desawsume

Cross-account S3 Origin Setup

It is possible to set up an S3 bucket in one AWS account as the origin of a CloudFront distribution in another account.

Let's take a look at the solution first.

Master account - This is where you created your CDN (the CloudFront distribution)

Sub-account - This is where you have the S3 bucket

Sub-account

You will need to set up an S3 bucket policy that allows the Origin Access Identity (OAI) from the Master account to read objects.

The S3 bucket policy looks like below:

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity <OAI ID>"
            },
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::<bucket-name-of-the-sub-account>/*"
        }
    ]
}
```

Master Account

Create an S3 origin using the S3 endpoint of the bucket.

Format:

```text
<bucket-name-from-the-sub-account>.s3.<aws-region>.amazonaws.com
```

[Screenshot: the CloudFront origin settings, where abc is the bucket name from the sub-account]

Select the Origin access identity from the Master account.

Last but not least, create a path pattern that suits your S3 origin behaviour if you have multiple origins.
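The two steps above (the bucket policy in the sub-account and the origin domain in the master account) are easy to get subtly wrong: a `Principal` of `*` makes the bucket world-readable instead of OAI-only, an action broader than `s3:GetObject` gives CloudFront more than it needs, and an S3 website endpoint as the origin domain will not work with an OAI at all. The following Python is an added example, not code from the original post or from AWS: it builds the minimal policy and origin domain from a bucket name, region and OAI ID, and audits an existing policy document against that minimal grant. The bucket name `abc`, the region `ap-southeast-1` and the OAI ID `E1EXAMPLEOAIID` are constructed sample values. Applying the policy (for example with boto3's `put_bucket_policy`) is left out so the script runs offline.

```python
import json
import re

# Constructed sample values for this example (not from the original post).
SUB_ACCOUNT_BUCKET = "abc"
AWS_REGION = "ap-southeast-1"
OAI_ID = "E1EXAMPLEOAIID"  # placeholder: the OAI ID created in the master account


def oai_principal_arn(oai_id: str) -> str:
    """Principal ARN that CloudFront presents for an Origin Access Identity."""
    return f"arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity {oai_id}"


def build_oai_bucket_policy(bucket: str, oai_id: str) -> dict:
    """Sub-account bucket policy: only the master account's OAI may read objects."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowCloudFrontOAIRead",
                "Effect": "Allow",
                "Principal": {"AWS": oai_principal_arn(oai_id)},
                "Action": "s3:GetObject",
                "Resource": f"arn:aws:s3:::{bucket}/*",
            }
        ],
    }


def origin_domain_name(bucket: str, region: str) -> str:
    """Origin domain for the master account's distribution: the S3 REST endpoint."""
    return f"{bucket}.s3.{region}.amazonaws.com"


def is_rest_origin_endpoint(domain: str) -> bool:
    """True for <bucket>.s3[.<region>].amazonaws.com; False for s3-website-* endpoints,
    which do not support an OAI."""
    return re.fullmatch(r"[a-z0-9.\-]+\.s3(\.[a-z0-9\-]+)?\.amazonaws\.com", domain) is not None


def _as_list(value) -> list:
    """IAM policy fields may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def audit_bucket_policy(policy: dict, bucket: str, oai_id: str) -> list:
    """Return findings for Allow statements that grant more than the intended OAI read.
    An empty list means every Allow statement matches the minimal cross-account grant."""
    findings = []
    expected_principal = oai_principal_arn(oai_id)
    expected_resource = f"arn:aws:s3:::{bucket}/*"
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        if principal == "*" or principal == {"AWS": "*"}:
            findings.append(f"statement {i}: Principal is '*'; objects would be world-readable")
        elif isinstance(principal, dict):
            for p in _as_list(principal.get("AWS")):
                if p != expected_principal:
                    findings.append(f"statement {i}: unexpected principal {p}")
        else:
            findings.append(f"statement {i}: principal is not the expected OAI")
        for action in _as_list(stmt.get("Action")):
            if action != "s3:GetObject":
                findings.append(f"statement {i}: action {action} exceeds s3:GetObject")
        for resource in _as_list(stmt.get("Resource")):
            if resource != expected_resource:
                findings.append(f"statement {i}: resource {resource} is not {expected_resource}")
    return findings


if __name__ == "__main__":
    policy = build_oai_bucket_policy(SUB_ACCOUNT_BUCKET, OAI_ID)
    print("Sub-account bucket policy:")
    print(json.dumps(policy, indent=4))
    print("Master account origin domain:", origin_domain_name(SUB_ACCOUNT_BUCKET, AWS_REGION))
    print("Audit findings:", audit_bucket_policy(policy, SUB_ACCOUNT_BUCKET, OAI_ID))
```

Running `audit_bucket_policy` against the policy you actually have on the bucket (for example the JSON returned by `aws s3api get-bucket-policy`) is a quick way to confirm that the cross-account grant is limited to the one OAI and to `s3:GetObject` on objects in that bucket.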