【发布时间】:2021-03-06 09:49:33
【问题描述】:
我正在尝试使用 Cloudformation 创建具有 S3 源的 Cloudfront。我想将 S3 对象限制为只能通过 Cloudfront 访问。但是,我使用 S3 直接 url 和 Cloudfront url 都被拒绝访问。
AWSTemplateFormatVersion: "2010-09-09"
Resources:
S3Bucket:
Type: AWS::S3::Bucket
Properties:
AccessControl: Private
CloudFrontOriginIdentity:
Type: 'AWS::CloudFront::CloudFrontOriginAccessIdentity'
Properties:
CloudFrontOriginAccessIdentityConfig:
Comment: 'origin identity'
BucketPolicy:
Type: 'AWS::S3::BucketPolicy'
Properties:
Bucket: !Ref S3Bucket
PolicyDocument:
Statement:
- Effect: Allow
Principal:
AWS: !Sub 'arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity ${CloudFrontOriginIdentity}'
Action: 's3:GetObject'
Resource: !Sub 'arn:aws:s3:::${S3Bucket}/*'
CloudFrontDistribution:
Type: 'AWS::CloudFront::Distribution'
Properties:
DistributionConfig:
DefaultCacheBehavior:
AllowedMethods:
- GET
- HEAD
- OPTIONS
CachedMethods:
- GET
- HEAD
- OPTIONS
Compress: true
DefaultTTL: 3600
ForwardedValues:
Cookies:
Forward: none
QueryString: false
MaxTTL: 86400
MinTTL: 60
TargetOriginId: s3origin
ViewerProtocolPolicy: 'redirect-to-https'
DefaultRootObject: 'index.html'
Enabled: true
HttpVersion: http2
Origins:
- DomainName: !GetAtt 'S3Bucket.DomainName'
Id: s3origin
S3OriginConfig:
OriginAccessIdentity: !Sub 'origin-access-identity/cloudfront/${CloudFrontOriginIdentity}'
在 S3 中,我得到了 index.html,里面只有 Hello。
创建的存储桶策略
{
"Version": "2008-10-17",
"Statement": [
{
"Sid": "",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity xxxxxxxxxxxx"
},
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::mystack-s3bucket-xxxxxxxxxxx/*"
}
]
}
【问题讨论】:
-
你能发布CFn创建的桶策略吗?
-
@jellycsc 添加
标签: amazon-web-services amazon-cloudformation amazon-cloudfront