2 Answers
No. You just need to use the appropriate bucket policy. No need to apply object level ACLs.
Kaushik,
following is a sample bucket policy applied to one of my static Web sites running on S3. I double checked, and verified that there are no object level ACLs assigned to any of the resources in the Web site. If you think through it, this would apply to all objects in the Web site, including the html files and not just the images. Since you’ve mentioned that only the images are not being displayed (implying the html files are being displayed) I’m inclined to think there must be some other issue with either your bucket policy or the code in your html files.
(I’ve redacted a portion of the Origin Access Identity, as well as the Web site domain in the Resource line.)

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "CloudFront-Origin-Access-Identity",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity EXXXXXXXXXR5HV"
      },
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::mysamplesite.com/*"
    }
  ]
}
Any chance you’re missing the /* in the Resource line of your bucket policy or something like that?
Hi Tom, thanks for looking into it. I didn't miss the "/*" mark here.
Here is my bucket policy:

{
  "Version": "2012-10-17",
  "Id": "Policy1567789408944",
  "Statement": [
    {
      "Sid": "Stmt1567789407163",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity EExxxxxxxx2S"
      },
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::sample-de/*"
    }
  ]
}

My HTML is just a simple one with an img tag:
Is it because the img src I am using is https?
It could be – did you enable the HTTP to HTTPS feature in your CloudFront Distribution, and add a Certificate? Easier yet, just modify your HTML to use relative paths to the images, i.e., instead of using , use . This will likely take care of it. You should still experiment with using Certificate Manager and adding the Certificate to your distribution – good practice.
Hi Tom, yes I did, I do use a certificate from ACM.
Wow, you are right. If I use the relative path, I don't have to give the objects read-all rights to everyone.
Awesome. Nice job sticking with it and experimenting.
Did you also use a custom domain and create zone records for it in Route 53? If so, what was the domain you used previously in the HTML code – was it the domain, or the URL to the S3 bucket? That would be the other reason you had to enable ACLs for the objects, if you hard-coded the path to the bucket instead of the custom domain.
Yes I did, I created the custom domain and created zone records. It was the URL to the S3 bucket.
So, you can try to modify your code again if you like, but use the custom domain instead of the S3 bucket URL. e.g. https://mydomain.com/object1.jpg. That should also work.
But, it’s more efficient I think to use the relative path.
Yes, Tom, thanks for all the help.
Hi Gents, even when CloudFront is set up and the object is accessible over the CloudFront URL, if I go to the S3 bucket and access the object using the S3 bucket URL, should it be accessible? I created the CloudFront distribution half an hour ago, but the object is still accessible via both the CloudFront URL and the S3 URL. I did not restrict the S3 URL access. Or do I need to wait for 48 hours to see this happen? Appreciate some tips here. Thanks.
Unfortunately, if I just use the bucket policy, the images in the website are not visible, but if I make the image object with ACL (read all), it solves the issue.
Then there is something else that is causing this. I assure you there’s no need to apply object level ACLs with read all to Everyone in order to have content displayed from S3 through CloudFormation. Have production Web sites running using this model. Can you post the bucket policy you’ve applied?
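As an added example (not code from anyone in this thread), a small Python check over a bucket policy shaped like the ones posted above: it confirms that a CloudFront Origin Access Identity is allowed s3:GetObject on arn:aws:s3:::<bucket>/*, flags a Resource that stops at the bucket ARN (the missing "/*" Tom asked about), and flags a Principal of "*", which is the same read-to-everyone grant that object ACLs with read-all give. The OAI id "EXAMPLEOAIID" and the sample policies are constructed placeholders.

```python
import json

# Principal prefix AWS uses for a CloudFront Origin Access Identity (ids in the thread are redacted).
OAI_PREFIX = "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity "

def _as_list(value):
    return value if isinstance(value, list) else [value]

def lint_bucket_policy(policy_text, bucket):
    """Return findings for a policy meant to serve a static site to CloudFront via an OAI; [] means fine."""
    policy = json.loads(policy_text)
    object_arn = f"arn:aws:s3:::{bucket}/*"
    findings, oai_can_read = [], False
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        principals = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        if not any(a in ("s3:GetObject", "s3:*", "*") for a in actions):
            continue  # not an object-read grant, so irrelevant to serving the site
        sid = stmt.get("Sid", "<no Sid>")
        if "*" in principals:
            findings.append(f"{sid}: grants object reads to everyone (Principal '*'), "
                            "which an OAI-only site does not need")
        if object_arn not in resources:
            findings.append(f"{sid}: Resource does not cover objects; expected {object_arn} "
                            "(missing the trailing '/*'?)")
        elif any(p.startswith(OAI_PREFIX) for p in principals):
            oai_can_read = True
    if not oai_can_read:
        findings.append("no statement lets a CloudFront OAI read the site's objects")
    return findings

def _policy(principal, resource):
    # Constructed sample policies in the shape of the one quoted in the thread.
    return json.dumps({"Version": "2012-10-17", "Statement": [{
        "Sid": "CloudFront-Origin-Access-Identity", "Effect": "Allow",
        "Principal": principal, "Action": "s3:GetObject", "Resource": resource}]})

OAI = {"AWS": OAI_PREFIX + "EXAMPLEOAIID"}  # placeholder id, not a real identity
GOOD_POLICY = _policy(OAI, "arn:aws:s3:::mysamplesite.com/*")
MISSING_WILDCARD = _policy(OAI, "arn:aws:s3:::mysamplesite.com")  # bucket ARN only, no /*
PUBLIC_POLICY = _policy("*", "arn:aws:s3:::mysamplesite.com/*")   # the read-all shortcut

if __name__ == "__main__":
    for name, text in [("good", GOOD_POLICY), ("no /*", MISSING_WILDCARD), ("public", PUBLIC_POLICY)]:
        print(name, "->", lint_bucket_policy(text, "mysamplesite.com") or "ok")
```

Passing the wrong bucket name (for example "sample-de" against a policy written for mysamplesite.com) is reported the same way as a missing "/*", since the Resource then covers no object in that bucket.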