Configuring AWS IAM Policy for S3 Bucket and CloudFront

Here’s an IAM policy you can use to grant a specific user or group rights to an individual S3 bucket and to CloudFront. At the time of writing, CloudFront could not be restricted by resource (such as distribution ID), so the CloudFront statement has to use "*" as its resource; the S3 statement, by contrast, can be limited to a single bucket. (CloudFront has since gained resource-level permissions for distributions, with ARNs of the form arn:aws:cloudfront::account-id:distribution/distribution-id, so a newer policy can scope that statement too.) Note also that "s3:*" on the bucket ARN includes bucket-level actions such as s3:DeleteBucket and s3:PutBucketPolicy; for a deployment user it is safer to list only the actions actually needed (s3:ListBucket on the bucket, and s3:GetObject, s3:PutObject and s3:DeleteObject on its objects).

Initially, I ran into trouble setting up this policy because I only granted rights to “bucketname” and not “bucketname/*” as you can see below.

I encountered this on the path to setting up AWS hosting with S3 and CloudFront for a static website.


{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::mybucketname",
        "arn:aws:s3:::mybucketname/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": "cloudfront:*",
      "Resource": "*"
    }
  ]
}

“ARN” is the Amazon Resource Name. The general formats are the following:

  • arn:aws:service:region:account:resource
  • arn:aws:service:region:account:resourcetype/resource
  • arn:aws:service:region:account:resourcetype:resource

In the case of S3 resources, the region and account fields are left empty because bucket names are global, so the formats are “arn:aws:s3:::mybucketname” for the bucket itself and “arn:aws:s3:::mybucketname/object” for an object in it (with “arn:aws:s3:::mybucketname/*” covering every object). Bucket-level actions such as s3:ListBucket are checked against the bucket ARN, while object-level actions such as s3:GetObject and s3:PutObject are checked against the object ARN. A policy that names only the bucket ARN therefore lets the user list the bucket but not read or write anything in it, which is exactly the trouble described above.
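To make the bucket-versus-object distinction concrete, here is a small Python policy evaluator written for this page (it is not AWS code and not part of the original post). It runs the first, bucket-only version of the policy, the corrected version above, and a least-privilege variant against the calls a static-site deploy actually makes. The account ID, distribution ID and object keys are made up, and only Effect, Action and Resource are modelled, so it is a teaching aid rather than a substitute for the IAM policy simulator.

```python
"""Minimal IAM policy evaluator (added example, not AWS or the post's code).

Models only Effect/Action/Resource with IAM's '*' and '?' wildcards.
NotAction, NotResource, Principal and Condition are deliberately ignored.
All bucket, account and distribution identifiers below are made up.
"""
import json
import re

BUCKET = "arn:aws:s3:::mybucketname"

# The first attempt described in the post: bucket ARN only, no bucketname/*.
BROKEN_POLICY = json.loads("""
{ "Version": "2012-10-17",
  "Statement": [
    { "Effect": "Allow", "Action": "s3:*", "Resource": "arn:aws:s3:::mybucketname" },
    { "Effect": "Allow", "Action": "cloudfront:*", "Resource": "*" } ] }
""")

# The corrected policy shown in the post.
FIXED_POLICY = json.loads("""
{ "Version": "2012-10-17",
  "Statement": [
    { "Effect": "Allow", "Action": "s3:*",
      "Resource": ["arn:aws:s3:::mybucketname", "arn:aws:s3:::mybucketname/*"] },
    { "Effect": "Allow", "Action": "cloudfront:*", "Resource": "*" } ] }
""")

# A least-privilege variant for a static-site deploy user (assumption: the user
# only syncs files into the bucket and invalidates the CloudFront cache).
LEAST_PRIVILEGE_POLICY = json.loads("""
{ "Version": "2012-10-17",
  "Statement": [
    { "Effect": "Allow", "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::mybucketname" },
    { "Effect": "Allow",
      "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
      "Resource": "arn:aws:s3:::mybucketname/*" },
    { "Effect": "Allow", "Action": "cloudfront:CreateInvalidation", "Resource": "*" } ] }
""")


def _iam_match(pattern, value, ignore_case=False):
    """IAM wildcard match: '*' matches any run of characters (including ':'
    and '/'), '?' matches exactly one character, everything else is literal."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    flags = re.IGNORECASE if ignore_case else 0
    return re.fullmatch(regex, value, flags) is not None


def _as_list(value):
    return value if isinstance(value, list) else [value]


def evaluate(policy, action, resource):
    """Return 'Allow', 'Deny' or 'ImplicitDeny' for one action/resource pair.

    An explicit Deny always wins; if no statement matches, the result is an
    implicit deny, which is what the post's 'bucket-only' policy produced for
    every object-level call."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        # Action names are case-insensitive in IAM; resource ARNs are not.
        if not any(_iam_match(a, action, True) for a in _as_list(stmt.get("Action", []))):
            continue
        if not any(_iam_match(r, resource) for r in _as_list(stmt.get("Resource", []))):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


def static_site_checks(policy):
    """The calls a static-site deploy makes, plus two it should not need."""
    return {
        "list bucket": evaluate(policy, "s3:ListBucket", BUCKET),
        "get object": evaluate(policy, "s3:GetObject", BUCKET + "/index.html"),
        "put object": evaluate(policy, "s3:PutObject", BUCKET + "/css/site.css"),
        "invalidate": evaluate(policy, "cloudfront:CreateInvalidation",
                               "arn:aws:cloudfront::123456789012:distribution/EXAMPLE"),
        "delete bucket": evaluate(policy, "s3:DeleteBucket", BUCKET),
        "other bucket": evaluate(policy, "s3:GetObject", "arn:aws:s3:::otherbucket/index.html"),
    }


if __name__ == "__main__":
    for name, policy in [("broken", BROKEN_POLICY), ("fixed", FIXED_POLICY),
                         ("least-privilege", LEAST_PRIVILEGE_POLICY)]:
        print(name)
        for check, result in static_site_checks(policy).items():
            print(f"  {check:14} {result}")
```

Running it prints one table per policy. The "broken" policy allows "list bucket" but implicitly denies "get object" and "put object", because the object ARNs never match the bare bucket ARN; the "fixed" policy allows them, but its "delete bucket" row is also Allow, which is the cost of "s3:*"; the least-privilege variant allows exactly the deploy calls and nothing else. No policy reaches into "otherbucket", since the bucket name in the ARN is matched literally.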