Suppose I have a bucket that grants read permission to everyone. The bucket policy is the following.
For that policy to take effect, the Block Public Access settings must be disabled.
Least Privilege
Now I want the bucket to be accessible only from CloudFront. CloudFront supports an origin access identity (OAI), which signs the request when CloudFront fetches an object from the S3 REST API endpoint.
So I add the OAI permission using the CloudFront console.
This works. But the bucket is still public to everyone. I want to block requests that access S3 directly instead of going through CloudFront.
So I enable the Block Public Access configuration.
The unexpected result: the bucket policy is blocked entirely, not only the public access. I cannot even access S3 via CloudFront.
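To make the two states concrete, here is an added example (not the post's own policy text, which is not reproduced here) that builds a public-read policy next to an OAI-only policy and runs a simplified "is this policy public?" check over both. The bucket name and the OAI canonical user ID are placeholders. The check only looks for unconditioned Allow statements with a wildcard principal; AWS's real evaluation also considers certain Condition keys, so treat this as an approximation of what S3 Block Public Access flags, not as the service's algorithm.

```python
import json

# Constructed example values; replace with your own (these are placeholders).
BUCKET = "example-bucket"
OAI_CANONICAL_USER = "PLACEHOLDER_OAI_CANONICAL_USER_ID"

OAI_STATEMENT = {
    "Sid": "OAIRead",
    "Effect": "Allow",
    # Granting to the OAI's canonical user, as the CloudFront console does.
    "Principal": {"CanonicalUser": OAI_CANONICAL_USER},
    "Action": "s3:GetObject",
    "Resource": f"arn:aws:s3:::{BUCKET}/*",
}

# State described in the post: public read plus the OAI grant.
PUBLIC_READ_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "PublicRead",
            "Effect": "Allow",
            "Principal": "*",            # anonymous principal: this makes the policy public
            "Action": "s3:GetObject",
            "Resource": f"arn:aws:s3:::{BUCKET}/*",
        },
        OAI_STATEMENT,
    ],
}

# Least-privilege state: only CloudFront's OAI may read objects.
OAI_ONLY_POLICY = {"Version": "2012-10-17", "Statement": [OAI_STATEMENT]}


def _principal_is_wildcard(principal):
    """True for Principal "*" or Principal {"AWS": "*"} (also inside a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        if isinstance(aws, str):
            aws = [aws]
        return "*" in aws
    return False


def public_statements(policy):
    """Return the Sids of Allow statements that grant to an anonymous principal
    without any Condition. Simplified version of the classification S3 uses
    when Block Public Access decides a bucket policy is 'public'; when it is,
    the RestrictPublicBuckets setting ignores public and cross-account grants
    in that policy, which is consistent with the OAI access failing above."""
    hits = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if stmt.get("Condition"):
            continue  # conditioned statements need a finer-grained check
        if _principal_is_wildcard(stmt.get("Principal")):
            hits.append(stmt.get("Sid", "<no Sid>"))
    return hits


def usable_with_block_public_access(policy):
    """A policy with no public statements keeps working under Block Public Access."""
    return not public_statements(policy)


if __name__ == "__main__":
    for name, pol in [("public-read", PUBLIC_READ_POLICY), ("oai-only", OAI_ONLY_POLICY)]:
        print(f"{name}: public statements={public_statements(pol)} "
              f"usable with Block Public Access={usable_with_block_public_access(pol)}")
    print(json.dumps(OAI_ONLY_POLICY, indent=2))
```

Running it reports the `PublicRead` statement as the reason the first policy is classified as public, and an empty list for the OAI-only policy. The practical consequence is that the public-read statement has to be removed from the bucket policy before enabling Block Public Access; once the policy grants only to the OAI, the settings and the CloudFront path coexist.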