CloudFront API Permissions: Actions, Resources, and Conditions Reference
When you are setting up Access Control and writing a permissions policy
that you can attach to an IAM identity (identity-based policies), you can use the
following tables
as a reference. The tables list
each CloudFront API operation, the corresponding actions for which you can grant
permissions to perform the action, and the AWS resource for which you can grant
the permissions. You specify the actions in the policy's
Action field, and you specify the resource value in the policy's Resource field.
You can use AWS-wide condition keys in your CloudFront policies to express conditions. For a complete list of AWS-wide keys, see Available Keys in the IAM User Guide.
Topics
Required permissions for actions on distributions
- CreateDistribution
-
Required Permissions (API Action):
-
cloudfront:CreateDistribution -
acm:ListCertificates(CloudFront console only) -
Only if you configure CloudFront to save access logs:
-
s3:GetBucketAcl -
s3:PutBucketAcl -
The S3 ACL for the bucket must grant you
FULL_CONTROL
-
Resources:
-
CloudFront: *
-
ACM: *
-
Amazon S3: If you configure CloudFront to save access logs, you can optionally restrict access to a specified bucket.
-
- CreateDistributionWithTags
-
Required Permissions (API Action):
-
cloudfront:CreateDistribution,cloudfront:TagResource -
acm:ListCertificates(CloudFront console only) -
Only if you configure CloudFront to save access logs:
-
s3:GetBucketAcl -
s3:PutBucketAcl -
The S3 ACL for the bucket must grant you
FULL_CONTROL
-
Resources:
-
CloudFront: *
-
ACM: *
-
Amazon S3: If you configure CloudFront to save access logs, you can optionally restrict access to a specified bucket.
-
- GetDistribution
-
Required Permissions (API Action):
cloudfront:GetDistribution,acm:ListCertificates(CloudFront console only)Resources:
* - GetDistributionConfig
-
Required Permissions (API Action):
cloudfront:GetDistributionConfig,acm:ListCertificates(CloudFront console only)Resources:
* - ListDistributions
-
Required Permissions (API Action):
cloudfront:ListDistributionsResources:
* - UpdateDistribution
-
Required Permissions (API Action):
-
cloudfront:UpdateDistribution -
acm:ListCertificates(CloudFront console only) -
Only if you configure CloudFront to save access logs:
-
s3:GetBucketAcl -
s3:PutBucketAcl -
The S3 ACL for the bucket must grant you
FULL_CONTROL
-
Resources:
-
CloudFront: *
-
ACM: *
-
Amazon S3: If you configure CloudFront to save access logs, you can optionally restrict access to a specified bucket.
-
- DeleteDistribution
-
Required Permissions (API Action):
cloudfront:DeleteDistributionResources:
*
Required permissions for actions on invalidations
- CreateInvalidation
-
Required Permissions (API Action):
cloudfront:CreateInvalidationResources:
* - GetInvalidation
-
Required Permissions (API Action):
cloudfront:GetInvalidationResources:
* - ListInvalidations
-
Required Permissions (API Action):
cloudfront:ListInvalidationsResources:
*
Required permissions for actions on origin access identities
- CreateCloudFrontOriginAccessIdentity
-
Required Permissions (API Action):
cloudfront:CreateCloudFrontOriginAccessIdentityResources:
* - GetCloudFrontOriginAccessIdentity
-
Required Permissions (API Action):
cloudfront:GetCloudFrontOriginAccessIdentityResources:
* - GetCloudFrontOriginAccessIdentityConfig
-
Required Permissions (API Action):
cloudfront:GetCloudFrontOriginAccessIdentityConfigResources:
* - ListCloudFrontOriginAccessIdentities
-
Required Permissions (API Action):
cloudfront:ListCloudFrontOriginAccessIdentitiesResources:
* - UpdateCloudFrontOriginAccessIdentity
-
Required Permissions (API Action):
cloudfront:UpdateCloudFrontOriginAccessIdentityResources:
* - DeleteCloudFrontOriginAccessIdentity
-
Required Permissions (API Action):
cloudfront:DeleteCloudFrontOriginAccessIdentityResources:
*
Required permissions for CloudFront actions related to Lambda@Edge
To use Lambda@Edge, you need the following CloudFront permissions so you can create or update a distribution that includes triggers for Lambda functions. For information about the Lambda permissions that you need, see Setting IAM Permissions in the "AWS Lambda@Edge" chapter in the AWS Lambda Developer Guide.
- CreateDistribution
-
Required Permissions (API Action):
-
cloudfront:CreateDistribution -
acm:ListCertificates(CloudFront console only) -
Only if you configure CloudFront to save access logs:
-
s3:GetBucketAcl -
s3:PutBucketAcl -
The S3 ACL for the bucket must grant you
FULL_CONTROL
-
Resources:
-
CloudFront: *
-
ACM: *
-
Amazon S3: If you configure CloudFront to save access logs, you can optionally restrict access to a specified bucket.
-
- CreateDistributionWithTags
-
Required Permissions (API Action):
-
cloudfront:CreateDistribution,cloudfront:TagResource -
acm:ListCertificates(CloudFront console only) -
Only if you configure CloudFront to save access logs:
-
s3:GetBucketAcl -
s3:PutBucketAcl -
The S3 ACL for the bucket must grant you
FULL_CONTROL
-
Resources:
-
CloudFront: *
-
ACM: *
-
Amazon S3: If you configure CloudFront to save access logs, you can optionally restrict access to a specified bucket.
-
- UpdateDistribution
-
Required Permissions (API Action):
-
cloudfront:UpdateDistribution -
acm:ListCertificates(CloudFront console only) -
Only if you configure CloudFront to save access logs:
-
s3:GetBucketAcl -
s3:PutBucketAcl -
The S3 ACL for the bucket must grant you
FULL_CONTROL
-
Resources:
-
CloudFront: *
-
ACM: *
-
Amazon S3: If you configure CloudFront to save access logs, you can optionally restrict access to a specified bucket.
-
Required Permissions for actions on tags
- TagResource
-
Required Permissions (API Action):
cloudfront:TagResourceResources:
* - UntagResource
-
Required Permissions (API Action):
cloudfront:UntagResourceResources:
* - ListTagsForResource
-
Required Permissions (API Action):
cloudfront:ListTagsForResourceResources:
*
