I have the following policy:
{
  "Version": "2008-10-17",
  "Id": "PolicyForCloudFrontPrivateContent",
  "Statement": [
This is what you're looking for. Replace XXXXXXXXXXXXXX with your origin access ID
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AddPerm",
      "Effect": "Deny",
      "NotPrincipal": {
        "AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity XXXXXXXXXXXXXX"
      },
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::your.bucket.com/*"
    },
    {
      "Sid": "2",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity XXXXXXXXXXXXXX"
      },
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::your.bucket.com/*"
    }
  ]
}
The S3 policy will look something like this:
{
  "Version": "2008-10-17",
  "Id": "PolicyForCloudFrontPrivateContent",
  "Statement": [
    {
      "Sid": "1",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity XXXXXXXXXXX"
      },
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::YYYYYYYYYYYYY.com/*"
    }
  ]
}
But, I didn't manually generate this. When you add an origin (S3) in CloudFront, you have an option to "Restrict Bucket Access" - tell "Yes" here and move forward. CloudFront configuration will do the rest automatically for you.
Details here: Using an Origin Access Identity to Restrict Access to Your Amazon S3 Content - Amazon CloudFront.
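Both answers above boil down to one property: the only principal that may call s3:GetObject on the bucket's objects is the CloudFront origin access identity. The following is an added example (not code from either answerer or from AWS) that audits a bucket policy document for that property, flagging Allow statements open to "*" or to any non-OAI principal and reporting whether the Deny/NotPrincipal guard from the first answer is present. The OAI ARN, bucket name and sample policies are constructed placeholders.

```python
import json

# Placeholder OAI ARN and bucket (constructed, mirroring the answers above).
OAI_ARN = "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity XXXXXXXXXXXXXX"
BUCKET_OBJECTS = "arn:aws:s3:::your.bucket.com/*"

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _principals(stmt, key):
    """Flatten a Principal / NotPrincipal element into a list of ARNs (or '*')."""
    p = stmt.get(key)
    if p is None:
        return []
    if isinstance(p, dict):
        return [a for v in p.values() for a in _as_list(v)]
    return _as_list(p)

def audit_bucket_policy(policy, oai_arn):
    """Return (findings, deny_guard): findings lists Allow statements granting
    s3:GetObject to anyone but the OAI; deny_guard is True when an explicit
    Deny with NotPrincipal = OAI (the first answer's pattern) is present."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    findings, deny_guard = [], False
    for stmt in _as_list(policy.get("Statement", [])):
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if not actions & {"s3:getobject", "s3:*", "*"}:
            continue  # statement cannot grant object reads
        sid = stmt.get("Sid", "<no Sid>")
        if stmt.get("Effect") == "Allow":
            for p in _principals(stmt, "Principal"):
                if p == "*":
                    findings.append(f"{sid}: s3:GetObject allowed to the public (Principal *)")
                elif p != oai_arn:
                    findings.append(f"{sid}: s3:GetObject allowed to non-OAI principal {p}")
        elif stmt.get("Effect") == "Deny" and oai_arn in _principals(stmt, "NotPrincipal"):
            deny_guard = True
    return findings, deny_guard

# Constructed sample policies in the shapes discussed above.
OAI_ONLY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "1", "Effect": "Allow", "Principal": {"AWS": OAI_ARN},
     "Action": "s3:GetObject", "Resource": BUCKET_OBJECTS}]}
PUBLIC_READ = {"Version": "2012-10-17", "Statement": [
    {"Sid": "Public", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": BUCKET_OBJECTS}]}

if __name__ == "__main__":
    for name, pol in (("oai-only", OAI_ONLY), ("public-read", PUBLIC_READ)):
        print(name, audit_bucket_policy(pol, OAI_ARN))
```

One caveat on the first answer's Deny/NotPrincipal form: an explicit Deny applies to every principal not listed, including the bucket owner's own IAM users and roles, so they must be added to NotPrincipal if they still need to read objects directly.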