S3 Bucket Policies

Restrict S3 bucket read access to a CloudFront origin.

An S3 bucket policy that denies any request to read objects in an S3 bucket unless it comes from a specific CloudFront distribution. You must specify the canonical user ID for your CloudFront distribution's origin access identity.


Missing Parameters
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Principal": {
                "AWS": [
                    "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity <ORIGIN_ACCESS_IDENTITY_ID>"
                ]
            },
            "Action": [
                "s3:GetObject"
            ],
            "Resource": [
                "arn:aws:s3:::<BUCKET_NAME>/*"
            ],
            "Effect": "Allow"
        },
        {
            "NotPrincipal": {
                "AWS": [
                    "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity <ORIGIN_ACCESS_IDENTITY_ID>"
                ]
            },
            "Action": [
                "s3:GetObject"
            ],
            "Resource": [
                "arn:aws:s3:::<BUCKET_NAME>/*"
            ],
            "Effect": "Deny"
        }
    ]
}
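
A pre-deployment check for this template, added here as an example and not part of the original page or tool: it flags an unfilled identity ID or bucket name, a Condition that is not an object, and a Deny NotPrincipal list that differs from the Allow Principal list. The names `lint_policy` and `render`, the ID and bucket-name patterns, and the sample values are assumptions made for illustration.

```python
import json
import re

OAI_PREFIX = "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity "
# Assumption: identity IDs are upper-case alphanumerics; bucket names are 3-63 chars.
OAI_ARN = re.compile(re.escape(OAI_PREFIX) + r"[A-Z0-9]+")
OBJECT_ARN = re.compile(r"arn:aws:s3:::[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]/\*")


def as_list(value):
    """Policy elements may be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def lint_policy(text):
    """Return findings for the Allow/Deny statement pair this template is built from."""
    findings, principals = [], {}
    for i, st in enumerate(as_list(json.loads(text)["Statement"])):
        if "Condition" in st and not isinstance(st["Condition"], dict):
            findings.append(f"Statement[{i}]: Condition must be an object or omitted")
        for res in as_list(st.get("Resource", [])):
            if not OBJECT_ARN.fullmatch(res):
                findings.append(f"Statement[{i}]: no bucket name in {res!r}")
        key = "NotPrincipal" if st.get("Effect") == "Deny" else "Principal"
        block = st.get(key)
        arns = as_list(block.get("AWS", [])) if isinstance(block, dict) else []
        for arn in arns:
            if not OAI_ARN.fullmatch(arn):
                findings.append(f"Statement[{i}]: no identity ID in {key} {arn!r}")
        principals[st.get("Effect")] = sorted(arns)
    # Explicit Deny wins: an identity listed only under Allow is still denied.
    if principals.get("Allow") != principals.get("Deny"):
        findings.append("Deny NotPrincipal does not match Allow Principal")
    return findings


def render(oai_id, bucket, deny_oai_id=None, condition=None):
    """Build the two-statement policy from parameters (constructed sample input)."""
    def stmt(effect, key, ident):
        s = {key: {"AWS": [OAI_PREFIX + ident]}, "Action": ["s3:GetObject"],
             "Resource": [f"arn:aws:s3:::{bucket}/*"], "Effect": effect}
        if condition is not None:
            s["Condition"] = condition
        return s
    deny = oai_id if deny_oai_id is None else deny_oai_id
    return json.dumps({"Version": "2012-10-17", "Statement": [
        stmt("Allow", "Principal", oai_id), stmt("Deny", "NotPrincipal", deny)]})


if __name__ == "__main__":
    # An unfilled template, then a filled one (both constructed).
    for policy in (render("", "", condition=""), render("EXAMPLEOAIID01", "example-bucket")):
        print(lint_policy(policy) or "OK")
```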
