I don’t know what the minimum privileges are, but if you limit the plugin to a specific user and give it privileges on a specific bucket, you should be fine. I have the following for an IAM user whose sole purpose is to handle W3TC for our sites:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::my-prefix-w3tc-*",
                "arn:aws:s3:::my-prefix-w3tc-*/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListAllMyBuckets"
            ],
            "Resource": "arn:aws:s3:::*"
        }
    ]
}
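An added example, not part of the original post or of W3TC: a short Python audit of the policy above that reports, per Allow statement, whether a wildcard action is confined to the plugin's bucket prefix. The function names `audit` and `as_list` and the wording of the findings are assumptions made for illustration.

```python
import json

# The policy from the post above, embedded so the check runs offline.
POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "s3:*",
     "Resource": ["arn:aws:s3:::my-prefix-w3tc-*",
                  "arn:aws:s3:::my-prefix-w3tc-*/*"]},
    {"Effect": "Allow", "Action": ["s3:ListAllMyBuckets"],
     "Resource": "arn:aws:s3:::*"}
  ]
}
""")

def as_list(value):
    """IAM accepts a single string or a list for Action and Resource."""
    return [value] if isinstance(value, str) else list(value)

def audit(policy, bucket_prefix):
    """Return (statement index, finding) for every broad Allow statement."""
    findings = []
    statements = policy["Statement"]
    if isinstance(statements, dict):  # a lone statement may be a bare object
        statements = [statements]
    for i, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append((i, "NotAction/NotResource with Allow: review by hand"))
            continue
        actions = as_list(stmt["Action"])
        resources = as_list(stmt["Resource"])
        wild = [a for a in actions if "*" in a or "?" in a]
        unscoped = [r for r in resources
                    if not r.startswith("arn:aws:s3:::" + bucket_prefix)]
        if wild and unscoped:
            findings.append((i, f"wildcard action {wild} on unscoped resource {unscoped}"))
        elif wild:
            findings.append((i, f"wildcard action {wild}, confined to {bucket_prefix}* buckets"))
        elif unscoped:
            findings.append((i, f"named action {actions} on unscoped resource {unscoped}"))
    return findings

if __name__ == "__main__":
    for index, finding in audit(POLICY, "my-prefix-w3tc-"):
        print(f"Statement[{index}]: {finding}")
```

Both statements are reported: the first because `s3:*` also covers bucket administration actions such as `s3:DeleteBucket` and `s3:PutBucketPolicy` on the matching buckets, the second because `s3:ListAllMyBuckets` is granted account-wide, which only exposes bucket names.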
Thread Starter
lbrent
(@lbrent)
Thanks. I used a policy like this. It fails the “test upload” button for me on the general settings tab, but I think it does indeed work, which it should.
Do you have any insight for CloudFront permissions? Frankly, I am not sure how w3tc interacts with CloudFront. What I would like to do is create my distribution on my own and set the origin to my S3 bucket, but I am thinking w3tc needs to set CloudFront behaviors. So my question is what permissions do I need to give w3tc user re CloudFront?
Thanks again!