CloudFront policy to invalidate only specific distribution


I’m using an S3 bucket to store files and CloudFront to distribute them. I have a tool that handles synchronization automatically and it works great.

However, I want to be able to also create CloudFront invalidations programmatically. What statement do I need to add to the tool’s policy in order to allow creating invalidation only for this specific distribution?

Right now, I have this statement:

But, as you can see, it allows creating invalidations for any distribution in the account.

I’ve tried to use these values for Resource property, but for some reason the tool gave me an error, saying that access is denied:

  • arn:aws:cloudfront::12345678:distribution/ABCDEFG
  • arn:aws:cloudfront:::distribution/ABCDEFG

What do I need to specify in Resource property in order to allow creation of invalidation only for the specific distribution?

Its ARN is arn:aws:cloudfront::12345678:distribution/ABCDEFG, for example.


The cloudfront:CreateInvalidation command does not support resource-level permissions. For this reason, only * is supported. Thus, it is not possible to restrict a user/role to only be able to invalidate a specific distribution.
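As an added example (not the answerer's code), a small Python audit that reads an IAM policy document and reports, for each statement granting cloudfront:CreateInvalidation, whether it is scoped to "*" (every distribution in the account) or to a distribution ARN (which, per the answer above, is not honoured for this action). The account id and distribution id are the question's placeholders, and the policy is constructed inline.

```python
import json
from fnmatch import fnmatch

# Constructed sample policy: the questioner's ARN-scoped attempt next to the
# wildcard form the answer says is the only one CloudFront honours.
# Account id 12345678 and distribution ABCDEFG are placeholders from the question.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "cloudfront:CreateInvalidation",
         "Resource": "arn:aws:cloudfront::12345678:distribution/ABCDEFG"},
        {"Effect": "Allow",
         "Action": ["s3:ListBucket", "cloudfront:CreateInvalidation"],
         "Resource": "*"},
    ],
}

TARGET_ACTION = "cloudfront:CreateInvalidation"


def _as_list(value):
    """IAM allows a string or a list for Action/Resource/Statement."""
    return value if isinstance(value, list) else [value]


def audit_create_invalidation(policy):
    """Return one finding per Allow statement that grants CreateInvalidation.

    Action names are matched case-insensitively and honour IAM wildcards
    such as "cloudfront:*". A Resource of "*" is reported as account-wide;
    anything else is reported as ineffective, following the answer above
    that this action supports no resource-level permissions.
    """
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        if not any(fnmatch(TARGET_ACTION.lower(), a) for a in actions):
            continue
        resources = _as_list(stmt.get("Resource", []))
        if "*" in resources:
            scope = "all distributions in the account"
        else:
            scope = "ineffective: resource-level ARN not supported for this action"
        findings.append({"statement": idx, "resources": resources, "scope": scope})
    return findings


if __name__ == "__main__":
    print(json.dumps(audit_create_invalidation(SAMPLE_POLICY), indent=2))
```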

