Amazon CloudFront
Developer Guide (API Version 2016-09-07)

CloudFront API Permissions: Actions, Resources, and Conditions Reference

When you set up Access Control and write a permissions policy to attach to an IAM identity (an identity-based policy), use the following tables as a reference. Each table lists a CloudFront API operation, the action or actions you must grant so that the identity can perform that operation, and the AWS resource on which you grant them. You specify the actions in the policy's Action field and the resource in the policy's Resource field.

Every CloudFront action in these tables is listed with * as its resource, so an identity-based policy cannot be scoped to a single distribution, invalidation, or origin access identity: any identity that can update or delete one distribution can update or delete all of them in the account. Grant the create, update, and delete actions only to identities that need them. The only resource you can narrow is the S3 log bucket used by the access-logging s3 actions.

You can use AWS-wide condition keys (for example, aws:MultiFactorAuthPresent or aws:SourceIp) in your CloudFront policies to express conditions. For a complete list of AWS-wide keys, see Available Keys in the IAM User Guide.

Required Permissions for Actions on Web Distributions

| CloudFront API Operation | Required Permissions (API Actions) | Resources |
| --- | --- | --- |
| POST Distribution (CreateDistribution) | cloudfront:CreateDistribution, plus the access-logging permissions (1) | * |
| POST Distribution With Tags (CreateDistributionWithTags) | cloudfront:CreateDistribution and cloudfront:TagResource, plus the access-logging permissions (1) | * |
| GET Distribution (GetDistribution) | cloudfront:GetDistribution | * |
| GET Distribution Config (GetDistributionConfig) | cloudfront:GetDistributionConfig | * |
| GET Distribution List (ListDistributions) | cloudfront:ListDistributions | * |
| PUT Distribution Config (UpdateDistribution) | cloudfront:UpdateDistribution, plus the access-logging permissions (1) | * |
| DELETE Distribution (DeleteDistribution) | cloudfront:DeleteDistribution | * |

(1) Only if you configure CloudFront to save access logs: s3:GetBucketAcl and s3:PutBucketAcl. In addition, the S3 ACL for the log bucket must grant you FULL_CONTROL; that is a bucket ACL requirement, not a policy action. For these two s3 actions the Resource can be *, or you can optionally restrict it to the specified log bucket.
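As an added example (not code from the CloudFront Developer Guide), the following Python script transcribes the web-distribution table above into a lookup, builds a least-privilege identity-based policy for a chosen set of operations (CloudFront actions on *, the access-logging s3 actions scoped to the log bucket's ARN, and the AWS-wide aws:MultiFactorAuthPresent condition key mentioned in the introduction attached to the CloudFront statement), and checks an arbitrary policy's Action field against the table, expanding IAM action wildcards such as cloudfront:Get*. The function names, the sample policies, and the bucket name example-logs are this example's own assumptions.

```python
"""Least-privilege policy builder and checker for the CloudFront actions listed above.

Added example, not code from the CloudFront Developer Guide. REQUIRED_ACTIONS
is transcribed from the web-distribution table on this page; everything else
(function names, the sample policies, the bucket name) is this example's own.
"""
import fnmatch
import json

# Operation -> (always-required actions, actions required only when access logging is on).
# The FULL_CONTROL bucket ACL requirement from the table is not an IAM action, so it is
# not modelled here; check the bucket ACL separately.
LOGGING_ACTIONS = ["s3:GetBucketAcl", "s3:PutBucketAcl"]
REQUIRED_ACTIONS = {
    "CreateDistribution": (["cloudfront:CreateDistribution"], LOGGING_ACTIONS),
    "CreateDistributionWithTags": (["cloudfront:CreateDistribution", "cloudfront:TagResource"], LOGGING_ACTIONS),
    "GetDistribution": (["cloudfront:GetDistribution"], []),
    "GetDistributionConfig": (["cloudfront:GetDistributionConfig"], []),
    "ListDistributions": (["cloudfront:ListDistributions"], []),
    "UpdateDistribution": (["cloudfront:UpdateDistribution"], LOGGING_ACTIONS),
    "DeleteDistribution": (["cloudfront:DeleteDistribution"], []),
}


def required_actions(operation, logging_enabled):
    """Sorted list of IAM actions the table requires for one API operation."""
    always, with_logging = REQUIRED_ACTIONS[operation]
    return sorted(set(always) | (set(with_logging) if logging_enabled else set()))


def build_policy(operations, log_bucket=None, require_mfa=True):
    """Identity-based policy granting exactly the listed operations.

    CloudFront actions get Resource "*" (the only value the table allows).
    The s3 actions, needed only when log_bucket is set, are scoped to that
    bucket's ARN instead of "*", which the table permits as an option.
    """
    cf_actions, s3_actions = set(), set()
    for op in operations:
        for action in required_actions(op, logging_enabled=log_bucket is not None):
            (s3_actions if action.startswith("s3:") else cf_actions).add(action)
    cf_stmt = {"Sid": "CloudFrontApi", "Effect": "Allow", "Action": sorted(cf_actions), "Resource": "*"}
    if require_mfa:  # AWS-wide condition key: the caller must have authenticated with MFA
        cf_stmt["Condition"] = {"Bool": {"aws:MultiFactorAuthPresent": "true"}}
    statements = [cf_stmt]
    if s3_actions:
        statements.append({"Sid": "LogBucketAcl", "Effect": "Allow", "Action": sorted(s3_actions),
                           "Resource": f"arn:aws:s3:::{log_bucket}"})
    return {"Version": "2012-10-17", "Statement": statements}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, action):
    # IAM action matching is case-insensitive and supports the * and ? wildcards.
    return any(fnmatch.fnmatchcase(action.lower(), pattern.lower()) for pattern in patterns)


def missing_actions(policy, operation, logging_enabled):
    """Required actions that no Allow statement grants or that a Deny statement blocks.

    Only the Action field is evaluated: Resource, Condition and NotAction are
    ignored, so a Deny is treated as unconditional. Use this as a pre-flight
    check on a policy before attaching it, not as a full IAM simulation.
    """
    allowed, denied = [], []
    for stmt in _as_list(policy["Statement"]):
        (allowed if stmt["Effect"] == "Allow" else denied).extend(_as_list(stmt.get("Action", [])))
    return [a for a in required_actions(operation, logging_enabled)
            if _matches(denied, a) or not _matches(allowed, a)]


# Constructed sample policies for the checker (not from the page).
READ_ONLY_POLICY = {"Version": "2012-10-17",
                    "Statement": {"Effect": "Allow", "Action": "cloudfront:Get*", "Resource": "*"}}
DENY_DELETE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "cloudfront:*", "Resource": "*"},
    {"Effect": "Deny", "Action": "cloudfront:DeleteDistribution", "Resource": "*"}]}

if __name__ == "__main__":
    policy = build_policy(["CreateDistribution", "UpdateDistribution"], log_bucket="example-logs")
    print(json.dumps(policy, indent=2))
    # This policy lacks cloudfront:TagResource, so it cannot create a distribution with tags.
    print(missing_actions(policy, "CreateDistributionWithTags", logging_enabled=True))
```

The checker deliberately evaluates only the Action field, so it tells you which action names a policy is missing before you attach it; it does not replace the IAM policy simulator for questions that depend on resources or conditions.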


Required Permissions for Actions on RTMP Distributions

| CloudFront API Operation | Required Permissions (API Actions) | Resources |
| --- | --- | --- |
| POST Streaming Distribution (CreateStreamingDistribution) | cloudfront:CreateStreamingDistribution, plus the access-logging permissions (1) | * |
| POST Streaming Distribution With Tags (CreateStreamingDistributionWithTags) | cloudfront:CreateStreamingDistribution and cloudfront:TagResource, plus the access-logging permissions (1) | * |
| GET Streaming Distribution (GetStreamingDistribution) | cloudfront:GetStreamingDistribution | * |
| GET Streaming Distribution Config (GetStreamingDistributionConfig) | cloudfront:GetStreamingDistributionConfig | * |
| GET Streaming Distribution List (ListStreamingDistributions) | cloudfront:ListStreamingDistributions | * |
| PUT Streaming Distribution Config (UpdateStreamingDistribution) | cloudfront:UpdateStreamingDistribution, plus the access-logging permissions (1) | * |
| DELETE Streaming Distribution (DeleteStreamingDistribution) | cloudfront:DeleteStreamingDistribution | * |

(1) Only if you configure CloudFront to save access logs: s3:GetBucketAcl and s3:PutBucketAcl. In addition, the S3 ACL for the log bucket must grant you FULL_CONTROL; that is a bucket ACL requirement, not a policy action. For these two s3 actions the Resource can be *, or you can optionally restrict it to the specified log bucket.


Required Permissions for Actions on Invalidations

| CloudFront API Operation | Required Permissions (API Actions) | Resources |
| --- | --- | --- |
| POST Invalidation (CreateInvalidation) | cloudfront:CreateInvalidation | * |
| GET Invalidation (GetInvalidation) | cloudfront:GetInvalidation | * |
| GET Invalidation List (ListInvalidations) | cloudfront:ListInvalidations | * |


Required Permissions for Actions on Origin Access Identities

| CloudFront API Operation | Required Permissions (API Actions) | Resources |
| --- | --- | --- |
| POST Origin Access Identity (CreateCloudFrontOriginAccessIdentity) | cloudfront:CreateCloudFrontOriginAccessIdentity | * |
| GET Origin Access Identity (GetCloudFrontOriginAccessIdentity) | cloudfront:GetCloudFrontOriginAccessIdentity | * |
| GET Origin Access Identity Config (GetCloudFrontOriginAccessIdentityConfig) | cloudfront:GetCloudFrontOriginAccessIdentityConfig | * |
| GET Origin Access Identity List (ListCloudFrontOriginAccessIdentities) | cloudfront:ListCloudFrontOriginAccessIdentities | * |
| PUT Origin Access Identity Config (UpdateCloudFrontOriginAccessIdentity) | cloudfront:UpdateCloudFrontOriginAccessIdentity | * |
| DELETE Origin Access Identity (DeleteCloudFrontOriginAccessIdentity) | cloudfront:DeleteCloudFrontOriginAccessIdentity | * |


Required Permissions for Actions on Tags

| CloudFront API Operation | Required Permissions (API Actions) | Resources |
| --- | --- | --- |
| POST Tag Resource (TagResource) | cloudfront:TagResource | * |
| POST Untag Resource (UntagResource) | cloudfront:UntagResource | * |
| GET Tags (ListTagsForResource) | cloudfront:ListTagsForResource | * |