amazon-web-services - How can I only allow a specific origin to access content from Cloudfront/S3 Origins when requested via iFrame? - TagMerge

How can I only allow a specific origin to access content from Cloudfront/S3 Origins when requested via iFrame?

Asked 1 year ago
0
4 answers

In order to get better support from the community, share the specific use cases in your question and describe in detail what you tried and what errors you got.

There are various ways to achieve what you mentioned in the picture:

  • Create multiple CloudFront Distributions for each domain and they can have either same or unique origins as per the need

  • Instead of domains, redirect traffic using "paths" or "routes", e.g. same-domain.com/path1, same-domain.com/path2, etc.

  • Use Lambda@Edge and redirect the traffic based on domains

You can't have redirection (the Behaviours functionality of CloudFront) using multiple domains.

Source: link

0

Check if the origin returns the "Access-Control-Allow-Origin" header by running a curl command similar to the following:
curl -H "origin: example.com" -v "https://www.anything.net/video/call/System.generateId.dwr"
If the CORS policy allows the origin to return the header, the command returns a message similar to the following:
HTTP/1.1 200 OK
Server: nginx/1.10.2
Date: Mon, 01 May 2018 03:06:41 GMT
Content-Type: text/html
Content-Length: 3770
Last-Modified: Thu, 16 Mar 2017 01:50:52 GMT
Connection: keep-alive
ETag: "58c9ef7c-eba"
Access-Control-Allow-Origin: example.com
Accept-Ranges: bytes

Source: link

0

For each resource/page that Site B wants to make accessible to Site A, Site B should serve its pages with the response header:
Access-Control-Allow-Origin: http://siteA.com
Supposing that Site A wants to send a PUT request for /somePage, with a non-simple Content-Type value of application/json, the browser would first send a preflight request:
OPTIONS /somePage HTTP/1.1
Origin: http://siteA.com
Access-Control-Request-Method: PUT
Access-Control-Request-Headers: Content-Type
Note that Access-Control-Request-Method and Access-Control-Request-Headers are added by the browser automatically; you do not need to add them. This OPTIONS preflight gets the successful response headers:
Access-Control-Allow-Origin: http://siteA.com
Access-Control-Allow-Methods: GET, POST, PUT
Access-Control-Allow-Headers: Content-Type
The browser then sends the actual request:
PUT /somePage HTTP/1.1
Origin: http://siteA.com
Content-Type: application/json

{ "myRequestContent": "JSON is so great" }
And the server sends back an Access-Control-Allow-Origin, just as it would for a simple request:
Access-Control-Allow-Origin: http://siteA.com

Source: link
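The preflight/actual-request exchange above, as an added example that is not part of any answer on this page: an origin-side handler that allows only an explicit allowlist of origins (the allowlist, method and header values are constructed for illustration), rejects everything else instead of reflecting the Origin header, and emits Vary: Origin so a CloudFront cache does not serve one origin's allowed response to another.

```javascript
// Allowlist of full origins (scheme + host + port). Constructed for this example.
const ALLOWED_ORIGINS = new Set(['https://siteA.example']);
const ALLOWED_METHODS = ['GET', 'POST', 'PUT'];
const ALLOWED_HEADERS = ['content-type'];

// Decide the CORS response for one request.
// `req` is a plain object {method, headers} with lowercase header names;
// returns {status, headers} (headers is empty when the request is refused).
function corsHeaders(req) {
  const origin = req.headers['origin'];
  // Exact match only: never echo back an arbitrary Origin value.
  if (!origin || !ALLOWED_ORIGINS.has(origin)) {
    return { status: 403, headers: {} };
  }
  const headers = {
    'access-control-allow-origin': origin,
    // The response depends on Origin, so caches must key on it.
    'vary': 'origin',
  };
  // Preflight: validate the requested method and headers before approving.
  if (req.method === 'OPTIONS' && req.headers['access-control-request-method']) {
    const method = req.headers['access-control-request-method'].toUpperCase();
    const requested = (req.headers['access-control-request-headers'] || '')
      .split(',')
      .map((h) => h.trim().toLowerCase())
      .filter(Boolean);
    if (!ALLOWED_METHODS.includes(method) ||
        !requested.every((h) => ALLOWED_HEADERS.includes(h))) {
      return { status: 403, headers: {} };
    }
    headers['access-control-allow-methods'] = ALLOWED_METHODS.join(', ');
    headers['access-control-allow-headers'] = ALLOWED_HEADERS.join(', ');
    headers['access-control-max-age'] = '600';
    return { status: 204, headers };
  }
  // Actual (simple or post-preflight) request: only the origin header is needed.
  return { status: 200, headers };
}
```

A browser-side iframe or fetch from https://siteA.example gets the PUT preflight approved, while a request carrying any other Origin, or asking for a method outside the allowlist, is refused with no CORS headers at all.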

0

Update: I tried to combine the api_gateway resource with s3_bucket_object as a data source, but Terraform probably does not see it. It reports that there are no changes.
data "aws_s3_bucket_object" "open_api" {
  bucket = aws_s3_bucket.lambda_functions_bucket.bucket
  key    = "openapi-${var.current_api_version}.yaml"
}

resource "aws_api_gateway_rest_api" "default" {
  name    = "main-gateway"
  body    = data.aws_s3_bucket_object.open_api.body
  endpoint_configuration {
    types = ["REGIONAL"]
  }
}
I also tried to achieve it by using template_file:
data "aws_s3_bucket_object" "open_api" {
  bucket = aws_s3_bucket.lambda_functions_bucket.bucket
  key    = "openapi-${var.current_api_version}.yaml"
}

data "template_file" "open_api" {
  template = data.aws_s3_bucket_object.open_api.body
  vars     = {
    lambda_invocation_arn_user_post    = aws_lambda_function.user_post.invoke_arn
    lambda_invocation_arn_webhook_post = aws_lambda_function.webhook_post.invoke_arn
  }
}

resource "aws_api_gateway_rest_api" "default" {
  name    = "main-gateway"
  body    = data.template_file.open_api.rendered
  endpoint_configuration {
    types = ["REGIONAL"]
  }
}
But I don't know how to configure the presign_upload method to generate the AWS S3 link with the upload id using ex_aws_s3:
defp presign_upload(entry, socket) do
  {:ok, %{"Location" => link}} =
    SomeTube.start_session(%{
      "uploadType" => "resumable",
      "x-upload-content-length" => entry.client_size
    })

  {:ok, %{uploader: "UpChunk", entrypoint: link}, socket}
end
I'm trying to set one replication rule from an AWS account to another. I have configured the AWS IAM role and the destination bucket policy, but once I want to test if the replication works, I get the replication status 'FAILED'. The destination bucket is configured to restrict access to only CloudFront using OAI. I have configured multiple statements for the bucket permission:
{
    "Version": "2012-10-17",
    "Id": "PolicyForCloudFrontPrivateContent",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity OAI_ID"
            },
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::destination/*"
        },
        {
            "Sid": "Set permissions for objects",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::source-bucket-acct-ID:role/source-acct-IAM-role"
            },
            "Action": ["s3:ReplicateObject", "s3:ReplicateDelete"],
            "Resource": "arn:aws:s3:::destination/*"
        },
        {
            "Sid": "Set permissions on bucket",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::source-bucket-acct-ID:role/source-acct-IAM-role"
            },
            "Action": ["s3:List*", "s3:GetBucketVersioning", "s3:PutBucketVersioning"],
            "Resource": "arn:aws:s3:::destination"
        }
    ]
}
This is my table creation:
CREATE EXTERNAL TABLE IF NOT EXISTS `test_db`.`test_data` (
  `tbl_timestamp` timestamp,
  `colmn1` string,
  `colmn2` string,
  `colmn3` string
)
ROW FORMAT SERDE 'org.openx.data.jsonserde.JsonSerDe' 
WITH SERDEPROPERTIES (
  'serialization.format' = '1'
) LOCATION 's3://input-data/test_data/'
TBLPROPERTIES ('has_encrypted_data'='false',
               'skip.header.line.count'='1');

Source: link
