Amazon S3 origins with CloudFront
Amazon Simple Storage Service (Amazon S3) provides access controls in conjunction with AWS Identity and Access Management (IAM). When the bucket policy allows the s3:GetObject action for the CloudFront service principal, Amazon S3 allows the CloudFront distribution to access the content.
{
    "Version": "2012-10-17",
    "Statement": {
        "Sid": "AllowCloudFrontServicePrincipalReadOnly",
        "Effect": "Allow",
        "Principal": {
            "Service": "cloudfront.amazonaws.com"
        },
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::<S3 bucket name>/*",
        "Condition": {
            "StringEquals": {
                "AWS:SourceArn": "arn:aws:cloudfront::<AWS account ID>:distribution/<CloudFront distribution ID>"
            }
        }
    }
}
With this bucket policy set, you can turn on “Block all public access” to make the S3 bucket reachable only through CloudFront.
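As an added example (not code from the page or from AWS), the following Python audits a bucket policy against the pattern above: every Allow on s3:GetObject must name the CloudFront service principal and pin AWS:SourceArn to the expected distribution. The bucket name, account ID and distribution ID are constructed placeholders.

```python
import json

# Constructed sample following the page's policy; bucket, account and
# distribution identifiers are placeholders, not real resources.
DIST_ARN = "arn:aws:cloudfront::111122223333:distribution/EDFDVBD6EXAMPLE"
CLOUDFRONT_ONLY_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": {
        "Sid": "AllowCloudFrontServicePrincipalReadOnly",
        "Effect": "Allow",
        "Principal": {"Service": "cloudfront.amazonaws.com"},
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-bucket/*",
        "Condition": {"StringEquals": {"AWS:SourceArn": DIST_ARN}},
    },
})

# Constructed weak variant: anyone can read objects, so "Block all public
# access" becomes the only thing keeping the bucket off the open internet.
PUBLIC_READ_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": "*",
                   "Action": "s3:GetObject",
                   "Resource": "arn:aws:s3:::example-bucket/*"}],
})


def _as_list(value):
    # IAM lets most policy fields be a single value or a list; normalise.
    return value if isinstance(value, list) else [value]


def audit_bucket_policy(policy_json, expected_distribution_arn):
    """Return findings for Allow statements that grant object reads.

    An empty list means each read grant goes to the CloudFront service
    principal and is pinned to the expected distribution via AWS:SourceArn.
    """
    findings = []
    for stmt in _as_list(json.loads(policy_json)["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        if not any(a in ("s3:GetObject", "s3:*", "*") for a in actions):
            continue  # statement does not grant object reads
        sid = stmt.get("Sid", "<no Sid>")
        principal = stmt.get("Principal")
        if principal == "*" or principal == {"AWS": "*"}:
            findings.append(f"{sid}: grants object read to any principal")
            continue
        services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        if "cloudfront.amazonaws.com" not in services:
            findings.append(f"{sid}: principal is not the CloudFront service principal")
        # Condition keys are matched here by exact spelling, as written on the page.
        source_arn = stmt.get("Condition", {}).get("StringEquals", {}).get("AWS:SourceArn")
        if source_arn != expected_distribution_arn:
            findings.append(f"{sid}: AWS:SourceArn does not pin the expected distribution")
    return findings
```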