diff --git a/amplify/backend/hosting/S3AndCloudFront/template.json b/amplify/backend/hosting/S3AndCloudFront/template.json
index c8d68d8..1530ada 100644
--- a/amplify/backend/hosting/S3AndCloudFront/template.json
+++ b/amplify/backend/hosting/S3AndCloudFront/template.json
@@ -46,7 +46,6 @@
 }
 ]
 },
- "AccessControl": "PublicRead",
 "WebsiteConfiguration": {
 "IndexDocument": "index.html",
 "ErrorDocument": "index.html"
@@ -70,17 +69,110 @@
 }
 }
 },
- "BucketPolicy": {
+ "OriginAccessIdentity": {
+ "Type": "AWS::CloudFront::CloudFrontOriginAccessIdentity",
+ "Properties": {
+ "CloudFrontOriginAccessIdentityConfig": {
+ "Comment": "CloudFrontOriginAccessIdentityConfig"
+ }
+ }
+ },
+ "CloudFrontDistribution": {
+ "Type": "AWS::CloudFront::Distribution",
+ "DependsOn": [
+ "S3Bucket",
+ "OriginAccessIdentity"
+ ],
+ "Properties": {
+ "DistributionConfig": {
+ "Origins": [
+ {
+ "DomainName": {
+ "Fn::GetAtt": [
+ "S3Bucket",
+ "DomainName"
+ ]
+ },
+ "Id": "hostingS3Bucket",
+ "S3OriginConfig": {
+ "OriginAccessIdentity": {
+ "Fn::Join": [
+ "",
+ [
+ "origin-access-identity/cloudfront/",
+ {
+ "Ref": "OriginAccessIdentity"
+ }
+ ]
+ ]
+ }
+ }
+ }
+ ],
+ "Enabled": "true",
+ "DefaultCacheBehavior": {
+ "AllowedMethods": [
+ "DELETE",
+ "GET",
+ "HEAD",
+ "OPTIONS",
+ "PATCH",
+ "POST",
+ "PUT"
+ ],
+ "TargetOriginId": "hostingS3Bucket",
+ "ForwardedValues": {
+ "QueryString": "false"
+ },
+ "ViewerProtocolPolicy": "redirect-to-https",
+ "DefaultTTL": 86400,
+ "MaxTTL": 31536000,
+ "MinTTL": 60,
+ "Compress": true
+ },
+ "DefaultRootObject": "index.html",
+ "CustomErrorResponses": [
+ {
+ "ErrorCachingMinTTL": 300,
+ "ErrorCode": 400,
+ "ResponseCode": 200,
+ "ResponsePagePath": "/"
+ },
+ {
+ "ErrorCachingMinTTL": 300,
+ "ErrorCode": 403,
+ "ResponseCode": 200,
+ "ResponsePagePath": "/"
+ },
+ {
+ "ErrorCachingMinTTL": 300,
+ "ErrorCode": 404,
+ "ResponseCode": 200,
+ "ResponsePagePath": "/"
+ }
+ ]
+ }
+ }
+ },
+ "PrivateBucketPolicy": {
 "Type": "AWS::S3::BucketPolicy",
+ "DependsOn": "OriginAccessIdentity",
 "Properties": {
 "PolicyDocument": {
 "Id": "MyPolicy",
 "Version": "2012-10-17",
 "Statement": [
 {
- "Sid": "PublicReadForGetBucketObjects",
+ "Sid": "APIReadForGetBucketObjects",
 "Effect": "Allow",
- "Principal": "*",
+ "Principal": {
+ "CanonicalUser": {
+ "Fn::GetAtt": [
+ "OriginAccessIdentity",
+ "S3CanonicalUserId"
+ ]
+ }
+ },
 "Action": "s3:GetObject",
 "Resource": {
"Fn::Join": [
@@ -140,6 +232,35 @@
 ]
 },
 "Description": "Name of S3 bucket to hold website content"
+ },
+ "CloudFrontDistributionID": {
+ "Value": {
+ "Ref": "CloudFrontDistribution"
+ }
+ },
+ "CloudFrontDomainName": {
+ "Value": {
+ "Fn::GetAtt": [
+ "CloudFrontDistribution",
+ "DomainName"
+ ]
+ }
+ },
+ "CloudFrontSecureURL": {
+ "Value": {
+ "Fn::Join": [
+ "",
+ [
+ "https://",
+ {
+ "Fn::GetAtt": [
+ "CloudFrontDistribution",
+ "DomainName"
+ ]
+ }
+ ]
+ ]
+ }
 }
 }
 }
\ No newline at end of file
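Review bot: `DefaultCacheBehavior.AllowedMethods` opens all seven HTTP methods on an origin whose new bucket policy grants only `s3:GetObject`, so PUT, POST, PATCH and DELETE are forwarded to S3 just to be refused; for a static site read through an origin access identity the behavior should be `"AllowedMethods": ["GET", "HEAD", "OPTIONS"],` (or `["GET", "HEAD"]`, the only other set CloudFront accepts), which also keeps write verbs away from the origin should the bucket policy ever be widened. Within the same block `"Enabled": "true"` and `"QueryString": "false"` are strings while `"Compress": true` is a boolean; CloudFormation coerces both forms, but `true`/`false` literals throughout would be consistent. Among the `CustomErrorResponses`, mapping 403 to `/` with a 200 is what makes the SPA fallback work with a REST origin behind an OAI (S3 answers a missing key with 403 when the caller lacks `s3:ListBucket`), but the matching 400 entry turns malformed requests into a 200 cached for `ErrorCachingMinTTL` seconds and is probably not wanted. The `WebsiteConfiguration` left on the bucket in the first hunk appears to be dead configuration now that the distribution reads the bucket's REST endpoint (`S3Bucket.DomainName` with `S3OriginConfig`) and public read is removed, so it could go in the same change. The `Resource` of `PrivateBucketPolicy` continues past the end of this hunk and was not reviewed.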
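Review bot: The three new outputs `CloudFrontDistributionID`, `CloudFrontDomainName` and `CloudFrontSecureURL` carry only a `Value`, while the neighbouring `S3BucketName` output in the same `Outputs` map has a `"Description"`; each new entry should get one too, e.g. `"Description": "ID of the CloudFront distribution fronting the hosting bucket"`, since these are the values operators read off the stack after deploy. As a matter of style, the nested `Fn::Join` in `CloudFrontSecureURL` can be collapsed to `"Value": { "Fn::Sub": "https://${CloudFrontDistribution.DomainName}" }`, which reads as the URL it builds. The enclosing `Outputs` object starts before this hunk; only its tail is visible here.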