
I'm an AWS noob setting up a hobby site using Django and Wagtail CMS. I followed this guide to connecting an S3 bucket with django-storages. I then added CloudFront to my bucket, and everything works as expected: I'm able to upload images from Wagtail to my S3 bucket and can see that they are served through CloudFront.

However, the guide I followed turned off "Block all public access" on this bucket, which I've read is bad security practice. For that reason, I would like to set up CloudFront so that my bucket is private and my Django media files are only accessible through CloudFront, not S3. I tried turning "Block all public access" back on, and adding this bucket policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "2",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity XXXXXXXXXXXXXX"
            },
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::my-s3-bucket/*"
        }
    ]
}

The problem I'm encountering is that when I have "Block all public access" turned on, I receive AccessDenied messages on all my files. I can still upload new images and view them as stored in my AWS console. But I get AccessDenied if I try to view them at their CloudFront or S3 URLs.

What policies do I need to fix so that I can upload to my private S3 bucket from Django, but only allow those images to be viewable through CloudFront?


Update 1 for noob confusion: Realized I don't really understand how CDNs work and am perhaps confused about caching. Hopefully my edited question is clearer.

Update 2: Here's a screenshot of my CloudFront distribution and a screenshot of origins.

Update 3 (Possible solution): I seem to have this working after making a change to my bucket policy statements. When I created the OAI, I chose Yes, update the bucket policy, which added the OAI to my-s3-bucket. That policy was appended as a second statement to the original one made following the tutorial I linked above. My entire policy looked like this:

{
    "Version": "2012-10-17",
    "Id": "Policy1620442091089",
    "Statement": [
        {
            "Sid": "Stmt1620442087873",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::my-s3-bucket/*"
        },
        {
            "Sid": "2",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity XXXXXXXXXXXXXX"
            },
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::my-s3-bucket/*"
        }
    ]
}

I removed the original, top statement and left the new OAI CloudFront statement in place. My S3 bucket is now private and I no longer receive AccessDenied on CloudFront URLs.

Does anyone know if conflicting statements can have this effect? Or is it just a coincidence that the issue resolved after removing the original one?

  • Can you show us some screenshots of your CloudFront configuration? – jellycsc Jun 13 '22 at 14:15
  • @jellycsc yes I can do that. What sections of the console would be helpful? – user1267675 Jun 13 '22 at 15:03
  • origins in the Cloudfront distribution – jellycsc Jun 13 '22 at 17:00
  • Have you configured [OAI](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-restricting-access-to-s3.html)? – jellycsc Jun 13 '22 at 19:56
  • @jellycsc well, I think I did? I thought that's what the bucket policy I pasted in my question was. Giving the CloudFront OAI read access to the bucket. – user1267675 Jun 13 '22 at 22:41
  • Does this answer your question? [AWS CloudFront access denied to S3 bucket](https://stackoverflow.com/questions/42251745/aws-cloudfront-access-denied-to-s3-bucket) – Abdul Aziz Barkat Jun 14 '22 at 04:43
  • @AbdulAzizBarkat thanks for finding that. I read through all the solutions but none of them seemed to work for me, although the symptom is almost identical. – user1267675 Jun 14 '22 at 05:27
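An added example, not code from the question or from AWS/django-storages: a stdlib-only Python checker that separates the tutorial's `"Principal": "*"` statement from the OAI grant in the Update 3 policy and emits the policy with the public statement removed. AWS documents that with "Block all public access" enabled, a bucket whose policy contains a public statement is restricted to the bucket owner and AWS service principals, which is consistent with the OAI being denied until that statement was removed. The public-statement rule below is a simplified version of S3's own definition, and the sample policy is constructed from the question with the same placeholder OAI id.

```python
import copy
import json

# Constructed sample (not a real bucket): the two-statement policy from
# Update 3, the tutorial's "Principal": "*" grant beside the OAI grant.
SAMPLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "Stmt1620442087873", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::my-s3-bucket/*"},
    {"Sid": "2", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity XXXXXXXXXXXXXX"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::my-s3-bucket/*"}
  ]
}""")
# Substring present in every CloudFront Origin Access Identity principal ARN.
OAI_MARKER = ":cloudfront:user/CloudFront Origin Access Identity "


def _principals(stmt):
    """Flatten Principal ("*", a string, or {"AWS": str | [str]}) to a list."""
    principal = stmt.get("Principal", {})
    if isinstance(principal, str):
        return [principal]
    values = []
    for v in principal.values():
        values.extend(v if isinstance(v, list) else [v])
    return values


def is_public(stmt):
    """Simplified rule: an unconditioned Allow to principal "*" is public."""
    return (stmt.get("Effect") == "Allow" and "*" in _principals(stmt)
            and not stmt.get("Condition"))


def is_oai_grant(stmt):
    """Allow statement whose principal is a CloudFront OAI."""
    return stmt.get("Effect") == "Allow" and any(
        OAI_MARKER in p for p in _principals(stmt))


def audit_bucket_policy(policy):
    """Return the Sids of public statements and of OAI grants, separately."""
    stmts = policy.get("Statement", [])
    return {"public": [s.get("Sid", "<no Sid>") for s in stmts if is_public(s)],
            "oai": [s.get("Sid", "<no Sid>") for s in stmts if is_oai_grant(s)]}


def remove_public_statements(policy):
    """Copy of the policy with every public statement dropped (the Update 3 fix)."""
    fixed = copy.deepcopy(policy)
    fixed["Statement"] = [s for s in fixed.get("Statement", []) if not is_public(s)]
    return fixed
```

Run `audit_bucket_policy` against the policy returned by `aws s3api get-bucket-policy` before flipping "Block all public access" on; any Sid in the `public` list is the one to drop, and `remove_public_statements` produces the OAI-only policy.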

0 Answers