
I have a static website hosted on S3 with CloudFront configured to it. My main aim is to configure my site in a way that it is only accessible through a specific IP address. I have tried WAF, and the website is getting cached in my browser and I'm able to access it from other IP addresses even though WAF is enabled. I have tried the policy below and I do not see any change. I do not have a problem with getting rid of CloudFront for this, but I tried disabling CloudFront and accessing it from the S3 endpoint, and all I got was 403 Forbidden from any IP address. I don't know what I am missing here.

{
  "Version": "2012-10-17",
  "Id": "S3PolicyId1",
  "Statement": [
    {
      "Sid": "IPAllow",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity xxxxxxxxxxxx"
      },
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::examplebucket/*",
      "Condition": {
        "IpAddress": {"aws:SourceIp": "54.240.143.0/24"},
        "NotIpAddress": {"aws:SourceIp": "54.240.143.188/32"}
      }
    }
  ]
}
neuro
Sri Vatsav
  • Possible duplicate of https://stackoverflow.com/questions/46138153/restricting-access-to-cloudfront-by-ip – Nik Mar 21 '19 at 22:20
  • WAF is the way to go here, but you might need to invalidate your files from CloudFront edge caches (note: you pay for each invalidation path over 1K per month). That said, if you're restricting the site to a single IP, why use CloudFront at all? – jarmod Mar 21 '19 at 23:17
  • Could you please clarify your requirements? Do you wish to restrict access so that only CloudFront can access the bucket? Are you wanting to put the IP restriction on CloudFront (if so, why use CloudFront?) or on the S3 bucket (so why not go via CloudFront?). Feel free to edit your question to clarify the details. – John Rotenstein Mar 22 '19 at 01:01
  • I have changed and added some details please let me know if they are good – Sri Vatsav Mar 22 '19 at 05:23
  • @jarmod The reason CloudFront is being used in my case is to be able to attach the company SSL. We can't directly assign custom SSL to S3 but we can use it with CloudFront. Okay, WAF is one option, but I didn't quite understand the reason. In my opinion the bucket policy should work as well in this case because CloudFront is attaching the X-Forwarded-For header to the request. Can you please explain why CloudFront + Static Website Hosting with IP Restriction is not working? – Oguzhan Aygun Nov 08 '21 at 20:38
  • @OguzhanAygun not sure I understand your question (so please create a new, independent question, if needed) but typically you would configure the bucket policy to allow access from the relevant CloudFront OAI and you would use WAF to control access by IP to your content via CloudFront. I don't believe that you can write an S3 bucket policy with a source IP restriction that tests the x-forwarded-for header from CloudFront (I may be wrong but I don't think you can). – jarmod Nov 08 '21 at 21:41
  • @jarmod https://stackoverflow.com/q/69889316/10423024 I created a question actually, but I didn't get any clear answer, so I started sniffing around and found this thread. You can see my exact question in that link. Thank you very much. – Oguzhan Aygun Nov 08 '21 at 22:05
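An added example, not from the question or any of the commenters, that works through the setup jarmod's comments describe. The posted policy has a structural problem beyond its JSON syntax: when the principal is a CloudFront Origin Access Identity, `aws:SourceIp` is evaluated against the address CloudFront's edge uses to fetch from the origin, not the viewer's address, so an IP condition on that statement cannot restrict viewers and will typically just deny CloudFront itself. The linter below flags that, flags `s3:*` on a read-only origin as a least-privilege problem, and validates the CIDRs; it then builds the corrected origin policy (OAI principal, `s3:GetObject` only, no IP condition) and a WAFv2 web ACL in the `CreateWebACL` input shape that allows one IP set and blocks everything else, which is where the IP restriction belongs. The bucket name and OAI id are the question's own placeholders; the IP-set ARN in the usage is a placeholder, and the `office` IP set is assumed to exist.

```python
import ipaddress
import json

OAI_PREFIX = "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity "

# Constructed copy of the policy from the question, with its JSON syntax repaired.
# The OAI id and bucket name are the question's own placeholders.
ASKER_POLICY = {
    "Version": "2012-10-17",
    "Id": "S3PolicyId1",
    "Statement": [{
        "Sid": "IPAllow",
        "Effect": "Allow",
        "Principal": {"AWS": OAI_PREFIX + "xxxxxxxxxxxx"},
        "Action": "s3:*",
        "Resource": "arn:aws:s3:::examplebucket/*",
        "Condition": {
            "IpAddress": {"aws:SourceIp": "54.240.143.0/24"},
            "NotIpAddress": {"aws:SourceIp": "54.240.143.188/32"},
        },
    }],
}


def _as_list(value):
    """IAM accepts a string or a list in most positions; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principals(stmt):
    """Flatten the Principal element ("*", a string, or a {"AWS": ...} map)."""
    principal = stmt.get("Principal")
    if isinstance(principal, dict):
        return [p for values in principal.values() for p in _as_list(values)]
    return _as_list(principal)


def lint_origin_policy(policy):
    """Return findings for a bucket policy whose only reader should be a CloudFront OAI.

    Checks: an aws:SourceIp condition on an OAI statement compares CloudFront's
    edge address rather than the viewer's; 's3:*' on a read-only origin is
    broader than least privilege; malformed CIDRs are reported too.
    """
    findings = []
    for stmt in policy.get("Statement", []):
        sid = stmt.get("Sid", "<no Sid>")
        condition = stmt.get("Condition", {})
        ip_blocks = [k for k in condition if k in ("IpAddress", "NotIpAddress")]
        uses_oai = any(str(p).startswith(OAI_PREFIX) for p in _principals(stmt))
        if uses_oai and ip_blocks:
            findings.append(
                f"{sid}: aws:SourceIp on an OAI statement tests CloudFront's address, "
                "not the viewer's; put the IP restriction in a WAF web ACL on the distribution")
        if stmt.get("Effect") == "Allow" and any(
                a in ("*", "s3:*") for a in _as_list(stmt.get("Action"))):
            findings.append(f"{sid}: 's3:*' is broader than a static site needs; grant s3:GetObject only")
        for block in ip_blocks:
            for cidr in _as_list(condition[block].get("aws:SourceIp")):
                try:
                    ipaddress.ip_network(cidr, strict=False)
                except ValueError:
                    findings.append(f"{sid}: {cidr!r} is not a valid CIDR")
    return findings


def corrected_origin_policy(bucket, oai_id):
    """Origin policy that lets only the distribution's OAI read objects; no IP condition."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowCloudFrontOAIRead",
            "Effect": "Allow",
            "Principal": {"AWS": OAI_PREFIX + oai_id},
            "Action": "s3:GetObject",
            "Resource": f"arn:aws:s3:::{bucket}/*",
        }],
    }


def ip_allowlist_web_acl(name, ip_set_arn):
    """WAFv2 web ACL (CreateWebACL input shape): allow the IP set, block everything else.
    A CLOUDFRONT-scoped web ACL and its IP set are created in us-east-1."""
    visibility = {"SampledRequestsEnabled": True, "CloudWatchMetricsEnabled": True}
    return {
        "Name": name,
        "Scope": "CLOUDFRONT",
        "DefaultAction": {"Block": {}},
        "Rules": [{
            "Name": "allow-office-ips",
            "Priority": 0,
            "Statement": {"IPSetReferenceStatement": {"ARN": ip_set_arn}},
            "Action": {"Allow": {}},
            "VisibilityConfig": {**visibility, "MetricName": "allow-office-ips"},
        }],
        "VisibilityConfig": {**visibility, "MetricName": name},
    }


if __name__ == "__main__":
    for finding in lint_origin_policy(ASKER_POLICY):
        print("FINDING:", finding)
    print(json.dumps(corrected_origin_policy("examplebucket", "xxxxxxxxxxxx"), indent=2))
    # Placeholder IP-set ARN; the real one comes from `aws wafv2 create-ip-set`.
    print(json.dumps(ip_allowlist_web_acl(
        "static-site-allowlist",
        "arn:aws:wafv2:us-east-1:123456789012:global/ipset/office/PLACEHOLDER"), indent=2))
```

The split of responsibilities is the point: the bucket policy answers "who may read the origin" (only the OAI), and the web ACL attached to the distribution answers "which viewers may reach the site". Because WAF is evaluated at the edge before the cache is consulted, a viewer outside the IP set is blocked even for objects already cached; a page that still renders after the ACL is attached is coming from the browser's own cache, which a hard reload or a `Cache-Control: no-store` response header on the origin objects addresses.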
