How do I use my CloudFront distribution to restrict access to an Amazon S3 bucket?

Question

hello, i have already set up cloudfront ditributions accessing to public s3e buckets and now i am trying to follow the "option 1" of this post https://aws.amazon.com/it/premiumsupport/knowledge-center/cloudfront-access-to-amazon-s3/ to allow the access to my s3 only from a cloudfront distribution. after having completed all the steps if i try to get any resource, for example https://d3ivmkao0hsjcl.cloudfront.net/FILE_ESERCIZI/1/Air_bike_13_MP4_1000_18MG_1000p.m3u8, i obtain this error

<Error>
<Code>SignatureDoesNotMatch</Code>
<Message>The request signature we calculated does not match the signature you provided. Check your key and signing method.</Message>
<AWSAccessKeyId>ASIA5EJGWF5XU7GEHKG2</AWSAccessKeyId>
<StringToSign>AWS4-HMAC-SHA256 20230127T103516Z 20230127/eu-central-1/s3/aws4_request b86c5fb2ebeff3ad8b3099231cf7b9619898941e67243b97eafb983c89a12349</StringToSign>
<SignatureProvided>c7c649388d0dc4a9959e84e47d15eb9ba6c547728a97d710cf5e39b86e84f412</SignatureProvided>
<StringToSignBytes>41 57 53 34 2d 48 4d 41 43 2d 53 48 41 32 35 36 0a 32 30 32 33 30 31 32 37 54 31 30 33 35 31 36 5a 0a 32 30 32 33 30 31 32 37 2f 65 75 2d 63 65 6e 74 72 61 6c 2d 31 2f 73 33 2f 61 77 73 34 5f 72 65 71 75 65 73 74 0a 62 38 36 63 35 66 62 32 65 62 65 66 66 33 61 64 38 62 33 30 39 39 32 33 31 63 66 37 62 39 36 31 39 38 39 38 39 34 31 65 36 37 32 34 33 62 39 37 65 61 66 62 39 38 33 63 38 39 61 31 32 33 34 39</StringToSignBytes>
<CanonicalRequest>GET /FILE_ESERCIZI/1/Air_bike_13_MP4_1000_18MG_1000p.m3u8 host:d3ivmkao0hsjcl.cloudfront.net x-amz-content-sha256:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 x-amz-date:20230127T103516Z x-amz-security-token:IQoJb3JpZ2luX2VjEMv//////////wEaCXVzLWVhc3QtMSJIMEYCIQCys+hSN+dHpTt70PlOmbDN49btdyspVqfRxXKlXjVroAIhANz2DeVBwy4bbTCHocJn6sUCiPTU+fkNtkPdogF3CrkhKt8CCEMQABoMOTAyNTYxMTQ4NzgzIgz0l+2qmyNCySNEYC8qvAJz5zAg8pASCaElSFn4oTQjV4ceO5ueUObcbcpW7o3WTV7Ka904W7Woemw0kW3qfQ9FCuT5fG5AZrHMLNipyWKsJx7rXkv3YeoVj0LFKS5McZFrliG6TpC9p6YPfz3LteM2biURYvha6Qvq1tMThZG/Sz4qBcT7Q4LzYRuEAqY4rMAvBv0WKwZgxgZjevKlqjd9fndfs5vS7KMGZhXLwujT2XwNKt3PNMb64F5v/RGBXp6SgOngFlERdXjoXkdSqXCJWUUF7dBXHiNvWSyrFNZo5vDmfJPAy320BNfBma4IOLQZXpdKOQ51zjTVb01C6mFQHKdomWpkku981KknubBBZE5wOvn9f4SnDr+P2x/azo2Pl95YabGUqe06VL2nXvbfiHukIARyEwT+/Bco/L+spkkzQwyospGx8ANRMIvHzp4GOr4BmI4MD2vNWZnBrjUx0AQXW9ggbT7yk/59mUP3yIKXwmXcOeKR0eYSf6K1fgvyiZYKvxqVvIWKwoog5guVoQaMCBNEVJm8X3TaZcDWMfgm64s0nPrJsv1+KOBMmjg14w6o1F3gynEMCImsTNZZ84dK8BNKKw38B/8RweLHMj8r4pWfWhyUXGiDgoADIt3ma4E7vlQVNj0FmvbmIpyYgeueE+lzB2T74IzREhWUbzWuMf9EbR8JG4sw9NmbphkrQw== x-amz-source-account:374453910143 x-amz-source-arn:arn:aws:cloudfront::374453910143:distribution/E35XBYXZDKV4SS host;x-amz-content-sha256;x-amz-date;x-amz-security-token;x-amz-source-account;x-amz-source-arn e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855</CanonicalRequest>
