19

I'm using an S3 bucket to store files and CloudFront to distribute them. I have a tool that handles synchronization automatically and it works great.

However, I want to be able to also create CloudFront invalidations programmatically. What statement do I need to add to the tool's policy in order to allow creating invalidation only for this specific distribution?

Right now, I have this statement:

{
    "Effect": "Allow",
    "Action": [
        "cloudfront:CreateInvalidation"
    ],
    "Resource": "*"
}

But, as you can see, it allows creating invalidations for any distribution in the account.

I've tried to use these values for the Resource property, but for some reason the tool gave me an error saying that access is denied:

  • arn:aws:cloudfront::12345678:distribution/ABCDEFG
  • arn:aws:cloudfront:::distribution/ABCDEFG

What do I need to specify in the Resource property in order to allow creation of invalidations only for the specific distribution?

Its ARN is arn:aws:cloudfront::12345678:distribution/ABCDEFG for example.

danronmoon
Slava Fomin II

2 Answers

29

Update: As of 2021, the cloudfront:CreateInvalidation action supports resource-level permissions and can be used to allow invalidating only a specific distribution. See @GraphicalDot's answer below. Original answer — as of 2017 — below.

The cloudfront:CreateInvalidation command does not support resource-level permissions. For this reason, only * is supported. Thus, it is not possible to restrict a user/role to only be able to invalidate a specific distribution.

Source: http://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/cf-api-permissions-ref.html

Matt Houser
  • Thanks. This explains why it's not working. I was looking for such a table, but wasn't able to find one or interpret the value myself. – Slava Fomin II Jun 05 '17 at 20:45
  • This saved hours. Thanks! – nisanth074 Jul 24 '17 at 14:53
  • Having the same issue, but I still believe it is possible to restrict the distribution where a role has permission to invalidate a cache. Please kindly check this tutorial https://blog.zoph.me/cloud/Jekyll-Pipeline-CBCD/ – Stanislau Baranouski Jan 15 '19 at 16:30
  • Hmm, seems like @matt-houser is right. The role settings UI has the following warning: "The actions in your policy do not support resource-level permissions and require you to choose All resources". The action in my settings is "cloudfront:CreateInvalidation" – Stanislau Baranouski Jan 15 '19 at 16:39
  • This is not the case anymore. It is actually possible to set the rights on resource level now! See the answer below by @GraphicalDot. – Kevin Van Ryckegem Aug 02 '21 at 14:12
21

Now CloudFront supports distribution-level permissions with IAM policies.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": [
                "cloudfront:UpdateDistribution",
                "cloudfront:DeleteDistribution",
                "cloudfront:CreateInvalidation"
            ],
            "Resource": "arn:aws:cloudfront::<account_id>:distribution/<distribution_id>"
        }
    ]
}

More details here: https://docs.amazonaws.cn/en_us/AmazonCloudFront/latest/DeveloperGuide/access-control-overview.html

tanguy_k
GraphicalDot