CloudFront Distributions - General: "The security token included in the request is invalid"


Hi, last Friday, out of nowhere, I got an alert "The security token included in the request is invalid". The alert showed just below "Custom SSL certificate - optional" in each one of my 6 distributions. I did nothing new and have no theory about where this came from.

  • I do not have MFA enabled and I am logged in with the root user. There is only one identity, with permission only for Route 53.
  • I immediately changed the root user password.
  • I contacted AWS support and they told me that, outside of paid support, they can only advise me to go through these guides:

https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/using-https-viewers-to-cloudfront.html
https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/cnames-and-https-requirements.html

There is nothing in those articles which I changed or which I can suspect.

  • All CloudFront distributions are connected on port 443 to the origin
  • All "Viewer protocol policy" settings are Redirect HTTP to HTTPS
  • Cache policies are Managed-CachingDisabled or Managed-CachingOptimized
  • Origin request policies are Managed-AllViewer
  • Protocols are HTTPS only
  • I have used 2 simple CloudFront functions for a long time

Please take a look at the image and, if anyone has any idea what could trigger that or at least where I should dig, please give me a hint.

[screenshot: "The security token included in the request is invalid"]
4 answers
Hello.

Is an IAM user performing that operation?
If you are operating as an IAM user, there is a possibility that the policy is insufficient.
Furthermore, even if you are using the root user, such an error may occur if operations are restricted by an Organizations SCP, etc.
https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html

EXPERT
answered 8 months ago
  • Hi,

    No, as I explained, the root user is performing the operation. The IAM user only has AmazonRoute53FullAccess permissions and console access disabled. The IAM user is only used for dns-01 Let's Encrypt validation.

    • Regarding Organizations SCP: This account is NOT a member of an organization, hence it cannot be restricted by an Organizations SCP.
    • Otherwise everything works fine. I can create and edit distributions without any limitations (at least for what I have done so far). The setup is simple. Do you have any other idea what that could be?

Hi, bgbs. Do you use IaC, like Terraform or CloudFormation, for provisioning certificates and provisioning CloudFront?

EXPERT
answered 8 months ago
  • No, CloudFront distributions are manually provisioned via the admin panel with the root user. I have 1 IAM user with the AmazonRoute53FullAccess permission, which I use to issue Let's Encrypt SSL certificates with a 3rd-party service, where I add the access key and secret of this IAM user. That access key was created 55 days ago.

Thanks for your answer. Could you please confirm that the certificate is still valid and not expired?

EXPERT
answered 8 months ago
  • The error shows in all distributions I have, and even when I start creating a new distribution, before even deploying it. All SSL certificates are valid, expiring at the end of next year.

    [screenshots: All SSL certificates; Creating New Distribution]


This is clearly a bug, but Amazon doesn't appear to have a feedback page. I worked around it using help from this page: Update cloudfront configuration using awscli https://stackoverflow.com/a/66960593

ct1003
answered 8 months ago
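The workaround in the last answer (fetch the distribution config with awscli, edit it, push it back with `update-distribution`) has a step that is easy to get wrong: the `ETag` returned next to the config has to be passed back as `--if-match`, and the `DistributionConfig` object has to be written out on its own, without the wrapper. The Python below is an added example, not code from this thread or from the linked Stack Overflow answer. It unwraps a constructed sample response, runs the custom-SSL checks from the linked CNAME/HTTPS requirements guide (a custom certificate must be attached when alternate domain names are set, and an ACM certificate used by CloudFront must be in us-east-1), and builds the awscli command. The distribution ID, ETag, certificate ARN, policy ID and domain names are made up, and the script never calls AWS itself.

```python
import json
import os
import re
import tempfile

# Constructed sample (not real AWS output) in the shape that
# `aws cloudfront get-distribution-config --id <ID>` prints: the "ETag" sits
# next to the config, while update-distribution wants the bare config in a
# file and the ETag as --if-match. IDs, ARN, policy ID and domains are made up.
SAMPLE_GET_RESPONSE = json.dumps({
    "ETag": "E3EXAMPLEETAG",
    "DistributionConfig": {
        "CallerReference": "sample-caller-ref",
        "Aliases": {"Quantity": 1, "Items": ["www.example.com"]},
        "DefaultRootObject": "index.html",
        "Origins": {"Quantity": 1, "Items": [{
            "Id": "origin-1", "DomainName": "origin.example.com",
            "CustomOriginConfig": {"HTTPPort": 80, "HTTPSPort": 443,
                                   "OriginProtocolPolicy": "https-only"}}]},
        "DefaultCacheBehavior": {
            "TargetOriginId": "origin-1",
            "ViewerProtocolPolicy": "redirect-to-https",
            "CachePolicyId": "00000000-0000-0000-0000-000000000000"},  # sample value
        "Comment": "",
        "Enabled": True,
        "ViewerCertificate": {
            "ACMCertificateArn": "arn:aws:acm:us-east-1:123456789012:"
                                 "certificate/11111111-2222-3333-4444-555555555555",
            "SSLSupportMethod": "sni-only",
            "MinimumProtocolVersion": "TLSv1.2_2021"},
    },
})

ACM_ARN = re.compile(r"^arn:aws:acm:([a-z0-9-]+):\d{12}:certificate/[0-9a-f-]+$")


def split_get_response(text):
    """Return (etag, config) from get-distribution-config JSON output."""
    doc = json.loads(text)
    try:
        return doc["ETag"], doc["DistributionConfig"]
    except KeyError as missing:
        raise ValueError(f"not get-distribution-config output, missing {missing}") from None


def check_viewer_certificate(config):
    """Return the problems found in the custom-SSL settings (empty list if none).

    Rules from the CNAME/HTTPS requirements: alternate domain names need a custom
    certificate, and an ACM certificate used by CloudFront must be in us-east-1.
    """
    problems = []
    vc = config.get("ViewerCertificate", {})
    has_aliases = config.get("Aliases", {}).get("Quantity", 0) > 0
    arn = vc.get("ACMCertificateArn")
    if has_aliases and not (arn or vc.get("IAMCertificateId")):
        problems.append("alternate domain names are set but no custom certificate is attached")
    if arn:
        match = ACM_ARN.match(arn)
        if not match:
            problems.append(f"ACMCertificateArn is not an ACM certificate ARN: {arn}")
        elif match.group(1) != "us-east-1":
            problems.append(f"ACM certificate is in {match.group(1)}; CloudFront only "
                            "accepts certificates from us-east-1")
    return problems


def build_update_command(dist_id, etag, config_path):
    """The awscli call that pushes the edited config back; --if-match must carry
    the ETag from the GET, otherwise (or with a stale one) the update is rejected."""
    return ["aws", "cloudfront", "update-distribution", "--id", dist_id,
            "--if-match", etag, "--distribution-config", f"file://{config_path}"]


def prepare_update(dist_id, get_response_text, out_dir, edit=None):
    """Unwrap the GET output, apply edit(config) if given, refuse known-bad
    certificate settings, write the bare config and return (etag, path, command)."""
    etag, config = split_get_response(get_response_text)
    if edit is not None:
        edit(config)
    problems = check_viewer_certificate(config)
    if problems:
        raise ValueError("; ".join(problems))
    path = os.path.join(out_dir, f"{dist_id}-config.json")
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(config, fh, indent=2)
    return etag, path, build_update_command(dist_id, etag, path)


def demo():
    """Run the workflow on the sample in a temp dir; returns (etag, command)."""
    with tempfile.TemporaryDirectory() as tmp:
        etag, _path, cmd = prepare_update(
            "E2EXAMPLE1", SAMPLE_GET_RESPONSE, tmp,
            edit=lambda c: c.__setitem__("Comment", "edited via awscli"))
    return etag, cmd


if __name__ == "__main__":
    etag, cmd = demo()
    print("ETag:", etag)
    print(" ".join(cmd))
```

To use it against a real distribution, save the output of `aws cloudfront get-distribution-config --id <ID>` to a file, pass its contents as `get_response_text`, apply your change in `edit`, then run the printed command. Keeping the ETag from the same GET that produced the config is what protects you from overwriting a change made in between; if the update is rejected for a precondition failure, fetch again rather than reusing the old value.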
