ks888 / LambStatus

[Maintenance mode] Serverless Status Page System
https://lambstatus.github.io
Apache License 2.0
1.3k stars 119 forks

Restrict S3 bucket access to cloudfront via AOID #124

Closed mijdavis2 closed 6 years ago

mijdavis2 commented 6 years ago

Fixes #115

Restricts the S3 policy to only allow from a CloudFront access origin ID. Currently uses the same origin for status page and admin page - not sure if there are ramifications to that, but I assume you can't hop to a different bucket from a CloudFront distro.

Borrowed the property snippet from https://gist.github.com/matalo33/fc2a9d8698c069e134b4b0b6640f0c84
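
An added example, not part of this PR or of LambStatus: a small audit of an S3 bucket policy document that reports every Allow statement reachable by a principal other than one CloudFront origin access identity, which is the restriction the description above is after. The bucket name, identity ID and both sample policies are constructed placeholders.

```python
import json

# Documented ARN form of a CloudFront origin access identity principal.
OAI_ARN = "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity "

def _as_list(value):
    return value if isinstance(value, list) else [value]

def principals(statement):
    """Flatten a statement's Principal into (kind, value) pairs."""
    principal = statement.get("Principal")
    if principal is None:
        return []
    if isinstance(principal, str):  # "Principal": "*"
        return [("*", principal)]
    return [(kind, v) for kind, vals in principal.items() for v in _as_list(vals)]

def non_oai_allows(policy, oai_id, canonical_user=None):
    """Return the Sid (or index) of each Allow statement that grants access
    to anything other than the given origin access identity."""
    allowed = {("AWS", OAI_ARN + oai_id)}
    if canonical_user:  # the identity's S3 canonical user ID, if the policy uses that form
        allowed.add(("CanonicalUser", canonical_user))
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        found = principals(stmt)
        # NotPrincipal, a missing principal, or any extra principal widens access.
        if "NotPrincipal" in stmt or not found or any(p not in allowed for p in found):
            findings.append(stmt.get("Sid", f"statement[{i}]"))
    return findings

# Constructed sample policies; bucket name and identity ID are placeholders.
BUCKET_ARN = "arn:aws:s3:::example-status-page-bucket/*"
PUBLIC_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
   "Action": "s3:GetObject", "Resource": "%s"}]}""" % BUCKET_ARN)
OAI_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Sid": "CloudFrontRead", "Effect": "Allow",
   "Principal": {"AWS": "%sE2EXAMPLE12345"},
   "Action": "s3:GetObject", "Resource": "%s"}]}""" % (OAI_ARN, BUCKET_ARN))

if __name__ == "__main__":
    print("public policy:", non_oai_allows(PUBLIC_POLICY, "E2EXAMPLE12345"))
    print("OAI policy:   ", non_oai_allows(OAI_POLICY, "E2EXAMPLE12345"))
```

The check covers the bucket policy document only; object and bucket ACLs are a separate grant path and need their own review.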

mijdavis2 commented 6 years ago

Doh! Didn't see #119 - though it does look like it's using WAF/ACL as opposed to CloudFront access origin ID. This might be another viable solution and arguably simpler. Then you can use WAF to also lock down the CloudFront distro via ACL on top of this.

ks888 commented 6 years ago

I have some free time today, so I've implemented it myself. So let me close this PR. Thank you again for your contribution.