@j-un
Created November 15, 2018 20:07
CloudFormation template snippet - CloudFront Distribution with a S3 Origin
AWSTemplateFormatVersion: 2010-09-09
Description: CloudFront Distribution with a S3 Origin (restrict direct access to S3 using OAI)
Parameters:
  CustomDomain:
    Type: String
    Description: Domain name of your website.
  CertificateARN:
    Type: String
    Description: SSL Certificate ARN. SSL Certificate must be in us-east-1 region.
Resources:
  ContentsBucket:
    Type: 'AWS::S3::Bucket'
    DeletionPolicy: Retain
  # The only grant in this policy is s3:GetObject for the CloudFront
  # Origin Access Identity (OAI) defined at the end of the template.
  ContentsBucketPolicy:
    Type: 'AWS::S3::BucketPolicy'
    Properties:
      Bucket: !Ref ContentsBucket
      PolicyDocument:
        Statement:
          - Action: 's3:GetObject'
            Effect: Allow
            Resource: !Sub 'arn:aws:s3:::${ContentsBucket}/*'
            Principal:
              # The folded scalar joins the two lines with a single space,
              # giving "...CloudFront Origin Access Identity <OAI id>".
              AWS: !Sub >-
                arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity
                ${CloudFrontOriginAccessIdentity}
  ContentsDistribution:
    Type: 'AWS::CloudFront::Distribution'
    Properties:
      DistributionConfig:
        Aliases:
          - !Ref CustomDomain
        Origins:
          - Id: S3Origin
            DomainName: !GetAtt ContentsBucket.DomainName
            S3OriginConfig:
              # CloudFront signs origin requests as this OAI
              OriginAccessIdentity: !Sub >-
                origin-access-identity/cloudfront/${CloudFrontOriginAccessIdentity}
        Enabled: true
        DefaultRootObject: index.html
        Comment: !Sub '${AWS::StackName} distribution'
        DefaultCacheBehavior:
          TargetOriginId: S3Origin
          ForwardedValues:
            QueryString: false
          # Plain-HTTP viewer requests are redirected to HTTPS
          ViewerProtocolPolicy: redirect-to-https
        ViewerCertificate:
          SslSupportMethod: sni-only
          # TLSv1 still accepts TLS 1.0 viewers; CloudFront also offers
          # stricter security policies such as TLSv1.2_2021.
          MinimumProtocolVersion: TLSv1
          AcmCertificateArn: !Ref CertificateARN
  CloudFrontOriginAccessIdentity:
    Type: 'AWS::CloudFront::CloudFrontOriginAccessIdentity'
    Properties:
      CloudFrontOriginAccessIdentityConfig:
        Comment: !Ref 'AWS::StackName'