CloudFront API Permissions: Actions, Resources, and Conditions Reference
When you are setting up access control and writing a permissions policy that you can attach to an IAM identity (an identity-based policy), you can use the following tables as a reference. The tables list each CloudFront API operation, the IAM action or actions you must be allowed to perform in order to call it, and the AWS resource on which you grant those actions. You specify the actions in the policy's Action field and the resource value in the policy's Resource field.
In these tables the resource value for CloudFront actions is always *, so a CloudFront permission applies to every distribution, invalidation, or origin access identity in the account; the only resource you can narrow is the Amazon S3 bucket that receives access logs. Where an entry lists more than one action (for example, CreateDistributionWithTags requires both cloudfront:CreateDistribution and cloudfront:TagResource), every listed action must be allowed or the call is denied. Actions marked "CloudFront console only" are needed by the console to populate its forms and are not required for calls made through the API or the CLI.
You can use AWS-wide condition keys in your CloudFront policies to express conditions. For a complete list of AWS-wide keys, see Available Keys in the IAM User Guide.
Topics
- Required Permissions for Actions on Web Distributions
- Required Permissions for Actions on RTMP Distributions
- Required Permissions for Actions on Invalidations
- Required Permissions for Actions on Origin Access Identities
- Required Permissions for CloudFront Actions Related to Lambda@Edge
- Required Permissions for Actions on Tags
Required Permissions for Actions on Web Distributions
- CreateDistribution
  Required Permissions (API Action):
  - cloudfront:CreateDistribution
  - acm:ListCertificates (CloudFront console only)
  - Only if you configure CloudFront to save access logs:
    - s3:GetBucketAcl
    - s3:PutBucketAcl
    - The S3 ACL for the bucket must grant you FULL_CONTROL
  Resources:
  - CloudFront: *
  - ACM: *
  - Amazon S3: If you configure CloudFront to save access logs, you can optionally restrict access to a specified bucket.
- CreateDistributionWithTags
  Required Permissions (API Action):
  - cloudfront:CreateDistribution
  - cloudfront:TagResource
  - acm:ListCertificates (CloudFront console only)
  - Only if you configure CloudFront to save access logs:
    - s3:GetBucketAcl
    - s3:PutBucketAcl
    - The S3 ACL for the bucket must grant you FULL_CONTROL
  Resources:
  - CloudFront: *
  - ACM: *
  - Amazon S3: If you configure CloudFront to save access logs, you can optionally restrict access to a specified bucket.
- GetDistribution
  Required Permissions (API Action):
  - cloudfront:GetDistribution
  - acm:ListCertificates (CloudFront console only)
  Resources: *
- GetDistributionConfig
  Required Permissions (API Action):
  - cloudfront:GetDistributionConfig
  - acm:ListCertificates (CloudFront console only)
  Resources: *
- ListDistributions
  Required Permissions (API Action):
  - cloudfront:ListDistributions
  Resources: *
- UpdateDistribution
  Required Permissions (API Action):
  - cloudfront:UpdateDistribution
  - acm:ListCertificates (CloudFront console only)
  - Only if you configure CloudFront to save access logs:
    - s3:GetBucketAcl
    - s3:PutBucketAcl
    - The S3 ACL for the bucket must grant you FULL_CONTROL
  Resources:
  - CloudFront: *
  - ACM: *
  - Amazon S3: If you configure CloudFront to save access logs, you can optionally restrict access to a specified bucket.
- DeleteDistribution
  Required Permissions (API Action):
  - cloudfront:DeleteDistribution
  Resources: *
Required Permissions for Actions on RTMP Distributions
- CreateStreamingDistribution
  Required Permissions (API Action):
  - cloudfront:CreateStreamingDistribution
  - Only if you configure CloudFront to save access logs:
    - s3:GetBucketAcl
    - s3:PutBucketAcl
    - The S3 ACL for the bucket must grant you FULL_CONTROL
  Resources:
  - CloudFront: *
  - Amazon S3: If you configure CloudFront to save access logs, you can optionally restrict access to a specified bucket.
- CreateStreamingDistributionWithTags
  Required Permissions (API Action):
  - cloudfront:CreateStreamingDistribution
  - cloudfront:TagResource
  - Only if you configure CloudFront to save access logs:
    - s3:GetBucketAcl
    - s3:PutBucketAcl
    - The S3 ACL for the bucket must grant you FULL_CONTROL
  Resources:
  - CloudFront: *
  - Amazon S3: If you configure CloudFront to save access logs, you can optionally restrict access to a specified bucket.
- GetStreamingDistribution
  Required Permissions (API Action):
  - cloudfront:GetStreamingDistribution
  Resources: *
- GetStreamingDistributionConfig
  Required Permissions (API Action):
  - cloudfront:GetStreamingDistributionConfig
  Resources: *
- ListStreamingDistributions
  Required Permissions (API Action):
  - cloudfront:ListStreamingDistributions
  Resources: *
- UpdateStreamingDistribution
  Required Permissions (API Action):
  - cloudfront:UpdateStreamingDistribution
  - Only if you configure CloudFront to save access logs:
    - s3:GetBucketAcl
    - s3:PutBucketAcl
    - The S3 ACL for the bucket must grant you FULL_CONTROL
  Resources:
  - CloudFront: *
  - Amazon S3: If you configure CloudFront to save access logs, you can optionally restrict access to a specified bucket.
- DeleteStreamingDistribution
  Required Permissions (API Action):
  - cloudfront:DeleteStreamingDistribution (note: cloudfront:DeleteDistribution applies to web distributions only and does not grant this operation)
  Resources: *
Required Permissions for Actions on Invalidations
- CreateInvalidation
  Required Permissions (API Action):
  - cloudfront:CreateInvalidation
  Resources: *
- GetInvalidation
  Required Permissions (API Action):
  - cloudfront:GetInvalidation
  Resources: *
- ListInvalidations
  Required Permissions (API Action):
  - cloudfront:ListInvalidations
  Resources: *
Required Permissions for Actions on Origin Access Identities
- CreateCloudFrontOriginAccessIdentity
  Required Permissions (API Action):
  - cloudfront:CreateCloudFrontOriginAccessIdentity
  Resources: *
- GetCloudFrontOriginAccessIdentity
  Required Permissions (API Action):
  - cloudfront:GetCloudFrontOriginAccessIdentity
  Resources: *
- GetCloudFrontOriginAccessIdentityConfig
  Required Permissions (API Action):
  - cloudfront:GetCloudFrontOriginAccessIdentityConfig
  Resources: *
- ListCloudFrontOriginAccessIdentities
  Required Permissions (API Action):
  - cloudfront:ListCloudFrontOriginAccessIdentities
  Resources: *
- UpdateCloudFrontOriginAccessIdentity
  Required Permissions (API Action):
  - cloudfront:UpdateCloudFrontOriginAccessIdentity
  Resources: *
- DeleteCloudFrontOriginAccessIdentity
  Required Permissions (API Action):
  - cloudfront:DeleteCloudFrontOriginAccessIdentity
  Resources: *
Required Permissions for CloudFront Actions Related to Lambda@Edge
To use Lambda@Edge, you need the following CloudFront permissions so you can create or update a distribution that includes triggers for Lambda functions. For information about the Lambda permissions that you need, see Setting IAM Permissions in the "AWS Lambda@Edge" chapter in the AWS Lambda Developer Guide.
- CreateDistribution
  Required Permissions (API Action):
  - cloudfront:CreateDistribution
  - acm:ListCertificates (CloudFront console only)
  - Only if you configure CloudFront to save access logs:
    - s3:GetBucketAcl
    - s3:PutBucketAcl
    - The S3 ACL for the bucket must grant you FULL_CONTROL
  Resources:
  - CloudFront: *
  - ACM: *
  - Amazon S3: If you configure CloudFront to save access logs, you can optionally restrict access to a specified bucket.
- CreateDistributionWithTags
  Required Permissions (API Action):
  - cloudfront:CreateDistribution
  - cloudfront:TagResource
  - acm:ListCertificates (CloudFront console only)
  - Only if you configure CloudFront to save access logs:
    - s3:GetBucketAcl
    - s3:PutBucketAcl
    - The S3 ACL for the bucket must grant you FULL_CONTROL
  Resources:
  - CloudFront: *
  - ACM: *
  - Amazon S3: If you configure CloudFront to save access logs, you can optionally restrict access to a specified bucket.
- UpdateDistribution
  Required Permissions (API Action):
  - cloudfront:UpdateDistribution
  - acm:ListCertificates (CloudFront console only)
  - Only if you configure CloudFront to save access logs:
    - s3:GetBucketAcl
    - s3:PutBucketAcl
    - The S3 ACL for the bucket must grant you FULL_CONTROL
  Resources:
  - CloudFront: *
  - ACM: *
  - Amazon S3: If you configure CloudFront to save access logs, you can optionally restrict access to a specified bucket.
Required Permissions for Actions on Tags
- TagResource
  Required Permissions (API Action):
  - cloudfront:TagResource
  Resources: *
- UntagResource
  Required Permissions (API Action):
  - cloudfront:UntagResource
  Resources: *
- ListTagsForResource
  Required Permissions (API Action):
  - cloudfront:ListTagsForResource
  Resources: *
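The following added example (not code from the CloudFront documentation) encodes the tables for web distributions, Lambda@Edge and tags as data, builds a least-privilege identity-based policy from them, and checks an arbitrary policy document for the two things the tables tell you to watch: that every action an operation needs is allowed (CreateDistributionWithTags needs cloudfront:TagResource as well as cloudfront:CreateDistribution, and the console additionally needs acm:ListCertificates), and that the S3 ACL actions used for access logging are scoped to the log bucket rather than to *. The bucket name, the aws:MultiFactorAuthPresent condition on DeleteDistribution, and the simplified evaluation that ignores Resource and Condition elements are assumptions of the example, not statements from the page.

```python
"""Check an identity-based IAM policy against the CloudFront action tables.

Added example, not code from the CloudFront documentation. The log bucket
ARN and the MFA condition on deletion are illustrative assumptions.
"""
import fnmatch
import json

# IAM actions required per CloudFront API operation, transcribed from the
# tables. acm:ListCertificates (console only) and the S3 ACL actions (access
# logging only) are kept separate because they are conditional.
REQUIRED_ACTIONS = {
    "CreateDistribution": {"cloudfront:CreateDistribution"},
    "CreateDistributionWithTags": {"cloudfront:CreateDistribution", "cloudfront:TagResource"},
    "GetDistribution": {"cloudfront:GetDistribution"},
    "GetDistributionConfig": {"cloudfront:GetDistributionConfig"},
    "ListDistributions": {"cloudfront:ListDistributions"},
    "UpdateDistribution": {"cloudfront:UpdateDistribution"},
    "DeleteDistribution": {"cloudfront:DeleteDistribution"},
    "CreateInvalidation": {"cloudfront:CreateInvalidation"},
    "TagResource": {"cloudfront:TagResource"},
    "UntagResource": {"cloudfront:UntagResource"},
}
CONSOLE_ONLY_ACTIONS = {"acm:ListCertificates"}
ACCESS_LOG_ACTIONS = {"s3:GetBucketAcl", "s3:PutBucketAcl"}

# Assumed (hypothetical) log bucket; the tables let you scope the S3 ACL
# actions to this bucket instead of granting them on "*".
LOG_BUCKET_ARN = "arn:aws:s3:::example-cloudfront-logs"


def _as_list(value):
    """IAM accepts either a string or a list for Statement, Action and Resource."""
    return value if isinstance(value, list) else [value]


def is_allowed(policy, action):
    """Simplified IAM evaluation: allowed if some Allow statement matches the
    action and no Deny statement does. Action patterns use IAM's '*' and '?'
    wildcards and are case-insensitive. Resource and Condition elements are
    deliberately not evaluated here."""
    allowed = denied = False
    for stmt in _as_list(policy["Statement"]):
        patterns = _as_list(stmt.get("Action", []))
        if any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns):
            if stmt.get("Effect") == "Deny":
                denied = True
            else:
                allowed = True
    return allowed and not denied


def missing_actions(policy, operations, console=False, access_logs=False):
    """Return the set of actions the policy still lacks for the given operations."""
    needed = set()
    for op in operations:
        needed |= REQUIRED_ACTIONS[op]
    if console:
        needed |= CONSOLE_ONLY_ACTIONS
    if access_logs:
        needed |= ACCESS_LOG_ACTIONS
    return {a for a in needed if not is_allowed(policy, a)}


def overbroad_s3_statements(policy):
    """Indexes of Allow statements that grant the access-log ACL actions on
    anything other than the log bucket itself (for example, Resource "*")."""
    bad = []
    for i, stmt in enumerate(_as_list(policy["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue
        patterns = [p.lower() for p in _as_list(stmt.get("Action", []))]
        grants_acl = any(fnmatch.fnmatchcase(a.lower(), p)
                         for a in ACCESS_LOG_ACTIONS for p in patterns)
        resources = _as_list(stmt.get("Resource", []))
        if grants_acl and any(r != LOG_BUCKET_ARN for r in resources):
            bad.append(i)
    return bad


def build_policy(with_tags=True, console=True, access_logs=True):
    """Least-privilege policy for managing web distributions, per the tables."""
    cf_actions = [
        "cloudfront:CreateDistribution",
        "cloudfront:GetDistribution",
        "cloudfront:GetDistributionConfig",
        "cloudfront:ListDistributions",
        "cloudfront:UpdateDistribution",
    ]
    if with_tags:
        cf_actions.append("cloudfront:TagResource")  # required by CreateDistributionWithTags
    statements = [
        {"Sid": "ManageDistributions", "Effect": "Allow", "Action": cf_actions, "Resource": "*"},
        # AWS-wide condition key: only allow deletion from an MFA-authenticated session.
        {"Sid": "DeleteWithMfa", "Effect": "Allow", "Action": "cloudfront:DeleteDistribution",
         "Resource": "*", "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}},
    ]
    if console:
        statements.append({"Sid": "ConsoleCertList", "Effect": "Allow",
                           "Action": "acm:ListCertificates", "Resource": "*"})
    if access_logs:  # scoped to the log bucket, not "*"
        statements.append({"Sid": "LogBucketAcl", "Effect": "Allow",
                           "Action": sorted(ACCESS_LOG_ACTIONS), "Resource": LOG_BUCKET_ARN})
    return {"Version": "2012-10-17", "Statement": statements}


if __name__ == "__main__":
    policy = build_policy()
    print(json.dumps(policy, indent=2))
    print("missing:", missing_actions(policy, {"CreateDistributionWithTags"},
                                      console=True, access_logs=True))
    print("over-broad S3 statements:", overbroad_s3_statements(policy))
```

Running the file prints the generated policy and the two check results. is_allowed is deliberately a subset of real IAM evaluation (it ignores resources, conditions, permissions boundaries and SCPs), so treat a clean result as necessary rather than sufficient, and confirm the final policy with the IAM policy simulator before relying on it.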