By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post

Enabling CORS policy for public S3 object delivered through CloudFront

0

I have an S3 object that should be publicly accessible but only from specified domains. The object is accessed through a CloudFront custom url.

I have tried the below steps:

  1. Set S3 bucket permission to Public
  2. Set 'Origin request policy name' = 'Managed-CORS-S3Origin behavior' in CloudFront distribution according to this post on aws knowledge center so CloudFront passes origin
  3. Added CORS policy to S3 bucket as below. https://www.example.com replaced with domain I want to provide access to.
[
    {
        "AllowedHeaders": [
            "*"
        ],
        "AllowedMethods": [
            "GET"
        ],
        "AllowedOrigins": [
            "https://www.example.com"
        ],
        "ExposeHeaders": [
            "Access-Control-Allow-Origin"
        ]
    }
]

While I am able to access the object from specified domain, I am also able to access it from domains NOT specified under AllowedOrigins in the CORS policy.

Looking for some direction on how best to fix this so access is restricted to specified domains only.

Thanks!

Topics
StorageNetworking & Content Delivery
Tags
Amazon Simple Storage ServiceAmazon CloudFront
Language
English
rePost-User-4713821
asked a year ago313 views
1 Answer
0

You need to BLOCK Public permission on the bucket, otherwise everyone from everywhere can access it

German Rizo
answered a year ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content