I am trying to set up a CloudFront distribution for my S3 bucket. Currently that S3 bucket is used by different users and the bucket policy is set for those users. I want to set up a CloudFront distribution for a completely different user X.
I have created the distribution, added user X to the trusted signer. Now I understand that I need to create an origin access identity and modify the bucket policy to give access to that identity so that CF can access that bucket.
I want to make sure that I don't take away S3 bucket access from the users that already have it and give permission to CF to access that bucket. I have modified the bucket policy as shown below. Is this the right way to do so?
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "1",
                "Effect": "Allow",
                "Principal": {
                    "AWS": "arn:aws:iam::12345678:root"
                },
                "Action": "s3:GetObject",
                "Resource": "arn:aws:s3:::AAAAAAA/*"
            },
            {
                "Sid": "2",
                "Effect": "Allow",
                "Principal": {
                    "AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity ABCDEFGHI"
                },
                "Action": "s3:GetObject",
                "Resource": "arn:aws:s3:::AAAAAAA/*"
            }
        ]
    }
Yes, this seems correct.
IAM policies (including bucket policies) are processed using this logic:
In the current case, some requests match one statement, some match the other, and in both cases, the request is allowed. Any request matching neither statement would be implicitly denied.
Where some people get tripped up is by not fully understanding the fact that no matching deny statement is ever overridden by a matching allow, but every matching allow statement is always overridden by a matching deny. Your statements do not deny, so this isn't an issue.
Note also that all policy statements are tested, so the order of the statement declarations is not important.
The order in which the policies are evaluated has no effect on the outcome of the evaluation. All policies are evaluated, and the result is always that the request is either allowed or denied.
http://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_evaluation-logic.html
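As an added illustration of the evaluation logic the answer describes (this is example code written for this page, not code from the question, the answer or AWS), the following Python model applies the documented rules to the bucket policy from the question: every statement is tested, a matching Deny always wins, a matching Allow wins only if no Deny matches, and a request matching nothing is implicitly denied. The account and OAI principals are the ones from the question; the third principal (`OTHER_ARN`) and the extra Deny statement on a `private/` prefix are constructed for the demonstration and are not part of the original policy.

```python
import copy
import fnmatch
import json

# The bucket policy from the question, with the curly quotes corrected so it parses.
BUCKET_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "1",
      "Effect": "Allow",
      "Principal": {"AWS": "arn:aws:iam::12345678:root"},
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::AAAAAAA/*"
    },
    {
      "Sid": "2",
      "Effect": "Allow",
      "Principal": {"AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity ABCDEFGHI"},
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::AAAAAAA/*"
    }
  ]
}
""")

ROOT_ARN = "arn:aws:iam::12345678:root"
OAI_ARN = "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity ABCDEFGHI"
OTHER_ARN = "arn:aws:iam::999999999999:user/someone-else"  # constructed: a principal the policy never names


def _as_list(value):
    """Policy elements may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _wildcard_match(pattern, value):
    """Action and Resource support the IAM wildcards * and ? (ARNs contain no fnmatch brackets)."""
    return fnmatch.fnmatchcase(value, pattern)


def _principal_matches(principal, caller_arn):
    """Match an AWS principal element; a bare "*" means anyone, anonymous callers included."""
    if principal == "*":
        return True
    return any(p == "*" or p == caller_arn for p in _as_list(principal.get("AWS", [])))


def evaluate(policy, caller_arn, action, resource):
    """Return "Allow", "ExplicitDeny" or "ImplicitDeny" for one request.

    Every statement is examined regardless of its position. A matching Deny ends the
    evaluation with an explicit deny, a matching Allow (with no matching Deny) allows,
    and a request that matches no statement at all is implicitly denied.
    """
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not _principal_matches(stmt["Principal"], caller_arn):
            continue
        if not any(_wildcard_match(a, action) for a in _as_list(stmt["Action"])):
            continue
        if not any(_wildcard_match(r, resource) for r in _as_list(stmt["Resource"])):
            continue
        if stmt["Effect"] == "Deny":
            return "ExplicitDeny"  # no Allow anywhere in the policy can override this
        decision = "Allow"
    return decision


def reversed_statements(policy):
    """The same policy with its statements in the opposite order (order must not matter)."""
    flipped = copy.deepcopy(policy)
    flipped["Statement"].reverse()
    return flipped


def with_private_prefix_deny(policy):
    """Constructed variant: deny only the OAI under private/ to show a Deny overriding an Allow."""
    denied = copy.deepcopy(policy)
    denied["Statement"].append({
        "Sid": "3",
        "Effect": "Deny",
        "Principal": {"AWS": OAI_ARN},
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::AAAAAAA/private/*",
    })
    return denied


if __name__ == "__main__":
    obj = "arn:aws:s3:::AAAAAAA/index.html"
    for who in (ROOT_ARN, OAI_ARN, OTHER_ARN):
        print(f"{who}: s3:GetObject -> {evaluate(BUCKET_POLICY, who, 's3:GetObject', obj)}")
    secret = "arn:aws:s3:::AAAAAAA/private/secret.txt"
    print("OAI on a private/ object once the Deny is added:",
          evaluate(with_private_prefix_deny(BUCKET_POLICY), OAI_ARN, "s3:GetObject", secret))
```

The model covers only the bucket policy's Principal, Action and Resource elements; it does not evaluate Condition blocks, the callers' own identity-based policies or organisation SCPs, which AWS combines with the bucket policy in a real request. One practical consequence of the `root` principal in statement 1 is worth keeping in mind: it grants the account as a whole, so IAM users and roles inside account 12345678 still need `s3:GetObject` in their own identity-based policies before the bucket policy alone lets them read objects.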