Open JonathanAlbarran opened 4 days ago
Existing documentation URL(s)
- https://developers.cloudflare.com/support/third-party-software/others/configuring-an-amazon-web-services-static-site-to-use-cloudflare/
- https://github.com/cloudflare/cloudflare-docs/blob/production/src/content/docs/support/third-party-software/others/configuring-an-amazon-web-services-static-site-to-use-cloudflare.mdx
What changes are you suggesting?
I propose updating the provided S3 bucket policy example to better align with AWS's recommended approach for similar services like CloudFront, making it more consistent with AWS best practices and easier for users to implement correctly.
Current Cloudflare Documentation
AWS Recommendation for Similar Use Case
AWS recommends the following structure for their CloudFront OAI:
```json
{
  "Version": "2012-10-17",
  "Id": "PolicyForCloudFrontPrivateContent",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity EH1HDMB1FH2TC"
      },
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::amzn-s3-demo-bucket/*"
    }
  ]
}
```
and the following for Amazon S3 origins with CloudFront:
Proposed Update
Adapting the AWS approach for Cloudflare, an enhanced policy would look like:
This maintains a structure familiar to AWS users, and uses positive IP address matching, with AWS's "allow" rather than "deny" approach, which is more intuitive.
Additional information
No response
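The issue contrasts an allow-only bucket policy gated on source IP with the allow-everyone-then-deny-outside-the-ranges shape. The script below is an added example written for this page; it is not code from the issue, the Cloudflare docs or AWS. It builds both policy shapes for a bucket, then runs a deliberately small subset of the IAM evaluation rules (explicit Deny wins, otherwise any matching Allow permits, otherwise implicit Deny) over probe IPs to confirm the two shapes make the same access decisions. The bucket name is the placeholder from the AWS docs, the policy `Id` and `Sid` values are hypothetical, and the CIDR list is a constructed sample that must be replaced with the ranges Cloudflare publishes at https://www.cloudflare.com/ips/ before real use. Only the `IpAddress` and `NotIpAddress` operators on `aws:SourceIp` are implemented.

```python
import ipaddress
import json

# Constructed sample ranges for illustration only. Fetch the current list from
# https://www.cloudflare.com/ips/ before using a policy like this for real.
SAMPLE_RANGES = ["173.245.48.0/20", "103.21.244.0/22", "2400:cb00::/32"]

BUCKET = "amzn-s3-demo-bucket"  # placeholder name used in the AWS docs example


def allow_only_policy(bucket, ranges):
    """Allow-style policy: one Allow statement gated on the request's source IP."""
    return {
        "Version": "2012-10-17",
        "Id": "PolicyForCloudflareProxiedContent",  # hypothetical Id
        "Statement": [
            {
                "Sid": "AllowGetFromListedRanges",  # hypothetical Sid
                "Effect": "Allow",
                "Principal": "*",
                "Action": "s3:GetObject",
                "Resource": f"arn:aws:s3:::{bucket}/*",
                "Condition": {"IpAddress": {"aws:SourceIp": list(ranges)}},
            }
        ],
    }


def allow_then_deny_policy(bucket, ranges):
    """Deny-style policy: public Allow plus an explicit Deny outside the ranges."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowPublicGet",  # hypothetical Sid
                "Effect": "Allow",
                "Principal": "*",
                "Action": "s3:GetObject",
                "Resource": f"arn:aws:s3:::{bucket}/*",
            },
            {
                "Sid": "DenyOutsideListedRanges",  # hypothetical Sid
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:GetObject",
                "Resource": f"arn:aws:s3:::{bucket}/*",
                "Condition": {"NotIpAddress": {"aws:SourceIp": list(ranges)}},
            },
        ],
    }


def _ip_in_ranges(ip, ranges):
    # A v4 address is never "in" a v6 network and vice versa, which is what we want.
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(r, strict=False) for r in ranges)


def _condition_matches(condition, source_ip):
    """Evaluate the subset of condition operators this example supports."""
    for operator, keys in condition.items():
        if operator not in ("IpAddress", "NotIpAddress"):
            raise NotImplementedError(operator)
        cidrs = keys.get("aws:SourceIp", [])
        cidrs = [cidrs] if isinstance(cidrs, str) else cidrs
        inside = _ip_in_ranges(source_ip, cidrs)
        if operator == "IpAddress" and not inside:
            return False
        if operator == "NotIpAddress" and inside:
            return False
    return True


def evaluate(policy, source_ip, resource, action="s3:GetObject"):
    """True if the request is allowed: explicit Deny wins, else any Allow, else Deny."""
    allowed = False
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if action not in actions:
            continue
        res = stmt["Resource"]
        prefix = res[:-1] if res.endswith("*") else res
        if not resource.startswith(prefix):
            continue
        if not _condition_matches(stmt.get("Condition", {}), source_ip):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def policies_agree(bucket, ranges, probe_ips):
    """Check that both shapes give the same decision for every probe IP."""
    resource = f"arn:aws:s3:::{bucket}/index.html"
    a, d = allow_only_policy(bucket, ranges), allow_then_deny_policy(bucket, ranges)
    return all(evaluate(a, ip, resource) == evaluate(d, ip, resource) for ip in probe_ips)


if __name__ == "__main__":
    print(json.dumps(allow_only_policy(BUCKET, SAMPLE_RANGES), indent=2))
    for ip in ("173.245.48.10", "2400:cb00::1", "198.51.100.7"):
        print(ip, evaluate(allow_only_policy(BUCKET, SAMPLE_RANGES), ip,
                           f"arn:aws:s3:::{BUCKET}/index.html"))
```

Both shapes reach the same decision for a request whose source IP is inside or outside the listed ranges; the allow-only form is simply shorter and has no statement that grants access to everyone. One caveat worth keeping in mind with either shape: Cloudflare's egress ranges are shared by all Cloudflare customers, so an IP condition only proves the request came through Cloudflare, not through your zone. Pair it with an origin-side check such as a secret header or authenticated origin pulls if that distinction matters for the bucket.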