Bootstrap FreeKB - Amazon Web Services (AWS) - CloudFront Distributions with non-public S3 Bucket


CloudFront is an Amazon Web Services (AWS) Content Delivery Network (CDN) service. One option is to serve objects (files) from an S3 Bucket. When first learning about CloudFront Distributions, I found it much easier to start with a public S3 Bucket, so you may want to check out my article Amazon Web Services (AWS) - Getting Started with CloudFront Distributions with public S3 Bucket before working through the non-public case here.

For example, let's say you have an index.html file in your S3 Bucket.


Let's create a CloudFront Distribution that uses the S3 Bucket as the origin.


Or, the CloudFront Distribution could be created using the aws cloudfront create-distribution command.

aws cloudfront create-distribution --origin-domain-name my-bucket-abc123.s3.amazonaws.com --default-root-object index.html


By default, S3 Buckets are set to block all public access.


Assuming your S3 Bucket is configured to block all public access, select "Origin access control settings (recommended)" as the origin access option when creating the Distribution. With origin access control (OAC), CloudFront authenticates its own requests to S3 as the cloudfront.amazonaws.com service principal, so the S3 Bucket can stay configured to block all public access.


After creating the CloudFront Distribution, a banner should appear telling you that the S3 Bucket Policy needs to be updated. Select Copy policy.


The copied policy JSON will look something like this.

{
    "Version": "2008-10-17",
    "Id": "PolicyForCloudFrontPrivateContent",
    "Statement": [
        {
            "Sid": "AllowCloudFrontServicePrincipal",
            "Effect": "Allow",
            "Principal": {
                "Service": "cloudfront.amazonaws.com"
            },
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::my-bucket-abc123/*",
            "Condition": {
                "StringEquals": {
                    "AWS:SourceArn": "arn:aws:cloudfront::123456789012:distribution/E3P9XL2JIBYIF"
                }
            }
        }
    ]
}


Let's update the S3 Bucket Policy with this JSON. Note how tightly the statement is scoped: it allows only s3:GetObject, only for the cloudfront.amazonaws.com service principal, only on objects in this bucket, and only when the request comes from this specific Distribution (the AWS:SourceArn condition). Without that condition, any CloudFront Distribution in any AWS account could read the bucket through the same service principal, so keep the condition when editing the policy.
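As an added example (not code from the article or from AWS), the following Python renders the same OAC bucket policy for a given bucket name and distribution ARN, and audits an existing policy for the three things that keep the bucket private: read-only action, resource limited to this bucket's objects, and an AWS:SourceArn condition pinned to the expected distribution. The bucket name and distribution ARN are the example values from the policy above; the function names, the audit rules, and the counter-example with the condition removed are assumptions of this example.

```python
import json

CLOUDFRONT_SERVICE = "cloudfront.amazonaws.com"

# Example values taken from the article's policy; replace with your own.
EXAMPLE_BUCKET = "my-bucket-abc123"
EXAMPLE_DISTRIBUTION_ARN = "arn:aws:cloudfront::123456789012:distribution/E3P9XL2JIBYIF"


def _as_list(value):
    """IAM policy fields may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def build_oac_bucket_policy(bucket_name, distribution_arn):
    """Render the bucket policy CloudFront proposes for Origin Access Control (OAC).

    The StringEquals condition on AWS:SourceArn is what keeps the bucket private:
    without it, any CloudFront distribution in any AWS account could read objects
    through the cloudfront.amazonaws.com service principal (a confused-deputy problem).
    """
    return {
        "Version": "2008-10-17",
        "Id": "PolicyForCloudFrontPrivateContent",
        "Statement": [
            {
                "Sid": "AllowCloudFrontServicePrincipal",
                "Effect": "Allow",
                "Principal": {"Service": CLOUDFRONT_SERVICE},
                "Action": "s3:GetObject",
                "Resource": f"arn:aws:s3:::{bucket_name}/*",
                "Condition": {"StringEquals": {"AWS:SourceArn": distribution_arn}},
            }
        ],
    }


def audit_oac_bucket_policy(policy, bucket_name, distribution_arn):
    """Check a bucket policy (dict or JSON string) against the OAC pattern.

    Returns a list of human-readable findings; an empty list means every Allow
    statement is either unrelated to CloudFront or is read-only, limited to this
    bucket's objects and pinned to the expected distribution ARN.
    """
    if isinstance(policy, str):
        policy = json.loads(policy)
    findings = []
    object_prefix = f"arn:aws:s3:::{bucket_name}/"

    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        principal = stmt.get("Principal", {})

        # Anonymous access defeats the whole point of a non-public bucket.
        if principal == "*" or (isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))):
            findings.append(f"{sid}: grants access to every principal (bucket is effectively public)")
            continue
        if not isinstance(principal, dict) or CLOUDFRONT_SERVICE not in _as_list(principal.get("Service")):
            continue  # not a CloudFront grant; out of scope for this check

        for action in _as_list(stmt.get("Action")):
            if action.lower() != "s3:getobject":
                findings.append(f"{sid}: allows {action}; CloudFront only needs s3:GetObject")

        for resource in _as_list(stmt.get("Resource")):
            if not resource.startswith(object_prefix):
                findings.append(f"{sid}: resource {resource} is not limited to objects in {bucket_name}")

        # Condition keys are case-insensitive in IAM, so match them that way.
        string_equals = stmt.get("Condition", {}).get("StringEquals", {})
        source_arns = []
        for key, value in string_equals.items():
            if key.lower() == "aws:sourcearn":
                source_arns.extend(_as_list(value))
        if not source_arns:
            findings.append(f"{sid}: no StringEquals AWS:SourceArn condition; any CloudFront distribution could read the bucket")
        for arn in source_arns:
            if arn != distribution_arn:
                findings.append(f"{sid}: AWS:SourceArn {arn} is not the expected distribution")

    return findings


def weak_policy_without_condition(bucket_name):
    """Constructed counter-example: the same grant with the SourceArn condition dropped."""
    policy = build_oac_bucket_policy(bucket_name, EXAMPLE_DISTRIBUTION_ARN)
    del policy["Statement"][0]["Condition"]
    return policy


if __name__ == "__main__":
    good = build_oac_bucket_policy(EXAMPLE_BUCKET, EXAMPLE_DISTRIBUTION_ARN)
    print(json.dumps(good, indent=4))
    print("findings (generated policy):", audit_oac_bucket_policy(good, EXAMPLE_BUCKET, EXAMPLE_DISTRIBUTION_ARN))
    weak = weak_policy_without_condition(EXAMPLE_BUCKET)
    print("findings (condition removed):", audit_oac_bucket_policy(weak, EXAMPLE_BUCKET, EXAMPLE_DISTRIBUTION_ARN))
```

The rendered JSON can be saved to a file and applied with aws s3api put-bucket-policy --bucket my-bucket-abc123 --policy file://policy.json, and the audit function can be pointed at the output of aws s3api get-bucket-policy to confirm a bucket that is supposed to be reachable only through one Distribution has not quietly been opened up.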


You should now have a Distribution domain name (d25ajrhgrwb9yb.cloudfront.net in this example). It may take a while, perhaps about 5 minutes, for the Distribution to be ready. Once the Last modified field shows a date and time, the Distribution should be good to go.


And there should be a behavior for your S3 Bucket origin that accepts both HTTP and HTTPS.


You would think you could immediately retrieve the file in your S3 Bucket using the URL of your CloudFront Distribution, such as d25ajrhgrwb9yb.cloudfront.net/index.html. But AccessDenied is often returned when you try to get a file from your S3 Bucket shortly after the CloudFront Distribution has been created. You might just need to wait overnight before you can retrieve the files in your S3 Bucket via the CloudFront Distribution URL, as alluded to in this Stack Overflow post.
