CloudFront API permissions: actions, resources, and conditions reference
When you are setting up Access control and
writing a permissions policy that you can attach to an IAM identity (identity-based
policies), you can use the following tables as a reference. The tables list each CloudFront
API operation, the corresponding actions for which you can grant permissions to
perform
the action, and the AWS resource for which you can grant the permissions. You specify
the actions in the policy's Action field, and you specify the resource
value in the policy's Resource field.
You can use AWS-wide condition keys in your CloudFront policies to express conditions. For a complete list of AWS-wide keys, see Available Keys in the IAM User Guide.
Topics
Required permissions for actions on distributions
- CreateDistribution
-
Required Permissions (API Action):
-
cloudfront:CreateDistribution -
acm:ListCertificates(CloudFront console only) -
Only if you configure CloudFront to save access logs:
-
s3:GetBucketAcl -
s3:PutBucketAcl -
The S3 ACL for the bucket must grant you
FULL_CONTROL
-
Resources:
-
CloudFront: *
-
ACM: *
-
Amazon S3: If you configure CloudFront to save access logs, you can optionally restrict access to a specified bucket.
-
- CreateDistributionWithTags
-
Required Permissions (API Action):
-
cloudfront:CreateDistribution,cloudfront:TagResource -
acm:ListCertificates(CloudFront console only) -
Only if you configure CloudFront to save access logs:
-
s3:GetBucketAcl -
s3:PutBucketAcl -
The S3 ACL for the bucket must grant you
FULL_CONTROL
-
Resources:
-
CloudFront: *
-
ACM: *
-
Amazon S3: If you configure CloudFront to save access logs, you can optionally restrict access to a specified bucket.
-
- GetDistribution
-
Required Permissions (API Action):
cloudfront:GetDistribution,acm:ListCertificates(CloudFront console only)Resources:
* - GetDistributionConfig
-
Required Permissions (API Action):
cloudfront:GetDistributionConfig,acm:ListCertificates(CloudFront console only)Resources:
* - ListDistributions
-
Required Permissions (API Action):
cloudfront:ListDistributionsResources:
* - UpdateDistribution
-
Required Permissions (API Action):
-
cloudfront:UpdateDistribution -
acm:ListCertificates(CloudFront console only) -
Only if you configure CloudFront to save access logs:
-
s3:GetBucketAcl -
s3:PutBucketAcl -
The S3 ACL for the bucket must grant you
FULL_CONTROL
-
Resources:
-
CloudFront: *
-
ACM: *
-
Amazon S3: If you configure CloudFront to save access logs, you can optionally restrict access to a specified bucket.
-
- DeleteDistribution
-
Required Permissions (API Action):
cloudfront:DeleteDistributionResources:
*
Required permissions for actions on invalidations
- CreateInvalidation
-
Required Permissions (API Action):
cloudfront:CreateInvalidationResources:
* - GetInvalidation
-
Required Permissions (API Action):
cloudfront:GetInvalidationResources:
* - ListInvalidations
-
Required Permissions (API Action):
cloudfront:ListInvalidationsResources:
*
Required permissions for actions on origin access identities
- CreateCloudFrontOriginAccessIdentity
-
Required Permissions (API Action):
cloudfront:CreateCloudFrontOriginAccessIdentityResources:
* - GetCloudFrontOriginAccessIdentity
-
Required Permissions (API Action):
cloudfront:GetCloudFrontOriginAccessIdentityResources:
* - GetCloudFrontOriginAccessIdentityConfig
-
Required Permissions (API Action):
cloudfront:GetCloudFrontOriginAccessIdentityConfigResources:
* - ListCloudFrontOriginAccessIdentities
-
Required Permissions (API Action):
cloudfront:ListCloudFrontOriginAccessIdentitiesResources:
* - UpdateCloudFrontOriginAccessIdentity
-
Required Permissions (API Action):
cloudfront:UpdateCloudFrontOriginAccessIdentityResources:
* - DeleteCloudFrontOriginAccessIdentity
-
Required Permissions (API Action):
cloudfront:DeleteCloudFrontOriginAccessIdentityResources:
*
Required permissions for CloudFront actions related to Lambda@Edge
To use Lambda@Edge, you need the following CloudFront permissions so you can create or update a distribution that includes triggers for Lambda functions.
- CreateDistribution
-
Required Permissions (API Action):
-
cloudfront:CreateDistribution -
acm:ListCertificates(CloudFront console only) -
Only if you configure CloudFront to save access logs:
-
s3:GetBucketAcl -
s3:PutBucketAcl -
The S3 ACL for the bucket must grant you
FULL_CONTROL
-
Resources:
-
CloudFront: *
-
ACM: *
-
Amazon S3: If you configure CloudFront to save access logs, you can optionally restrict access to a specified bucket.
-
- CreateDistributionWithTags
-
Required Permissions (API Action):
-
cloudfront:CreateDistribution,cloudfront:TagResource -
acm:ListCertificates(CloudFront console only) -
Only if you configure CloudFront to save access logs:
-
s3:GetBucketAcl -
s3:PutBucketAcl -
The S3 ACL for the bucket must grant you
FULL_CONTROL
-
Resources:
-
CloudFront: *
-
ACM: *
-
Amazon S3: If you configure CloudFront to save access logs, you can optionally restrict access to a specified bucket.
-
- UpdateDistribution
-
Required Permissions (API Action):
-
cloudfront:UpdateDistribution -
acm:ListCertificates(CloudFront console only) -
Only if you configure CloudFront to save access logs:
-
s3:GetBucketAcl -
s3:PutBucketAcl -
The S3 ACL for the bucket must grant you
FULL_CONTROL
-
Resources:
-
CloudFront: *
-
ACM: *
-
Amazon S3: If you configure CloudFront to save access logs, you can optionally restrict access to a specified bucket.
-
Required permissions for actions on tags
- TagResource
-
Required Permissions (API Action):
cloudfront:TagResourceResources:
* - UntagResource
-
Required Permissions (API Action):
cloudfront:UntagResourceResources:
* - ListTagsForResource
-
Required Permissions (API Action):
cloudfront:ListTagsForResourceResources:
*
