Amazon CloudFront
Developer Guide (API Version 2013-05-12)

Using IAM to Control Access to CloudFront Resources

Amazon CloudFront integrates with AWS Identity and Access Management (IAM) so that you can create Users for your AWS Account and you can specify which CloudFront actions a User (or a group of Users) can perform in your AWS Account. You control User access to CloudFront by creating policies that describe User or group permissions. For example, you might create a policy that gives only certain Users in your organization permission to use GetDistributionConfig. They could then use the action to retrieve data about your CloudFront distributions.

For more information on using policies to set AWS Account User permissions, go to Permissions and Policies in Using AWS Identity and Access Management. For general information about IAM, go to AWS Identity and Access Management on the AWS website.

Important

Using Amazon CloudFront with IAM doesn't change how you use CloudFront. There are no changes to CloudFront actions, and no new CloudFront actions related to Users and access control.

CloudFront Resources

You use an asterisk (*) as the resource when writing a policy to control access to CloudFront actions. This is because you can't use IAM to control access to specific CloudFront resources. For example, you can't give Users access to a specific distribution. Permissions granted using IAM include all the resources you use with CloudFront. Because you cannot specify the resources to control access to, there are no CloudFront resource ARNs (Amazon Resource Names) for you to use in an IAM policy. (For detailed information about using ARNs with IAM, go to "ARNs" in the Identifiers for IAM Entities section of Using AWS Identity and Access Management.)

CloudFront Actions

In an IAM policy, you can specify any and all API actions that CloudFront offers. The action name must be prefixed with the lowercase string cloudfront:. For example: cloudfront:GetDistributionConfig, cloudfront:ListInvalidations, or cloudfront:* (for all CloudFront actions).

The following tables list the canonical names for all CloudFront actions. Use these canonical names when specifying APIs in IAM policies.

Download Distributions

API Actions for Download Distributions    Canonical Name
POST Distribution                         CreateDistribution
GET Distribution                          GetDistribution
GET Distribution Config                   GetDistributionConfig
PUT Distribution Config                   UpdateDistribution
GET Distribution List                     ListDistributions
DELETE Distribution                       DeleteDistribution

Streaming Distributions

API Actions for Streaming Distributions   Canonical Name
POST Streaming Distribution               CreateStreamingDistribution
GET Streaming Distribution                GetStreamingDistribution
GET Streaming Distribution Config         GetStreamingDistributionConfig
PUT Streaming Distribution Config         UpdateStreamingDistribution
GET Streaming Distribution List           ListStreamingDistributions
DELETE Streaming Distribution             DeleteStreamingDistribution

Invalidations

API Actions for Invalidations             Canonical Name
POST Invalidation                         CreateInvalidation
GET Invalidation                          GetInvalidation
GET Invalidation List                     ListInvalidations

Origin Access Identities

API Actions for Origin Access Identities  Canonical Name
POST Origin Access Identity               CreateCloudFrontOriginAccessIdentity
GET Origin Access Identity                GetCloudFrontOriginAccessIdentity
GET Origin Access Identity Config         GetCloudFrontOriginAccessIdentityConfig
PUT Origin Access Identity Config         UpdateCloudFrontOriginAccessIdentity
GET Origin Access Identity List           ListCloudFrontOriginAccessIdentities
DELETE Origin Access Identity             DeleteCloudFrontOriginAccessIdentity

Policy Keys

Policy keys enable you to add conditions to your policies, such as request date or IP range. CloudFront implements the AWS-wide policy keys, but no others. For more information about policy keys, see "Condition" in the Element Descriptions section of Using AWS Identity and Access Management.

Example Policies for CloudFront

This section shows a few simple policies for controlling user access to CloudFront.

Note

In the future, CloudFront might add new actions that should logically be included in one of the following policies, based on the policy's stated goals.

Example 1: Allow a group read and write access to all resources owned by the account

This example creates a policy that is attached to a group (for example, the Developers group) to give the group read and write access to all CloudFront resources.

{
   "Version": "2012-10-17",
   "Statement": [{
      "Effect": "Allow",
      "Action": ["cloudfront:*"],
      "Resource": "*"
   }]
}

Example 2: Allow a group read access to all resources owned by the account

This example creates a policy that is attached to a group (for example, the Finance group) to give the group read access to all CloudFront resources.

{
   "Version": "2012-10-17",
   "Statement": [{
      "Effect": "Allow",
      "Action": ["cloudfront:Get*", "cloudfront:List*"],
      "Resource": "*"
   }]
}

Example 3: Allow a group read and write access to all distributions owned by the account

This example creates a policy that is attached to a group (for example, the Ops group) to give the group read and write access to all distributions, but not access to invalidations or origin access identities.

{
   "Version": "2012-10-17",
   "Statement": [{
      "Effect": "Allow",
      "Action": ["cloudfront:*Distribution*"],
      "Resource": "*"
   }]
}

Example 4: Allow a group to retrieve CloudFront distribution data, but only if they're using SSL with the request

This example creates a policy that is attached to a group to give the group access to all CloudFront actions, with a condition that requires use of SSL.

{
   "Version": "2012-10-17",
   "Statement": [{
      "Effect": "Allow",
      "Action": ["cloudfront:*"],
      "Resource": "*",
      "Condition": {
         "Bool": {
            "aws:SecureTransport": "true"
         }
      }
   }]
}
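The wildcards in Examples 2 and 3 and the SSL condition in Example 4 are easy to misjudge by eye: "cloudfront:*Distribution*" covers streaming distributions as well as download distributions, and a Bool condition on aws:SecureTransport denies the request when the key is absent, not only when it is "false". The following Python program is an added example, not AWS code or part of this guide: it expands each example policy against the canonical action names from the tables above using a toy evaluator. It models only the slice of IAM semantics these examples use (Allow statements, "*" and "?" wildcards matched case-insensitively, the Bool operator, implicit deny); explicit Deny statements, resource matching and other policy types are assumed out of scope, so treat the IAM policy simulator as the authoritative check.

```python
"""Toy evaluator for the example CloudFront IAM policies on this page.

Added example, not AWS code. Assumptions: IAM action patterns treat '*' as
any run of characters and '?' as one character, compared case-insensitively;
a Bool condition fails when its key is missing from the request context;
anything not explicitly allowed is implicitly denied. Explicit Deny,
resource matching and other policy types are deliberately not modelled.
"""
import json
import re

# Canonical CloudFront action names, taken from the tables above.
CLOUDFRONT_ACTIONS = [
    "CreateDistribution", "GetDistribution", "GetDistributionConfig",
    "UpdateDistribution", "ListDistributions", "DeleteDistribution",
    "CreateStreamingDistribution", "GetStreamingDistribution",
    "GetStreamingDistributionConfig", "UpdateStreamingDistribution",
    "ListStreamingDistributions", "DeleteStreamingDistribution",
    "CreateInvalidation", "GetInvalidation", "ListInvalidations",
    "CreateCloudFrontOriginAccessIdentity",
    "GetCloudFrontOriginAccessIdentity",
    "GetCloudFrontOriginAccessIdentityConfig",
    "UpdateCloudFrontOriginAccessIdentity",
    "ListCloudFrontOriginAccessIdentities",
    "DeleteCloudFrontOriginAccessIdentity",
]

# Examples 2, 3 and 4 from this page, as written.
EXAMPLE_2 = json.loads("""{"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": ["cloudfront:Get*", "cloudfront:List*"],
    "Resource": "*"}]}""")
EXAMPLE_3 = json.loads("""{"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": ["cloudfront:*Distribution*"],
    "Resource": "*"}]}""")
EXAMPLE_4 = json.loads("""{"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": ["cloudfront:*"], "Resource": "*",
    "Condition": {"Bool": {"aws:SecureTransport": "true"}}}]}""")


def action_matches(pattern, action):
    """IAM-style wildcard match: '*' is any run, '?' one character,
    everything else literal, compared case-insensitively."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, action, re.IGNORECASE) is not None


def condition_holds(condition, context):
    """Evaluate a Condition block against the request context.
    Only the Bool operator (as in Example 4) is modelled; a key that is
    absent from the context makes the condition fail."""
    for operator, clauses in condition.items():
        if operator != "Bool":
            raise NotImplementedError("operator not modelled: " + operator)
        for key, expected in clauses.items():
            actual = context.get(key)
            if actual is None or str(actual).lower() != str(expected).lower():
                return False
    return True


def is_allowed(policy, action, context=None):
    """True if some Allow statement matches the action and its condition holds."""
    context = context or {}
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        patterns = stmt["Action"]
        if isinstance(patterns, str):
            patterns = [patterns]
        if (any(action_matches(p, action) for p in patterns)
                and condition_holds(stmt.get("Condition", {}), context)):
            return True
    return False  # implicit deny


def allowed_actions(policy, context=None):
    """Expand a policy against the canonical list of CloudFront actions."""
    return [a for a in CLOUDFRONT_ACTIONS
            if is_allowed(policy, "cloudfront:" + a, context)]


if __name__ == "__main__":
    for name, policy in (("Example 2", EXAMPLE_2), ("Example 3", EXAMPLE_3)):
        print(name, "allows:", ", ".join(allowed_actions(policy)))
    over_ssl = {"aws:SecureTransport": "true"}
    print("Example 4 over SSL:", len(allowed_actions(EXAMPLE_4, over_ssl)), "actions")
    print("Example 4 without SSL context:", len(allowed_actions(EXAMPLE_4)), "actions")
```

Running it shows Example 2 granting the 11 Get and List actions, Example 3 granting all 12 download and streaming distribution actions and none of the invalidation or origin access identity actions, and Example 4 granting all 21 actions only when aws:SecureTransport is "true" in the request context. Before attaching a policy to a real group, confirm the same expansion with the IAM policy simulator rather than relying on this toy evaluator.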