Shalom Carmel asked:
Cross account Cloudfront access to private S3 bucket

I have a non-public S3 bucket XXX on account X, and a CloudFront distribution on account Y that needs to use that bucket as the origin.

What I did so far:

* Added the canonical ID of account Y to the permissions of bucket XXX - I get 403 errors.
* Added a bucket policy to bucket XXX - I still get 403 errors:
{
    "Version": "2012-10-17",
    "Id": "Policy1234567890",
    "Statement": [
        {
            "Sid": "AllowRead",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::accountY:root"
            },
            "Action": "s3:Get*",
            "Resource": "arn:aws:s3:::XXX/*"
        },
        {
            "Sid": "AllowList",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::accountY:root"
            },
            "Action": "s3:List*",
            "Resource": "arn:aws:s3:::XXX/*"
        }
    ]
}

Any verified suggestions on how to do this?
Ramasamy P replied:

s3:Get* might look like a valid statement, and in a few cases it won't be.

Using "S3:GetObject" and "ListBucket" attributes with their respective locations will resolve the issue.
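The following script is an added example and is not code from the question or the reply. It makes the reply's point about "respective locations" concrete: s3:ListBucket is evaluated against the bucket ARN (arn:aws:s3:::XXX), so granting it on the object ARN (arn:aws:s3:::XXX/*) never takes effect. It also builds the bucket policy AWS documents for a CloudFront distribution that reads a private bucket through an origin access control (OAC): the grant goes to the service principal cloudfront.amazonaws.com, limited to one distribution by an AWS:SourceArn condition, rather than to the other account's root principal. The bucket name, account number and distribution ARN are constructed placeholders.

```python
"""Build and lint an S3 bucket policy for a cross-account CloudFront origin.

Added example, not code from the question or the reply. It assumes the
distribution uses a CloudFront origin access control (OAC), so the policy
grants cloudfront.amazonaws.com scoped to one distribution ARN. All bucket,
account and distribution values are constructed placeholders.
"""
import fnmatch
import json


def _as_list(value):
    """IAM policy fields may be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def build_cloudfront_origin_policy(bucket, distribution_arn):
    """Minimal bucket policy for an OAC-backed CloudFront origin."""
    only_this_distribution = {"StringEquals": {"AWS:SourceArn": distribution_arn}}
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowCloudFrontGetObject",
                "Effect": "Allow",
                "Principal": {"Service": "cloudfront.amazonaws.com"},
                "Action": "s3:GetObject",
                "Resource": f"arn:aws:s3:::{bucket}/*",   # object-level action
                "Condition": only_this_distribution,
            },
            {
                "Sid": "AllowCloudFrontListBucket",
                "Effect": "Allow",
                "Principal": {"Service": "cloudfront.amazonaws.com"},
                "Action": "s3:ListBucket",
                "Resource": f"arn:aws:s3:::{bucket}",     # bucket-level action: no /*
                "Condition": only_this_distribution,
            },
        ],
    }


def lint_policy(policy):
    """Return findings for the mistakes that commonly produce 403s here."""
    findings = []
    for stmt in policy.get("Statement", []):
        sid = stmt.get("Sid", "<no Sid>")
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        resources = _as_list(stmt.get("Resource", []))
        principal = stmt.get("Principal", {})
        object_arns_only = bool(resources) and all(r.endswith("/*") for r in resources)

        for action in actions:
            if "*" in action:
                findings.append(f"{sid}: wildcard action {action!r}; name s3:GetObject explicitly")
            # fnmatch expands patterns such as s3:list* so we see whether they
            # cover ListBucket, which only matches the bucket ARN.
            if fnmatch.fnmatch("s3:listbucket", action) and object_arns_only:
                findings.append(
                    f"{sid}: s3:ListBucket needs the bucket ARN, not an object ARN ending in /*; "
                    "this grant never applies"
                )
        # An "AWS" principal that is not a CloudFront origin access identity is an IAM
        # account/user grant; CloudFront does not sign S3 origin fetches with it.
        if isinstance(principal, dict) and "AWS" in principal and not any(
            "cloudfront" in p.lower() for p in _as_list(principal["AWS"])
        ):
            findings.append(f"{sid}: principal is an IAM account, not CloudFront (OAI/OAC)")
    return findings


# Constructed copy of the shape of the policy from the question.
ASKER_STYLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowRead", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
         "Action": "s3:Get*", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "AllowList", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
         "Action": "s3:List*", "Resource": "arn:aws:s3:::example-bucket/*"},
    ],
}

if __name__ == "__main__":
    for finding in lint_policy(ASKER_STYLE_POLICY):
        print("finding:", finding)
    fixed = build_cloudfront_origin_policy(
        "example-bucket", "arn:aws:cloudfront::111122223333:distribution/EXAMPLEID"
    )
    print(json.dumps(fixed, indent=2))
```

Running it lists the findings for the question-style policy (wildcard actions, ListBucket scoped to objects, and an IAM account rather than CloudFront as principal) and then prints the OAC policy, which the linter passes clean. The OAC policy is attached to the bucket in account X; the distribution ARN in the condition belongs to account Y, which is what makes the cross-account grant narrow.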