An S3 bucket policy that allows objects in a bucket to be read only through a specific CloudFront distribution, and explicitly denies s3:GetObject to every other principal. Fill in two values before use: the bucket name in both Resource ARNs (arn:aws:s3:::BUCKET-NAME/*) and the ID of your distribution's origin access identity (OAI) at the end of both principal ARNs. Note that this form of the principal takes the OAI ID, not the canonical user ID; the canonical user ID is only used with the alternative "CanonicalUser" principal form. Because the second statement is an explicit Deny with NotPrincipal, it also denies s3:GetObject to IAM users and roles in the bucket owner's own account, including the account root, and an explicit Deny in a bucket policy cannot be overridden by an identity-based policy. That is what makes the policy effective against anyone in the account who already has s3:GetObject via IAM, but it also means administrators must edit the bucket policy before they can read objects directly. OAI is the older CloudFront mechanism; for new distributions AWS recommends origin access control (OAC), which uses a "Service": "cloudfront.amazonaws.com" principal scoped by an AWS:SourceArn condition instead. An empty "Condition" element is not valid policy syntax, so it is omitted below.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowCloudFrontOAIRead",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity "
        ]
      },
      "Action": [
        "s3:GetObject"
      ],
      "Resource": [
        "arn:aws:s3:::/*"
      ]
    },
    {
      "Sid": "DenyReadToEveryoneElse",
      "Effect": "Deny",
      "NotPrincipal": {
        "AWS": [
          "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity "
        ]
      },
      "Action": [
        "s3:GetObject"
      ],
      "Resource": [
        "arn:aws:s3:::/*"
      ]
    }
  ]
}
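The following is an added example, not part of the original page or generator: it builds the policy above for a concrete bucket and OAI ID (the bucket name "example-static-site" and OAI ID "E2QWRUHAPOMQZL" are made-up placeholders), then runs a minimal evaluator that handles only this policy shape (AWS-ARN Principal/NotPrincipal, Allow/Deny, explicit Deny wins) to show who can read objects: the OAI can, while an IAM user and even the account root in the bucket owner's account are explicitly denied, and a request for a different action falls through to the implicit deny. The function names are mine; nothing here calls AWS, so it runs offline.

```python
"""Added example: generate the CloudFront OAI bucket policy and evaluate it
locally. Not the page's own code; bucket name and OAI ID are placeholders."""
import fnmatch
import json
import re

# Constructed placeholder values (assumptions, not real resources).
BUCKET = "example-static-site"
OAI_ID = "E2QWRUHAPOMQZL"  # shape of a CloudFront origin access identity ID


def oai_principal_arn(oai_id: str) -> str:
    """The IAM-style ARN CloudFront exposes for an origin access identity."""
    return f"arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity {oai_id}"


def build_policy(bucket: str, oai_id: str) -> dict:
    """Two statements: Allow the OAI to GetObject, explicitly Deny everyone else."""
    if not re.fullmatch(r"[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]", bucket):
        raise ValueError(f"invalid bucket name: {bucket!r}")
    if not re.fullmatch(r"E[A-Z0-9]{12,14}", oai_id):
        raise ValueError(f"invalid OAI ID: {oai_id!r}")
    objects = f"arn:aws:s3:::{bucket}/*"
    oai = oai_principal_arn(oai_id)
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowCloudFrontOAIRead",
                "Effect": "Allow",
                "Principal": {"AWS": [oai]},
                "Action": ["s3:GetObject"],
                "Resource": [objects],
            },
            {
                "Sid": "DenyReadToEveryoneElse",
                "Effect": "Deny",
                "NotPrincipal": {"AWS": [oai]},
                "Action": ["s3:GetObject"],
                "Resource": [objects],
            },
        ],
    }


def _matches(patterns, value: str) -> bool:
    """IAM-style wildcard match ('*' and '?') for Action and Resource entries."""
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def evaluate(policy: dict, principal_arn: str, action: str, resource: str) -> str:
    """Minimal evaluator for this policy shape only.

    An explicit Deny on a matching statement wins immediately; a matching Allow
    sets the result to Allow; with no matching statement the result is the
    implicit deny. Identity-based policies are deliberately out of scope: a
    bucket-policy Deny overrides any Allow they could grant anyway.
    """
    decision = "ImplicitDeny"
    for st in policy["Statement"]:
        if not _matches(st["Action"], action) or not _matches(st["Resource"], resource):
            continue
        if "Principal" in st and principal_arn not in st["Principal"]["AWS"]:
            continue
        if "NotPrincipal" in st and principal_arn in st["NotPrincipal"]["AWS"]:
            continue
        if st["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


if __name__ == "__main__":
    policy = build_policy(BUCKET, OAI_ID)
    print(json.dumps(policy, indent=2))
    obj = f"arn:aws:s3:::{BUCKET}/index.html"
    for who in (oai_principal_arn(OAI_ID),
                "arn:aws:iam::123456789012:user/alice",
                "arn:aws:iam::123456789012:root"):
        print(f"{who}: {evaluate(policy, who, 's3:GetObject', obj)}")
```

The printed policy can be applied with `aws s3api put-bucket-policy --bucket <name> --policy file://policy.json`. The "root" case is the one to notice: the account's own root principal is denied GetObject by the NotPrincipal Deny, so reading objects outside CloudFront requires changing the bucket policy first.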