In the Origins tab, expand the Origin access column. Copy the string that appears after the final /.
Go back to S3 and open the imga-website bucket. In the Permissions tab, under the Bucket Policy section:
If the policy was automatically created during the CloudFront setup, no further action is needed. However, if no policy exists, you will need to add one manually. Click Edit to open the policy editor.
You can use the following sample policy, replacing the ID at the end of the Principal value with the string you copied:
{
    "Version": "2008-10-17",
    "Id": "PolicyForCloudFrontPrivateContent",
    "Statement": [
        {
            "Sid": "1",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity E3H1YR9ZE7FBTA"
            },
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::imga-website/*"
        }
    ]
}
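Before saving, it is worth confirming that the policy grants read access to the Origin Access Identity and to nothing else. The check below is an added example, not part of the original page: `audit_policy` and `as_list` are hypothetical helper names, the ARN pattern is taken from the sample policy above, and the public-read variant is constructed for comparison.

```python
import json
import re

# Principal format as it appears in the sample policy above.
OAI_ARN = re.compile(
    r"^arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity ([A-Z0-9]+)$")

def as_list(value):
    return value if isinstance(value, list) else [value]

def audit_policy(policy_json, bucket, oai_id):
    """Return findings; an empty list means only the given OAI may read objects."""
    findings, granted = [], False
    expected_resource = f"arn:aws:s3:::{bucket}/*"
    for stmt in as_list(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements cannot widen access
        sid = stmt.get("Sid", "<no Sid>")
        principal = stmt.get("Principal", {})
        # Principal is either the string "*" or a map such as {"AWS": ...}.
        principals = ["*"] if principal == "*" else [
            p for v in principal.values() for p in as_list(v)]
        problems = []
        for p in principals:
            match = OAI_ARN.match(p)
            if p == "*":
                problems.append(f"{sid}: public principal '*' allows reads that bypass CloudFront")
            elif not match or match.group(1) != oai_id:
                problems.append(f"{sid}: unexpected principal {p!r}")
        if as_list(stmt.get("Action", [])) != ["s3:GetObject"]:
            problems.append(f"{sid}: grants more than s3:GetObject")
        if as_list(stmt.get("Resource", [])) != [expected_resource]:
            problems.append(f"{sid}: resource is not {expected_resource}")
        granted = granted or (bool(principals) and not problems)
        findings += problems
    if not granted:
        findings.append("no statement grants s3:GetObject to the expected OAI")
    return findings

# The page's sample policy, and a constructed public-read variant for comparison.
PAGE_POLICY = json.dumps({"Version": "2008-10-17", "Statement": [{
    "Sid": "1", "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity E3H1YR9ZE7FBTA"},
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::imga-website/*"}]})
PUBLIC_POLICY = json.dumps({"Version": "2008-10-17", "Statement": [{
    "Sid": "open", "Effect": "Allow", "Principal": "*",
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::imga-website/*"}]})

if __name__ == "__main__":
    for name, doc in (("page policy", PAGE_POLICY), ("public variant", PUBLIC_POLICY)):
        print(name, "->", audit_policy(doc, "imga-website", "E3H1YR9ZE7FBTA") or "OK")
```

Pass the ID you copied from the Origins tab as `oai_id`; any finding means the policy should be reviewed before it is saved.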