I'm trying to give access to a specific IAM user to a particular CloudFront distribution. I've tried with this policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1428659042000",
"Effect": "Allow",
"Action":["cloudfront:*"],
"Resource": [ "arn:aws:cloudfront:E3J2B3GMZI73G0" ]
}
]
}
AWS-IAM Policy checker says the ARN is invalid. As per the documentation on IAM restrictions on CloudFront, AWS doesn't point any example to restrict access to specific distributions. They always refer to:
"Resource":"*"
Ideas on how to give a particular user access to a concrete CloudFront distribution?
Resource-level AWS Identity and Access Management (IAM) permissions are unfortunately not yet supported by all AWS services, and Amazon CloudFront indeed doesn't as per the overview table in AWS Services That Support IAM, which is also explicitly confirmed within CloudFront Resources:
You use an asterisk (*) as the resource when writing a policy to control access to CloudFront actions. This is because you can't use IAM to control access to specific CloudFront resources. For example, you can't give users access to a specific distribution. Permissions granted using IAM include all the resources you use with CloudFront. Because you cannot specify the resources to control access to, there are no CloudFront resource ARNs (Amazon Resource Names) for you to use in an IAM policy. [...] [emphasis mine]