I have an S3 static website which I want to be accessible only via CloudFront.
I can safeguard the bucket with the policy below:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "PublicReadForGetBucketObjects",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::mybucketname/*",
      "Condition": {
        "StringEquals": {
          "aws:UserAgent": "SecretHash"
        }
      }
    }
  ]
}
```
And I have the custom header User-Agent set to the secret hash on the origin of the CF distribution.
My trouble comes with maintaining it as IaC.
The bucket is straightforward enough:

```yaml
Statement:
  - Sid: PublicReadForGetBucketObjects
    Effect: Allow
    Principal: '*'
    Action:
      - s3:GetObject
    Resource: arn:aws:s3:::mybucketname/*
    Condition:
      StringEquals:
        aws:UserAgent: "SecretHash"
```
I'm struggling to add this header to the origin in Serverless for the CloudFront distro's origin below:

```yaml
Origins:
  -
    DomainName: mybucketsite.com
    # OriginPath: mybucketorigin
    Id: bucketsitepath
    CustomOriginConfig:
      HTTPPort: 80
      HTTPSPort: 443
      OriginProtocolPolicy: 'http-only'
```
I've no doubt I'm having a dumb moment, but any help would be gratefully received.
Why maintain a secret hash and write a custom policy when AWS has already done it for you?
You can use origin access control (OAC) and origin access identity (OAI) to ensure that your private bucket is only accessible by CloudFront.
Read this post to learn more about OAI and OAC: Restricting access to an Amazon S3 origin
Also, refer to this pattern at ServerlessLand to learn how to do it using IaC - CloudFront to S3 with OAI
Another useful post from AWS Knowledge Center - How do I use my CloudFront distribution to restrict access to an Amazon S3 bucket?
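As an added illustration of the OAC approach the answer recommends (this is example configuration written for this page, not code from the question, the answer or the linked AWS posts), here is a Serverless Framework `resources` block that wires a private S3 bucket to a CloudFront distribution with an Origin Access Control. The logical IDs (`SiteBucket`, `SiteOAC`, `SiteDistribution`, `SiteBucketPolicy`), the bucket name and the OAC name are placeholders. The bucket policy grants `s3:GetObject` to the `cloudfront.amazonaws.com` service principal only when `AWS:SourceArn` matches this one distribution, so no `Principal: '*'` statement and no shared secret header are needed, and S3 Block Public Access can stay fully enabled.

```yaml
# Added example (not from the original post): CloudFront -> S3 with OAC in serverless.yml.
# Names below are placeholders; CloudFormation intrinsic functions use the long form
# (Fn::GetAtt, Ref, Fn::Sub) so the block works unchanged in a plain CloudFormation template.
resources:
  Resources:
    SiteBucket:
      Type: AWS::S3::Bucket
      Properties:
        BucketName: mybucketname            # placeholder
        PublicAccessBlockConfiguration:     # bucket stays private; CloudFront signs its requests
          BlockPublicAcls: true
          BlockPublicPolicy: true
          IgnorePublicAcls: true
          RestrictPublicBuckets: true

    SiteOAC:
      Type: AWS::CloudFront::OriginAccessControl
      Properties:
        OriginAccessControlConfig:
          Name: site-oac                    # placeholder
          OriginAccessControlOriginType: s3
          SigningBehavior: always           # SigV4-sign every request CloudFront sends to S3
          SigningProtocol: sigv4

    SiteDistribution:
      Type: AWS::CloudFront::Distribution
      Properties:
        DistributionConfig:
          Enabled: true
          DefaultRootObject: index.html
          Origins:
            - Id: s3origin
              # REST endpoint of the bucket, not the S3 website endpoint:
              # OAC/OAI only work against the REST endpoint.
              DomainName:
                Fn::GetAtt: [SiteBucket, RegionalDomainName]
              OriginAccessControlId:
                Fn::GetAtt: [SiteOAC, Id]
              S3OriginConfig:
                OriginAccessIdentity: ''    # required key, left empty when OAC is used
          DefaultCacheBehavior:
            TargetOriginId: s3origin
            ViewerProtocolPolicy: redirect-to-https
            # AWS managed "CachingOptimized" cache policy
            CachePolicyId: 658327ea-f89d-4fab-a63d-7e88639e58f6

    SiteBucketPolicy:
      Type: AWS::S3::BucketPolicy
      Properties:
        Bucket:
          Ref: SiteBucket
        PolicyDocument:
          Version: '2012-10-17'
          Statement:
            - Sid: AllowCloudFrontServicePrincipalReadOnly
              Effect: Allow
              Principal:
                Service: cloudfront.amazonaws.com
              Action: s3:GetObject
              Resource:
                Fn::Sub: '${SiteBucket.Arn}/*'
              Condition:
                StringEquals:
                  # Only this distribution may read; Ref on a distribution returns its ID
                  AWS:SourceArn:
                    Fn::Sub: 'arn:aws:cloudfront::${AWS::AccountId}:distribution/${SiteDistribution}'
```

Two practical caveats when moving from the website endpoint to the REST endpoint: `DefaultRootObject` only resolves the root path, so requests for `/some-dir/` no longer fall back to `/some-dir/index.html` unless you add that rewrite yourself (for example with a CloudFront Function), and S3 website redirect rules are not applied. After deployment, a direct `curl` against the bucket's REST URL should return 403 while the same path via the CloudFront domain returns 200, which is the quickest check that the `AWS:SourceArn` condition is doing its job.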