Cross-account S3 Origin Setup

It is possible to setup cross account S3 Bucket for CloudFront

Let's take a look of the solution first.

Master account - This is where you created your CDN

Sub-account - This is where you have the S3

Sub-account

You will need to setup s3 bucket policy to allow OAI access from the Master account

S3 bucket policy looks like below

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity <OAI ID>"
            },
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::<bucket-name-of-the-sub-account>/*"
        }
    ]
}

Master Account

Create a S3 Origin using the S3 endpoint

Format:

<bucket-name-from-the-sub-account>.s3.<aws-region>.amazonaws.com

abc is the bucket name from the sub-account

Select the Origin access identity from the Master account.

Last but not least, Create a path pattern that suit your s3 origin behaviour if you have multiple origins

Top comments (0)

Best API Mocking Platforms in 2024

Ninja SDE - Nov 13

🌟 Starting My AI Journey with AI Law Shield 🚀🛡️

0x2e73 - Nov 13

Using GenAI to Tackle Complex Prisma Model Migrations

Roman Tsegelskyi - Nov 13

✅What is the difference between fetch and XMLHTTPRequest?

Anthony Max - Nov 13

DEV Community