Restrict CloudFront signed URL usage to a specific HTTP method


I have an S3 bucket that can only be accessed via a CloudFront distribution. Some users should be able to upload certain files to the S3 bucket, and other users should be able to download certain files from the S3 bucket (all via CloudFront).

I'm using pre-signed CloudFront URLs with a custom policy in my API to control the access. But, I need to specify in the policy whether the signed URL is valid for download (GET) or upload (PUT).

I had hoped there would be a key in the policy statement that would control which HTTP method the URL can be used for, but I haven't had any luck finding that. Here's an example policy statement from the documentation:

{
    "Statement": [
        {
            "Resource": "https://d111111abcdef8.cloudfront.net/game_download.zip",
            "Condition": {
                "IpAddress": {
                    "AWS:SourceIp": "192.0.2.0/24"
                },
                "DateLessThan": {
                    "AWS:EpochTime": 1675159200
                }
            }
        }
    ]
}

Does anyone know how I might specify the HTTP method in the policy? If not, I would also love other out-of-the-box ideas of how to accomplish this goal! I know it can be done when signing S3 URLs, but I would prefer to go through CloudFront since these files will be downloaded frequently.


There are 0 answers
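Added example, not part of the original question and not AWS sample code. A CloudFront custom policy statement only supports the `Resource`, `DateLessThan`, `DateGreaterThan` and `IpAddress` conditions, so the HTTP method cannot be expressed in the policy itself. What can be done is to keep uploads and downloads under different path prefixes, scope each signed URL's `Resource` to its own prefix (wildcards are allowed, e.g. `https://d111111abcdef8.cloudfront.net/uploads/*`), and enforce the method-to-prefix pairing at the edge. The function below does that enforcement as a CloudFront Function on the viewer-request event; the prefixes `/uploads/` and `/downloads/` and the method table are assumptions for this example.

```javascript
// Added example (not from the original post): a CloudFront Function for
// the viewer-request event that binds the HTTP method to the path prefix
// the signed URL was scoped to. The custom policy has no method condition,
// so this is where the method rule lives. The prefixes and method lists
// below are assumptions for the example; the runtime is ES5-style JS as
// required by CloudFront Functions.
var RULES = [
  { prefix: '/uploads/',   methods: ['PUT'] },          // upload URLs are signed for /uploads/*
  { prefix: '/downloads/', methods: ['GET', 'HEAD'] }   // download URLs are signed for /downloads/*
];

// Build a response object; returning it from handler() stops the request.
function deny(status, description) {
  return { statusCode: status, statusDescription: description };
}

function handler(event) {
  var request = event.request;
  var method = request.method;
  var uri = request.uri;

  for (var i = 0; i < RULES.length; i++) {
    var rule = RULES[i];
    // indexOf(...) === 0 is a startsWith check; the trailing slash in the
    // prefix keeps "/uploadsX" from matching "/uploads/".
    if (uri.indexOf(rule.prefix) === 0) {
      if (rule.methods.indexOf(method) !== -1) {
        // Pass the request on; CloudFront still validates the signed URL.
        return request;
      }
      return deny(405, 'Method Not Allowed');
    }
  }
  // Nothing outside the known prefixes is served at all.
  return deny(403, 'Forbidden');
}
```

The cache behavior that serves `/uploads/*` must still list PUT among its Allowed HTTP Methods, and the origin access policy must grant `s3:PutObject` for that prefix; browser-based uploads also need OPTIONS for the CORS preflight, which the rule table above does not allow. Signing upload and download URLs with different key groups, each trusted only by its own cache behavior, adds a second, independent check on top of this one.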