25

I'm trying to give access to a specific IAM user to a particular Cloudfront distribution. I've tried with this Policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1428659042000",
            "Effect": "Allow",
            "Action":["cloudfront:*"],
            "Resource": [ "arn:aws:cloudfront:E3J2B3GMZI73G0" ]
        }
    ]
}

The AWS IAM policy checker says the ARN is invalid. As per the documentation on IAM restrictions on CloudFront, AWS doesn't give any example of restricting access to specific distributions. They always refer to:

"Resource":"*"

Ideas on how to give a particular user access to a concrete Cloudfront Distribution?

alexandresaiz

2 Answers

31

Resource-level AWS Identity and Access Management (IAM) permissions are unfortunately not yet supported by all AWS services, and Amazon CloudFront indeed doesn't as per the overview table in AWS Services That Support IAM, which is also explicitly confirmed within CloudFront Resources:

You use an asterisk (*) as the resource when writing a policy to control access to CloudFront actions. This is because you can't use IAM to control access to specific CloudFront resources. For example, you can't give users access to a specific distribution. Permissions granted using IAM include all the resources you use with CloudFront. Because you cannot specify the resources to control access to, there are no CloudFront resource ARNs (Amazon Resource Names) for you to use in an IAM policy. [...] [emphasis mine]

Steffen Opel
  • Thank you! I tried to limit the resource, but it is not working. :( – Chu-Siang Lai Aug 08 '16 at 03:52
  • This is surprising, I hope AWS adds support for this. – Neo May 20 '18 at 16:21
  • It's a shame that AWS does not have support for this. If you get to have many distributions for multiple purposes/users it's really complex to manage all of them regarding security/permission rules. Thanks at all for your response. – Lucas Santos Feb 27 '19 at 02:29
  • Can we use tag based access restriction? – Varun Chandak May 31 '19 at 07:42
  • @VarunChandak - not yet: While AWS is currently in the process of rolling out authorization based on tags across their service portfolio (i.e. quite some recently gained this ability), CloudFront is not yet supported (you can always cross-check this via the resp. tables within [AWS Services That Work with IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-services-that-work-with-iam.html#networking_svcs)). – Steffen Opel Jun 11 '19 at 10:41
1

Preface: This question seems to have been asked in 2015 and as I'm writing this answer it's now 2023 so quite a few years have passed, which is why I decided not to take the answer given here for granted but test for myself whether this works or not...

I'm happy to report that creating an IAM account whose access is restricted to a single CloudFront distribution is possible nowadays!

Here is the custom permission policy I just wrote and successfully tested:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "cloudfront:List*"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "cloudfront:Get*"
            ],
            "Resource": "arn:aws:cloudfront::274094101538:distribution/EW8C6OEXKT4EI"
        }
    ]
}

This policy allowed me to login to the AWS web console, navigate to the CloudFront service, get a listing of available distributions, and navigate to a page with the details of one distribution (EW8C6OEXKT4EI in this case).

xolox
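To see what a policy like the one in this answer grants and, just as importantly, what it implicitly denies, here is an added example (not code from either answer) of a small local evaluator for the Allow/Deny, Action and Resource logic, run against that policy with constructed placeholder account and distribution ids. It assumes the simplified rule "explicit Deny wins, otherwise any matching Allow, otherwise implicit deny" and ignores Conditions, NotAction/NotResource, SCPs and permission boundaries; the authoritative check is AWS's own IAM policy simulator.

```python
import fnmatch
import json

# Policy from the answer above; the account id and distribution id below are
# constructed placeholders, not the values from the page.
POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["cloudfront:List*"], "Resource": "*"},
    {"Effect": "Allow", "Action": ["cloudfront:Get*"],
     "Resource": "arn:aws:cloudfront::111122223333:distribution/EXAMPLEDIST1"}
  ]
}
""")

def _as_list(value):
    # "Action" and "Resource" may be a single string or a list in IAM JSON.
    return value if isinstance(value, list) else [value]

def _match(pattern, value, case_sensitive):
    # IAM wildcards: '*' matches any run of characters, '?' a single character.
    # Action names are case-insensitive; resource ARNs are case-sensitive.
    if not case_sensitive:
        pattern, value = pattern.lower(), value.lower()
    return fnmatch.fnmatchcase(value, pattern)

def is_allowed(policy, action, resource):
    """Simplified decision: explicit Deny wins, otherwise any matching Allow
    grants access, and a request matched by no statement is implicitly denied."""
    allowed = False
    for stmt in policy["Statement"]:
        if not any(_match(a, action, False) for a in _as_list(stmt.get("Action", []))):
            continue
        if not any(_match(r, resource, True) for r in _as_list(stmt.get("Resource", []))):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed

if __name__ == "__main__":
    arn = "arn:aws:cloudfront::111122223333:distribution/EXAMPLEDIST1"
    other = "arn:aws:cloudfront::111122223333:distribution/OTHERDIST"
    for act, res in [("cloudfront:ListDistributions", "*"), ("cloudfront:GetDistribution", arn),
                     ("cloudfront:GetDistribution", other), ("cloudfront:UpdateDistribution", arn)]:
        print(act, res, "->", "allow" if is_allowed(POLICY, act, res) else "deny")
```

The last two cases show the implicit deny at work: Get* on a distribution other than the one named, and any non-List/Get action even on the granted distribution, are refused because no statement matches them.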