IAM Policies do not allow restriction of access to specific CloudFront distributions. The solution is to use a wildcard for the resource, instead of only referencing a specific CloudFront resource. Adding that to your IAM policy will fix the issue you're having.
Here is an example of that in a working IAM policy:
{
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "cloudfront:CreateInvalidation",
                "cloudfront:GetInvalidation",
                "cloudfront:ListInvalidations"
            ],
            "Resource": "*"
        }
    ]
}
Docs:
I couldn't find how to associate a VPC with a Route53 hosted zone, so I've added to the user_data script the following code:
# Associate this instance's VPC with the private hosted zone unless it is already listed there.
if ! aws route53 get-hosted-zone --id XXXAAA12345 | grep -q "$vpcid"; then
    aws route53 associate-vpc-with-hosted-zone --hosted-zone-id XXXAAA12345 --vpc "VPCRegion=us-west-2,VPCId=$vpcid"
else
    echo "VPC $vpcid is already associated with hosted zone company-private"
fi
The vpcid variable is inherited from the CloudFormation template:
{ "Fn::Join": [ "=", [ "vpcid", { "Ref": "VPC" } ] ] },
Then, I realized that when a VPC is deleted, its association to the Route53 hosted zone remains.
In order to make sure that old associations are removed, I've added the following code to the user_data script:
# The account's default VPC must never be disassociated.
defaultvpc="vpc-20AAAA4b"
# Collect the VPC ids currently associated with the hosted zone.
# --query/--output text replaces the grep|awk|tr pipeline, which depended on JSON line layout.
vpc_array=()
for vpc in $(aws route53 get-hosted-zone --id XXXAAA12345 --query 'VPCs[].VPCId' --output text); do
    vpc_array+=("$vpc")
done
# Every association other than the current VPC and the default VPC is treated as stale,
# so this is only safe when no other live VPC shares the hosted zone.
for i in "${!vpc_array[@]}"; do
    if [[ ${vpc_array[$i]} != "$vpcid" && ${vpc_array[$i]} != "$defaultvpc" ]]; then
        echo "VPC ${vpc_array[$i]} doesn't exist anymore - removing association to Route53 hosted zone"
        aws route53 disassociate-vpc-from-hosted-zone --hosted-zone-id XXXAAA12345 --vpc "VPCRegion=us-west-2,VPCId=${vpc_array[$i]}"
    fi
done
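Added example (not code from the answer above, and not an AWS-provided script): a boto3 version of the same reconciliation that keeps the decision logic separate from the API calls and only drops associations whose VPC EC2 no longer reports, which is the check the loop above does not make. ZONE_ID, REGION and the function names are assumptions; plan_associations is pure so it can be tested without AWS credentials.

```python
# Added example (not the answer's script): reconcile a private hosted zone's
# VPC associations. Disassociation happens only for VPCs that EC2 no longer
# reports, so a zone shared by several live VPCs is not torn down.
# ZONE_ID and REGION are hypothetical placeholders.
from typing import Iterable, List, Tuple

ZONE_ID = "Z_PLACEHOLDER_ZONE_ID"  # hypothetical hosted zone id
REGION = "us-west-2"


def plan_associations(zone_vpcs: Iterable[str], live_vpcs: Iterable[str],
                      current_vpc: str, protected: Iterable[str] = ()
                      ) -> Tuple[List[str], List[str]]:
    """Pure decision logic, kept free of AWS calls so it can be unit-tested.

    Returns (to_associate, to_disassociate): associate the current VPC if the
    zone lacks it; disassociate zone VPCs absent from `live_vpcs`, but never the
    current VPC or anything in `protected` (e.g. the default VPC).
    """
    zone, live = set(zone_vpcs), set(live_vpcs)
    keep = set(protected) | {current_vpc}
    to_associate = [] if current_vpc in zone else [current_vpc]
    to_disassociate = sorted(v for v in zone - live if v not in keep)
    return to_associate, to_disassociate


def reconcile(current_vpc: str, protected: Iterable[str] = (),
              dry_run: bool = True) -> Tuple[List[str], List[str]]:
    """Read zone and EC2 state with boto3, then apply the plan unless dry_run."""
    import boto3  # imported here so plan_associations needs no AWS SDK
    r53 = boto3.client("route53")
    ec2 = boto3.client("ec2", region_name=REGION)
    # Only consider associations in this region: describe_vpcs is regional,
    # so VPCs associated from other regions must not look "gone".
    zone_vpcs = [v["VPCId"] for v in r53.get_hosted_zone(Id=ZONE_ID)["VPCs"]
                 if v["VPCRegion"] == REGION]
    live_vpcs = [v["VpcId"] for v in ec2.describe_vpcs()["Vpcs"]]
    add, remove = plan_associations(zone_vpcs, live_vpcs, current_vpc, protected)
    for vpc_id in add:
        print(f"associate {vpc_id}")
        if not dry_run:
            r53.associate_vpc_with_hosted_zone(
                HostedZoneId=ZONE_ID, VPC={"VPCRegion": REGION, "VPCId": vpc_id})
    for vpc_id in remove:
        print(f"disassociate {vpc_id}: VPC no longer exists")
        if not dry_run:
            r53.disassociate_vpc_from_hosted_zone(
                HostedZoneId=ZONE_ID, VPC={"VPCRegion": REGION, "VPCId": vpc_id})
    return add, remove
```

Run reconcile(current_vpc, protected=[defaultvpc]) in dry-run mode first from an instance role that holds route53:GetHostedZone and ec2:DescribeVpcs, and grant the Associate/Disassociate actions only once the printed plan matches expectations.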
Best Answer
Here's what finally worked for me, using the AWS CLI. I'm aware there are other dependencies besides subnets, but this is a start:
OK, so that didn't work on all of mine. Here's another one: