我想创建 AWS S3 策略。我希望 AWS S3 不公开,并且仅通过我的 cloudFront 发行版进行访问。我阅读了所有文档,但没有找到 yaml 示例。
我尝试了此操作,但出现错误(策略无效):
BucketPolicy:
Type: "AWS::S3::BucketPolicy"
DependsOn: S3BucketFront
Properties:
Bucket: !Ref S3BucketFront
PolicyDocument:
Id: WebFrontBuildBucketPolicy
Version: 2012-10-17
Statement:
- Sid: AllowCloudFrontServicePrincipal
Effect: Allow
Principal:
Service:
- cloudfront.amazonaws.com
Action:
- s3:GetObject
Resource: "arn:aws:s3:::${AWS::AccountId}-${AWS::StackName}/*"
Condition:
StringEquals:
"AWS:SourceArn": "arn:aws:cloudfront::${AWS::AccountId}:distribution/${CloudFrontdistribution}"
你应该使用
!SubResource: !Sub "arn:aws:s3:::${AWS::AccountId}-${AWS::StackName}/*"
其他使用 CFN 变量的地方也一样。