创建S3斗政策，允许访问的Cloudfront但限制其他任何人

Question

访问，我有以下政策：

{ 
     "Version": "2008-10-17", 
     "Id": "PolicyForCloudFrontPrivateContent", 
     "Statement": [ 
      { 
       "Sid": "Stmt1395852960432", 
       "Action": "s3:*", 
       "Effect": "Deny", 
       "Resource": "arn:aws:s3:::my-bucket/*", 
       "Principal": { 
        "AWS": [ 
         "*" 
        ] 
       } 
      }, 
      { 
       "Sid": "1", 
       "Effect": "Allow", 
       "Principal": { 
        "AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity E1IYJC432545JN" 
       }, 
       "Action": "s3:GetObject", 
       "Resource": "arn:aws:s3:::my-bucket/*" 
      } 
     ] 
    } 

从所有的请求。然而，这种否认请求，即使的Cloudfront。什么是正确的方法来做到这一点？

问题是客户端使用公共读取创建对象。我目前没有立即控制客户端来更改此设置。所以我想要的是制定一个覆盖单个对象ACL的策略。所以默认拒绝这里不起作用。

Answer 1

的S3政策看起来就像是这样的：

{ 
"Version": "2008-10-17", 
"Id": "PolicyForCloudFrontPrivateContent", 
"Statement": [ 
    { 
     "Sid": "1", 
     "Effect": "Allow", 
     "Principal": { 
      "AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity XXXXXXXXXXX" 
     }, 
     "Action": "s3:GetObject", 
     "Resource": "arn:aws:s3:::YYYYYYYYYYYYY.com/*" 
    } 
] 
} 

但是，我没有手动生成此。当您在云端添加原点（S3）时，您可以选择“限制桶访问” - 在此处指示“是”并继续前进。 Cloudfront配置会为您自动完成剩余的工作。

详情在这里：Using an Origin Access Identity to Restrict Access to Your Amazon S3 Content - Amazon CloudFront。

Answer 2

这就是你要找的。将XXXXXXXXXXXXXX替换为您的原始访问ID

{ 
"Version": "2012-10-17", 
"Statement": [ 
    { 
     "Sid": "AddPerm", 
     "Effect": "Deny", 
     "NotPrincipal": { 
      "AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity XXXXXXXXXXXXXX" 
     }, 
     "Action": "s3:GetObject", 
     "Resource": "arn:aws:s3:::your.bucket.com/*" 
    }, 
    { 
     "Sid": "2", 
     "Effect": "Allow", 
     "Principal": { 
      "AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity XXXXXXXXXXXXXX" 
     }, 
     "Action": "s3:GetObject", 
     "Resource": "arn:aws:s3:::your.bucket.com/*" 
    } 
] 
}