<CanonicalRequestBytes>47 45 54 0a 2f 46 49 4c 45 5f 45 53 45 52 43 49 5a 49 2f 31 2f 41 69 72 5f 62 69 6b 65 5f 31 33 5f 4d 50 34 5f 31 30 30 30 5f 31 38 4d 47 5f 31 30 30 30 70 2e 6d 33 75 38 0a 0a 68 6f 73 74 3a 64 33 69 76 6d 6b 61 6f 30 68 73 6a 63 6c 2e 63 6c 6f 75 64 66 72 6f 6e 74 2e 6e 65 74 0a 78 2d 61 6d 7a 2d 63 6f 6e 74 65 6e 74 2d 73 68 61 32 35 36 3a 65 33 62 30 63 34 34 32 39 38 66 63 31 63 31 34 39 61 66 62 66 34 63 38 39 39 36 66 62 39 32 34 32 37 61 65 34 31 65 34 36 34 39 62 39 33 34 63 61 34 39 35 39 39 31 62 37 38 35 32 62 38 35 35 0a 78 2d 61 6d 7a 2d 64 61 74 65 3a 32 30 32 33 30 31 32 37 54 31 30 33 35 31 36 5a 0a 78 2d 61 6d 7a 2d 73 65 63 75 72 69 74 79 2d 74 6f 6b 65 6e 3a 49 51 6f 4a 62 33 4a 70 5a 32 6c 75 58 32 56 6a 45 4d 76 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 77 45 61 43 58 56 7a 4c 57 56 68 63 33 51 74 4d 53 4a 49 4d 45 59 43 49 51 43 79 73 2b 68 53 4e 2b 64 48 70 54 74 37 30 50 6c 4f 6d 62 44 4e 34 39 62 74 64 79 73 70 56 71 66 52 78 58 4b 6c 58 6a 56 72 6f 41 49 68 41 4e 7a 32 44 65 56 42 77 79 34 62 62 54 43 48 6f 63 4a 6e 36 73 55 43 69 50 54 55 2b 66 6b 4e 74 6b 50 64 6f 67 46 33 43 72 6b 68 4b 74 38 43 43 45 4d 51 41 42 6f 4d 4f 54 41 79 4e 54 59 78 4d 54 51 34 4e 7a 67 7a 49 67 7a 30 6c 2b 32 71 6d 79 4e 43 79 53 4e 45 59 43 38 71 76 41 4a 7a 35 7a 41 67 38 70 41 53 43 61 45 6c 53 46 6e 34 6f 54 51 6a 56 34 63 65 4f 35 75 65 55 4f 62 63 62 63 70 57 37 6f 33 57 54 56 37 4b 61 39 30 34 57 37 57 6f 65 6d 77 30 6b 57 33 71 66 51 39 46 43 75 54 35 66 47 35 41 5a 72 48 4d 4c 4e 69 70 79 57 4b 73 4a 78 37 72 58 6b 76 33 59 65 6f 56 6a 30 4c 46 4b 53 35 4d 63 5a 46 72 6c 69 47 36 54 70 43 39 70 36 59 50 66 7a 33 4c 74 65 4d 32 62 69 55 52 59 76 68 61 36 51 76 71 31 74 4d 54 68 5a 47 2f 53 7a 34 71 42 63 54 37 51 34 4c 7a 59 52 75 45 41 71 59 34 72 4d 41 76 42 76 30 57 4b 77 5a 67 78 67 5a 6a 65 76 4b 6c 71 6a 64 39 66 6e 64 66 73 35 76 53 37 4b 4d 47 5a 68 58 4c 77 75 6a 54 32 58 77 4e 4b 74 33 50 4e 4d 62 36 34 46 35 76 2f 52 47 42 58 70 36 53 67 4f 6e 67 46 6c 45 52 64 58 6a 6f 58 6b 64 53 71 58 43 4a 57 55 55 46 37 64 42 58 48 69 4e 76 57 53 79 72 46 4e 5a 6f 35 76 44 6d 66 4a 50 41 79 33 32 30 42 4e 66 