Required permissions for actions on distributions Required permissions for actions on invalidations Required permissions for actions on origin access identities Required permissions for CloudFront actions related to Lambda@Edge Required permissions for actions on tags

CloudFront API permissions: actions, resources, and conditions reference

When you are setting up Access control and writing a permissions policy that you can attach to an IAM identity (identity-based policies), you can use the following tables as a reference. The tables list each CloudFront API operation, the corresponding actions for which you can grant permissions to perform the action, and the AWS resource for which you can grant the permissions. You specify the actions in the policy's Action field, and you specify the resource value in the policy's Resource field.

You can use AWS-wide condition keys in your CloudFront policies to express conditions. For a complete list of AWS-wide keys, see Available Keys in the IAM User Guide.

Topics

Required permissions for actions on distributions
Required permissions for actions on invalidations
Required permissions for actions on origin access identities
Required permissions for CloudFront actions related to Lambda@Edge
Required permissions for actions on tags

Required permissions for actions on distributions

CreateDistribution

Required Permissions (API Action):

cloudfront:CreateDistribution
acm:ListCertificates (CloudFront console only)
Only if you configure CloudFront to save access logs:
- s3:GetBucketAcl
- s3:PutBucketAcl
- The S3 ACL for the bucket must grant you FULL_CONTROL

Resources:

CloudFront: *
ACM: *
Amazon S3: If you configure CloudFront to save access logs, you can optionally restrict access to a specified bucket.

CreateDistributionWithTags

Required Permissions (API Action):

cloudfront:CreateDistribution, cloudfront:TagResource
acm:ListCertificates (CloudFront console only)
Only if you configure CloudFront to save access logs:
- s3:GetBucketAcl
- s3:PutBucketAcl
- The S3 ACL for the bucket must grant you FULL_CONTROL

Resources:

CloudFront: *
ACM: *
Amazon S3: If you configure CloudFront to save access logs, you can optionally restrict access to a specified bucket.

GetDistribution

Required Permissions (API Action): cloudfront:GetDistribution, acm:ListCertificates (CloudFront console only)

Resources: *

GetDistributionConfig

Required Permissions (API Action): cloudfront:GetDistributionConfig, acm:ListCertificates (CloudFront console only)

Resources: *

ListDistributions

Required Permissions (API Action): cloudfront:ListDistributions

Resources: *

UpdateDistribution

Required Permissions (API Action):

cloudfront:UpdateDistribution
acm:ListCertificates (CloudFront console only)
Only if you configure CloudFront to save access logs:
- s3:GetBucketAcl
- s3:PutBucketAcl
- The S3 ACL for the bucket must grant you FULL_CONTROL

Resources:

CloudFront: *
ACM: *
Amazon S3: If you configure CloudFront to save access logs, you can optionally restrict access to a specified bucket.

DeleteDistribution

Required Permissions (API Action): cloudfront:DeleteDistribution

Resources: *

Required permissions for actions on invalidations

CreateInvalidation

Required Permissions (API Action): cloudfront:CreateInvalidation

Resources: *

GetInvalidation

Required Permissions (API Action): cloudfront:GetInvalidation

Resources: *

ListInvalidations

Required Permissions (API Action): cloudfront:ListInvalidations

Resources: *

Required permissions for actions on origin access identities

CreateCloudFrontOriginAccessIdentity

Required Permissions (API Action): cloudfront:CreateCloudFrontOriginAccessIdentity

Resources: *

GetCloudFrontOriginAccessIdentity

Required Permissions (API Action): cloudfront:GetCloudFrontOriginAccessIdentity

Resources: *

GetCloudFrontOriginAccessIdentityConfig

Required Permissions (API Action): cloudfront:GetCloudFrontOriginAccessIdentityConfig

Resources: *

ListCloudFrontOriginAccessIdentities

Required Permissions (API Action): cloudfront:ListCloudFrontOriginAccessIdentities

Resources: *

UpdateCloudFrontOriginAccessIdentity

Required Permissions (API Action): cloudfront:UpdateCloudFrontOriginAccessIdentity

Resources: *

DeleteCloudFrontOriginAccessIdentity

Required Permissions (API Action): cloudfront:DeleteCloudFrontOriginAccessIdentity

Resources: *

Required permissions for CloudFront actions related to Lambda@Edge

To use Lambda@Edge, you need the following CloudFront permissions so you can create or update a distribution that includes triggers for Lambda functions.

CreateDistribution

Required Permissions (API Action):

cloudfront:CreateDistribution
acm:ListCertificates (CloudFront console only)
Only if you configure CloudFront to save access logs:
- s3:GetBucketAcl
- s3:PutBucketAcl
- The S3 ACL for the bucket must grant you FULL_CONTROL

Resources:

CloudFront: *
ACM: *
Amazon S3: If you configure CloudFront to save access logs, you can optionally restrict access to a specified bucket.

CreateDistributionWithTags

Required Permissions (API Action):

cloudfront:CreateDistribution, cloudfront:TagResource
acm:ListCertificates (CloudFront console only)
Only if you configure CloudFront to save access logs:
- s3:GetBucketAcl
- s3:PutBucketAcl
- The S3 ACL for the bucket must grant you FULL_CONTROL

Resources:

CloudFront: *
ACM: *
Amazon S3: If you configure CloudFront to save access logs, you can optionally restrict access to a specified bucket.

UpdateDistribution

Required Permissions (API Action):

cloudfront:UpdateDistribution
acm:ListCertificates (CloudFront console only)
Only if you configure CloudFront to save access logs:
- s3:GetBucketAcl
- s3:PutBucketAcl
- The S3 ACL for the bucket must grant you FULL_CONTROL

Resources: