AWS CloudFront cross-account S3 Origin Setup

Do-Yup Lim
1 min read, Dec 3, 2020

This post will go through the steps of setting up an S3 origin in an AWS CloudFront distribution for a bucket created in a different AWS account. You will need access to both the CloudFront distribution (account A) and the S3 bucket (account B). This may be useful when your CloudFront distribution needs to serve data hosted by other teams within your organization.

Steps in AWS CloudFront (account A)

  1. Navigate to the CloudFront distribution in the AWS console
  2. Create Origin
  3. Origin Domain Name: <bucket-name>.s3.<aws-region>.amazonaws.com
  4. Restrict Bucket Access: Yes
  5. Origin Access Identity: Create a New Identity or Use an Existing Identity (will need the Origin Access ID later for the S3 bucket policy)
  6. Grant Read Permissions on Bucket: No, I Will Update Permissions
  7. Create

Steps in AWS S3 (account B)

  1. Navigate to the S3 bucket named <bucket-name> in the AWS console
  2. Click on Permissions tab
  3. Edit Bucket Policy
  4. Add the following statement to the bucket policy (if the bucket already has a policy, append the statement to its existing `Statement` array). The `<ORIGIN_ACCESS_ID_IN_CLOUDFRONT_STEP_5>` placeholder is the ID of the Origin Access Identity from step 5 in account A.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity <ORIGIN_ACCESS_ID_IN_CLOUDFRONT_STEP_5>"
      },
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::<bucket-name>/*"
    }
  ]
}
```
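As an added check (example code, not from the post), the following Python compares the origin configuration from account A against the bucket policy from account B: it derives the OAI principal the policy must grant, and flags a missing grant, a wildcard principal that would make the OAI pointless, or actions beyond `s3:GetObject`. The `ORIGIN` dict and `BUCKET_POLICY` are constructed samples with a placeholder OAI id; in practice you would feed it the origin entry from `aws cloudfront get-distribution-config` and the policy from `aws s3api get-bucket-policy`.

```python
import json
# Constructed samples (not from the post): the origin block of a CloudFront distribution
# config in account A, and the bucket policy in account B; the OAI id is a placeholder.
ORIGIN = {
    "DomainName": "shared-data-bucket.s3.us-east-1.amazonaws.com",
    "S3OriginConfig": {"OriginAccessIdentity": "origin-access-identity/cloudfront/EXAMPLEOAIID"},
}
BUCKET_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity EXAMPLEOAIID"},
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::shared-data-bucket/*",
    }],
})

def oai_principal(origin: dict) -> str:
    """Principal ARN the bucket policy must grant for this origin's OAI (step 5 in account A)."""
    oai_path = origin.get("S3OriginConfig", {}).get("OriginAccessIdentity", "")
    if not oai_path:
        raise ValueError("origin does not restrict bucket access with an Origin Access Identity")
    return "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity " + oai_path.rsplit("/", 1)[-1]

def _as_list(value):
    return value if isinstance(value, list) else [value]

def check_bucket_policy(origin: dict, policy_json: str) -> list:
    """Findings for the account-B bucket policy; an empty list means it matches the origin."""
    bucket = origin["DomainName"].split(".s3", 1)[0]  # assumes the bucket name has no ".s3" in it
    expected_principal = oai_principal(origin)
    expected_resource = f"arn:aws:s3:::{bucket}/*"
    findings, granted = [], False
    for stmt in json.loads(policy_json).get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        principals = _as_list(principal.get("AWS", []) if isinstance(principal, dict) else principal)
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        if "*" in principals:
            findings.append("statement allows anonymous access (Principal '*'); the OAI restriction is bypassed")
        if expected_principal in principals and expected_resource in resources:
            granted = granted or "s3:GetObject" in actions
            extra = [a for a in actions if a != "s3:GetObject"]
            if extra:
                findings.append(f"OAI statement grants more than s3:GetObject: {extra}")
    if not granted:
        findings.append(f"no Allow for {expected_principal} on {expected_resource}")
    return findings
```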

Conclusion

After you have followed all the steps above, you can set up a behavior in the CloudFront distribution that routes requests to the S3 origin. Then, you should be able to access objects in the S3 bucket created in AWS account B through the CloudFront distribution behavior created in AWS account A.
