It is possible to set up a cross-account S3 bucket as a CloudFront origin.
Let's take a look at the solution first.
Master account - This is where you created your CDN (the CloudFront distribution and its origin access identity).
Sub-account - This is where you have the S3 bucket.
Sub-account
You will need to set up an S3 bucket policy that allows the OAI from the Master account to read objects from the bucket.
The S3 bucket policy looks like this:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity <OAI ID>"
            },
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::<bucket-name-of-the-sub-account>/*"
        }
    ]
}
Master Account
Create an S3 origin using the regional S3 endpoint of the sub-account bucket.
Format:
<bucket-name-from-the-sub-account>.s3.<aws-region>.amazonaws.com
For example, if abc is the bucket name from the sub-account, the origin domain is abc.s3.<aws-region>.amazonaws.com. Use the bucket's REST endpoint rather than its static-website hosting endpoint; an OAI only works with the former.
Select the origin access identity from the Master account (the same OAI ID that the sub-account's bucket policy grants access to).
Last but not least, create a path pattern that suits your S3 origin behaviour if you have multiple origins.
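The two halves of the setup above (the sub-account bucket policy and the origin domain used in the master account) can be generated and sanity-checked with a small script. The following is an added example, not code from the original post: it builds the bucket policy in the exact shape shown above, derives the regional origin domain name, and checks that a given policy grants only s3:GetObject on the bucket's objects to the OAI principal with no wildcard (public) principal. The bucket name, region and OAI ID are constructed placeholders.

```python
"""Added example (not from the original post): build and check the cross-account
S3 bucket policy that lets a CloudFront origin access identity (OAI) read objects.

Assumed values: bucket "abc", region "ap-southeast-1" and OAI ID "E1EXAMPLEOAI"
are constructed placeholders. Apply the generated document with, for example,
`aws s3api put-bucket-policy --bucket <bucket> --policy file://policy.json`.
"""
import json
from typing import List

# IAM-style ARN CloudFront exposes for an OAI principal (format as on the page).
OAI_PRINCIPAL_PREFIX = "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity "


def oai_principal_arn(oai_id: str) -> str:
    """Return the principal ARN for an OAI ID."""
    return OAI_PRINCIPAL_PREFIX + oai_id


def build_bucket_policy(bucket: str, oai_id: str) -> dict:
    """Sub-account bucket policy: read-only access for one OAI owned by the
    master account, and nothing else."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"AWS": oai_principal_arn(oai_id)},
                "Action": "s3:GetObject",
                "Resource": f"arn:aws:s3:::{bucket}/*",
            }
        ],
    }


def origin_domain(bucket: str, region: str) -> str:
    """Regional S3 REST endpoint to enter as the CloudFront origin domain name
    in the master account (format taken from the page)."""
    return f"{bucket}.s3.{region}.amazonaws.com"


def _as_list(value) -> list:
    """IAM allows a string or a list for Principal/Action/Resource values."""
    return value if isinstance(value, list) else [value]


def check_bucket_policy(policy: dict, bucket: str, oai_id: str) -> List[str]:
    """Return findings for a policy meant to grant the OAI read-only access.

    An empty list means the policy matches the pattern on the page: every Allow
    statement grants only s3:GetObject on the bucket's objects, the OAI principal
    is granted, and no wildcard principal (public access) appears.
    """
    findings: List[str] = []
    expected_principal = oai_principal_arn(oai_id)
    expected_resource = f"arn:aws:s3:::{bucket}/*"
    oai_granted = False
    statements = policy.get("Statement", [])
    if not statements:
        return ["policy has no statements"]
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        principals: List[str] = []
        if principal == "*":
            principals = ["*"]
        elif isinstance(principal, dict):
            for value in principal.values():
                principals.extend(_as_list(value))
        if "*" in principals:
            findings.append("wildcard principal grants public access")
        actions = _as_list(stmt.get("Action", []))
        if any(a != "s3:GetObject" for a in actions):
            findings.append(f"actions beyond s3:GetObject: {actions}")
        resources = _as_list(stmt.get("Resource", []))
        if any(r != expected_resource for r in resources):
            findings.append(f"resource does not match {expected_resource}: {resources}")
        if expected_principal in principals:
            oai_granted = True
    if not oai_granted:
        findings.append("OAI principal is not granted access")
    return findings


if __name__ == "__main__":
    # Constructed sample values; replace with your own.
    bucket, region, oai_id = "abc", "ap-southeast-1", "E1EXAMPLEOAI"
    policy = build_bucket_policy(bucket, oai_id)
    print(json.dumps(policy, indent=2))
    print("origin domain:", origin_domain(bucket, region))
    print("findings:", check_bucket_policy(policy, bucket, oai_id))
```

Running the checker against an existing bucket policy (fetched with `aws s3api get-bucket-policy`) is a quick way to confirm that the cross-account grant was scoped to the OAI and not widened to a public principal or to write actions.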