Knowledge base

How the CDN Connects to the Bucket

When you assign a CDN Resource to a bucket, the bucket policy will be set and the bucket website will be created.

Bucket Policy

  • CDN77 accesses the storage via specific user. The username format appears as "cdn77-bucketname"
  • Here you can see the format of the bucket policy that will be set (JSON format)
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": ["arn:aws:iam:::user/cdn77-bucketname"]
      },
      "Action": "s3:GetObject",
      "Resource": ["arn:aws:s3:::bucketname/*"]
    }
  ]
}
  • The master user has absolute control over the bucket, so it is also capable of specifying files or prefixes that shouldn't be accessible over the CDN via bucket policy feature.
    ⚠ Don't forget that with great power comes great responsibility. Changing bucket policy could break the connection between the bucket and the CDN Resource, which can lead to delivery disruption!
  • Here is an example of a bucket policy that removes access to prefix SECRET-PREFIX over CDN
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": ["arn:aws:iam:::user/cdn77-bucketname"]
      },
      "Action": "s3:GetObject",
      "Resource": ["arn:aws:s3:::bucketname/*"]
    },
    {
      "Effect": "Deny",
      "Principal": {
        "AWS": ["arn:aws:iam:::user/cdn77-bucketname"]
      },
      "Action": "s3:GetObject",
      "Resource": ["arn:aws:s3:::bucketname/SECRET-PREFIX/*"]
    }
  ]
}

Bucket Website

CDN Resources use S3 website API to link to a bucket. For this to work properly, the CDN uses the Bucket Website option, which is enabled by default. Disabling this would lead to a 404 response with the error NoSuchWebsiteConfiguration, which exposes the bucket name in the error message.

Here is the Bucket Website configuration that will be set by default (XML format):

<?xml version="1.0" encoding="UTF-8"?>
<WebsiteConfiguration xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
    <IndexDocument>
        <Suffix>index.html</Suffix>
    </IndexDocument>
</WebsiteConfiguration>

Additionally, to prevent the bucket name from being exposed in the error message, you can set up a custom error page by editing the BucketWebsiteConfiguration. This will show your custom error page instead of the default error page.

This can be achieved with API

To prevent these default errors, it is recommended to set a custom error page by editing the BucketWebsiteConfiguration. This will show your custom error document instead of the default error codes.

<?xml version="1.0" encoding="UTF-8"?>
<WebsiteConfiguration xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
    <IndexDocument>
        <Suffix>index.html</Suffix>
    </IndexDocument>
    <ErrorDocument>
        <Suffix>error.html</Suffix>
    </ErrorDocument>
</WebsiteConfiguration>
Can’t find what you are looking for?