origin Settings, and "Save changes", I get the same banner as before. I can access the S3 bucket via the CloudFront distribution endpoint, but I believe that worked before I set OAC. I verified that the S3 bucket has "Block all public access=On".
Thanks for the clarification. I deleted the bucket policy and got AccessDenied with OAC enabled or if I switched CloudFront to Public. When I restored the bucket policy and enabled OAC, I was able to access my website. Switching CloudFront to Public returned AccessDenied, which is expected since my S3 bucket is not set to public.
The wording of the banner seems a bit 'strong' - it implies that the GUI is checking the S3 bucket policy rather than reminding me to check. If anything, it should get me to check if the permissions are too lax - I will know if I did not implement the bucket policy because of the AccessDenied errors.
Thank you, that's great feedback!