@@ -43,12 +43,14 @@ Resources:
4343 PolicyDocument :
4444 Version : ' 2012-10-17'
4545 Statement :
46- - Action :
47- - s3:GetObject
46+ - Action : s3:GetObject
47+ Principal :
48+ Service : ' cloudfront.amazonaws.com'
4849 Effect : Allow
4950 Resource : !Sub '${S3BucketRootArn}/*'
50- Principal :
51- CanonicalUser : !GetAtt CloudFrontOriginAccessIdentity.S3CanonicalUserId
51+ Condition :
52+ StringEquals :
53+ ' AWS:SourceArn ' : !Sub 'arn:aws:cloudfront::${AWS::AccountId}:distribution/${CloudFrontDistribution}'
5254
5355 CloudFrontDistribution :
5456 Type : AWS::CloudFront::Distribution
@@ -86,8 +88,8 @@ Resources:
8688 Origins :
8789 - DomainName : !Ref 'S3BucketRootName'
8890 Id : !Sub 'S3-${AWS::StackName}-root'
89- S3OriginConfig :
90- OriginAccessIdentity : !Sub 'origin-access-identity/cloudfront/${CloudFrontOriginAccessIdentity}'
91+ OriginAccessControlId : !Ref OriginAccessControl
92+ S3OriginConfig : {}
9193 PriceClass : ' PriceClass_All'
9294 ViewerCertificate :
9395 AcmCertificateArn : !Ref 'CertificateArn'
@@ -97,11 +99,14 @@ Resources:
9799 - Key : Solution
98100 Value : ACFS3
99101
100- CloudFrontOriginAccessIdentity :
101- Type : AWS::CloudFront::CloudFrontOriginAccessIdentity
102+ OriginAccessControl :
103+ Type : AWS::CloudFront::OriginAccessControl
102104 Properties :
103- CloudFrontOriginAccessIdentityConfig :
104- Comment : !Sub 'CloudFront OAI for ${SubDomain}.${DomainName}'
105+ OriginAccessControlConfig :
106+ Name : !Sub 'oac-${AWS::StackName}-${AWS::Region}'
107+ OriginAccessControlOriginType : s3
108+ SigningBehavior : always
109+ SigningProtocol : sigv4
105110
106111 Route53RecordSetGroup :
107112 Type : AWS::Route53::RecordSetGroup
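Review bot: In the bucket-policy statement (new lines 46-53) the principal is now the shared `cloudfront.amazonaws.com` service principal, so the `AWS:SourceArn` condition is the only thing limiting `s3:GetObject` to this stack's distribution, and the template does not say so. I would add a comment above `Condition`, for example `# Service principal is shared by every CloudFront distribution; this SourceArn match is what restricts reads to ours - keep it.` The OAI `CanonicalUser` grant is also removed in the same update that switches the origin to OAC, so depending on the order CloudFormation applies the two resources, a live stack may briefly return 403s; if that matters, a transitional statement allowing both principals for one deploy would avoid it. The policy resource begins above the hunk, so any other statements in it are not visible here.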