Knowledge base

Connecting a Bucket to the CDN

When you assign a CDN Resource to a bucket, the bucket policy will be set and the bucket website will be created.

Bucket Policy

  • CDN77 accesses the storage via specific user. The username format appears as "cdn77-bucketname"
  • Here you can see the format of the bucket policy that will be set (JSON format)
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": ["arn:aws:iam:::user/cdn77-bucketname"]
      },
      "Action": "s3:GetObject",
      "Resource": ["arn:aws:s3:::bucketname/*"]
    }
  ]
}
  • The master user has absolute control over the bucket, so it is also capable of specifying files or prefixes that shouldn't be accessible over the CDN via bucket policy feature.
    ⚠ Don't forget that with great power comes great responsibility. Changing bucket policy could break the connection between the bucket and the CDN Resource, which can lead to delivery disruption!
  • Here is an example of a bucket policy that removes access to prefix SECRET-PREFIX over CDN
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": ["arn:aws:iam:::user/cdn77-bucketname"]
      },
      "Action": "s3:GetObject",
      "Resource": ["arn:aws:s3:::bucketname/*"]
    },
    {
      "Effect": "Deny",
      "Principal": {
        "AWS": ["arn:aws:iam:::user/cdn77-bucketname"]
      },
      "Action": "s3:GetObject",
      "Resource": ["arn:aws:s3:::bucketname/SECRET-PREFIX/*"]
    }
  ]
}

Bucket Website

  • CDN Resources use S3 website API to link to a bucket. For this to work properly, the bucket website option needs to be enabled on the bucket for delivery via CDN. Disabling this would lead to a 404 response with the error NoSuchWebsiteConfiguration
  • Here is the BucketWebsite configuration that will be set (XML format)
<?xml version="1.0" encoding="UTF-8"?>
<WebsiteConfiguration xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
    <IndexDocument>
        <Suffix>index.html</Suffix>
    </IndexDocument>
</WebsiteConfiguration>

By default, names of your buckets can be publicly available! When the index document is not present in the bucket or via accessing a file that is not present on the storage/or the cdn user doesn't have a permission to view it, it will return this error containting the bucket name.

To prevent these default errors, it is recommended to set a custom error page by editing the BucketWebsiteConfiguration. This will show your custom error document instead of the default error codes.

<?xml version="1.0" encoding="UTF-8"?>
<WebsiteConfiguration xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
    <IndexDocument>
        <Suffix>index.html</Suffix>
    </IndexDocument>
    <ErrorDocument>
        <Suffix>error.html</Suffix>
    </ErrorDocument>
</WebsiteConfiguration>
Can’t find what you are looking for?