Why
OAC supports several things that OAI does not:
- All Amazon S3 buckets in all AWS Regions, including opt-in Regions launched after December 2022
- S3 SSE-KMS (server-side encryption with AWS KMS)
- Dynamic requests (POST, PUT, etc.) to S3
How To
Step 1: Change the S3 Bucket Policy (Or Add a New Policy)
Replace the old policy with the new one, or add the new statement next to the old one before you change the CloudFront setting so access is not interrupted during the switch.
Old Bucket Policy (OAI), Read Only
{
    "Sid": "AllowLegacyOAIReadOnly",
    "Effect": "Allow",
    "Principal": {
        "AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity EH1HDMB1FH2TC"
    },
    "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*"
}
New Bucket Policy (OAC), Read Only
{
    "Sid": "AllowCloudFrontServicePrincipalReadOnly",
    "Effect": "Allow",
    "Principal": {
        "Service": "cloudfront.amazonaws.com"
    },
    "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*",
    "Condition": {
        "StringEquals": {
            "AWS:SourceArn": "arn:aws:cloudfront::111122223333:distribution/EDFDVBD6EXAMPLE"
        }
    }
}
Step 2: Change the CloudFront Origin Access Setting
In the distribution's origin settings, change the origin access setting from "Legacy access identities" to "Origin access control settings".
(Screenshots: Legacy access identities; Origin access control settings)
Step 3: Add a KMS Key Policy Statement If You Need It (Optional)
{
    "Sid": "AllowCloudFrontServicePrincipalSSE-KMS",
    "Effect": "Allow",
    "Principal": {
        "AWS": "arn:aws:iam::111122223333:root",
        "Service": "cloudfront.amazonaws.com"
    },
    "Action": [
        "kms:Decrypt",
        "kms:Encrypt",
        "kms:GenerateDataKey*"
    ],
    "Resource": "*",
    "Condition": {
        "StringEquals": {
            "AWS:SourceArn": "arn:aws:cloudfront::111122223333:distribution/EDFDVBD6EXAMPLE"
        }
    }
}
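As an added check that is not part of the original post, the following Python classifies each statement of a bucket policy as the legacy OAI form, the properly scoped OAC form, or a cloudfront.amazonaws.com grant that is missing the AWS:SourceArn condition (the condition is what stops a distribution in another AWS account from using the bucket as its origin). The sample policy is constructed here from the statements above, using the post's placeholder identifiers.

```python
import json

CLOUDFRONT_SERVICE = "cloudfront.amazonaws.com"
OAI_PREFIX = "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity"

def _as_list(value):
    """IAM allows a string or a list in most policy fields."""
    return value if isinstance(value, list) else [value]

def _source_arns(statement):
    """Collect AWS:SourceArn values under StringEquals (IAM condition keys are case-insensitive)."""
    arns = []
    for op, keys in statement.get("Condition", {}).items():
        if op.lower() == "stringequals":
            for key, val in keys.items():
                if key.lower() == "aws:sourcearn":
                    arns.extend(_as_list(val))
    return arns

def check_statement(statement):
    """Classify one statement: 'legacy-oai', 'unscoped-oac', 'oac-ok' or 'other'."""
    principal = statement.get("Principal", {})
    if statement.get("Effect") != "Allow" or not isinstance(principal, dict):
        return "other"
    if any(p.startswith(OAI_PREFIX) for p in _as_list(principal.get("AWS", []))):
        return "legacy-oai"
    if CLOUDFRONT_SERVICE not in _as_list(principal.get("Service", [])):
        return "other"
    arns = _source_arns(statement)
    # Without a SourceArn condition, any distribution in any AWS account could read the bucket.
    if arns and all(a.startswith("arn:aws:cloudfront::") and ":distribution/" in a for a in arns):
        return "oac-ok"
    return "unscoped-oac"

def audit_bucket_policy(policy_json):
    """Map each statement's Sid (or its index) to its classification."""
    statements = _as_list(json.loads(policy_json)["Statement"])
    return {s.get("Sid", str(i)): check_statement(s) for i, s in enumerate(statements)}

# Constructed sample: the post's old OAI statement, its new OAC statement, and a
# service-principal statement that forgot the SourceArn condition.
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "AllowLegacyOAIReadOnly", "Effect": "Allow", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*",
     "Principal": {"AWS": OAI_PREFIX + " EH1HDMB1FH2TC"}},
    {"Sid": "AllowCloudFrontServicePrincipalReadOnly", "Effect": "Allow", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*", "Principal": {"Service": CLOUDFRONT_SERVICE},
     "Condition": {"StringEquals": {"AWS:SourceArn": "arn:aws:cloudfront::111122223333:distribution/EDFDVBD6EXAMPLE"}}},
    {"Sid": "MissingSourceArnCondition", "Effect": "Allow", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*", "Principal": {"Service": CLOUDFRONT_SERVICE}},
]})
```

Run it over the output of `aws s3api get-bucket-policy --query Policy --output text` once the migration is done; any remaining "legacy-oai" statement can be removed, and an "unscoped-oac" statement should get the distribution ARN condition before OAI is switched off.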