42 6d 61 34 49 4f 4c 51 5a 58 70 64 4b 4f 51 35 31 7a 6a 54 56 62 30 31 43 36 6d 46 51 48 4b 64 6f 6d 57 70 6b 6b 75 39 38 31 4b 6b 6e 75 62 42 42 5a 45 35 77 4f 76 6e 39 66 34 53 6e 44 72 2b 50 32 78 2f 61 7a 6f 32 50 6c 39 35 59 61 62 47 55 71 65 30 36 56 4c 32 6e 58 76 62 66 69 48 75 6b 49 41 52 79 45 77 54 2b 2f 42 63 6f 2f 4c 2b 73 70 6b 6b 7a 51 77 79 6f 73 70 47 78 38 41 4e 52 4d 49 76 48 7a 70 34 47 4f 72 34 42 6d 49 34 4d 44 32 76 4e 57 5a 6e 42 72 6a 55 78 30 41 51 58 57 39 67 67 62 54 37 79 6b 2f 35 39 6d 55 50 33 79 49 4b 58 77 6d 58 63 4f 65 4b 52 30 65 59 53 66 36 4b 31 66 67 76 79 69 5a 59 4b 76 78 71 56 76 49 57 4b 77 6f 6f 67 35 67 75 56 6f 51 61 4d 43 42 4e 45 56 4a 6d 38 58 33 54 61 5a 63 44 57 4d 66 67 6d 36 34 73 30 6e 50 72 4a 73 76 31 2b 4b 4f 42 4d 6d 6a 67 31 34 77 36 6f 31 46 33 67 79 6e 45 4d 43 49 6d 73 54 4e 5a 5a 38 34 64 4b 38 42 4e 4b 4b 77 33 38 42 2f 38 52 77 65 4c 48 4d 6a 38 72 34 70 57 66 57 68 79 55 58 47 69 44 67 6f 41 44 49 74 33 6d 61 34 45 37 76 6c 51 56 4e 6a 30 46 6d 76 62 6d 49 70 79 59 67 65 75 65 45 2b 6c 7a 42 32 54 37 34 49 7a 52 45 68 57 55 62 7a 57 75 4d 66 39 45 62 52 38 4a 47 34 73 77 39 4e 6d 62 70 68 6b 72 51 77 3d 3d 0a 78 2d 61 6d 7a 2d 73 6f 75 72 63 65 2d 61 63 63 6f 75 6e 74 3a 33 37 34 34 35 33 39 31 30 31 34 33 0a 78 2d 61 6d 7a 2d 73 6f 75 72 63 65 2d 61 72 6e 3a 61 72 6e 3a 61 77 73 3a 63 6c 6f 75 64 66 72 6f 6e 74 3a 3a 33 37 34 34 35 33 39 31 30 31 34 33 3a 64 69 73 74 72 69 62 75 74 69 6f 6e 2f 45 33 35 58 42 59 58 5a 44 4b 56 34 53 53 0a 0a 68 6f 73 74 3b 78 2d 61 6d 7a 2d 63 6f 6e 74 65 6e 74 2d 73 68 61 32 35 36 3b 78 2d 61 6d 7a 2d 64 61 74 65 3b 78 2d 61 6d 7a 2d 73 65 63 75 72 69 74 79 2d 74 6f 6b 65 6e 3b 78 2d 61 6d 7a 2d 73 6f 75 72 63 65 2d 61 63 63 6f 75 6e 74 3b 78 2d 61 6d 7a 2d 73 6f 75 72 63 65 2d 61 72 6e 0a 65 33 62 30 63 34 34 32 39 38 66 63 31 63 31 34 39 61 66 62 66 34 63 38 39 39 36 66 62 39 32 34 32 37 61 65 34 31 65 34 36 34 39 62 39 33 34 63 61 34 39 35 39 39 31 62 37 38 35 32 62 38 35 35</CanonicalRequestBytes>
<RequestId>PRM1GCD8SDC238HH</RequestId>
<HostId>juMFHQDRE2n/XXxH7L8GrVb68EYF1+EMM7tVvCo9AcwmYgpSWtNAVj1QKgDW0A084ttTbKrCU2k=</HostId>
</Error>

any idea?

thanks, Roberto

Accepted Answer

What request policy do you use in your cloudfront distrobution?
Have you tested with the. "CORS-S3Origin" policy?

Answer

I was using "allviewer", hoping it was the more generic, using the one you suggested it works.

thank you very much

How do I use my CloudFront distribution to restrict access to an Amazon S3 bucket?

Relevanter Inhalt