CloudFront Distribution S3 AccessDenied

0

I created a CloudFront distribution and an AWS certificate, then connected an S3 Bucket .gz file that serves as an application container; however, when I tried to access the application, it threw an exception: AccessDenied

<Error>
<Code>AccessDenied</Code>
<Message>Access Denied</Message>
<RequestId>Q6J6B3V91X81WF49</RequestId>
<HostId>fdghjgklj;lkjhgsrhtjykkfkykyrkykkkktkdkjdjthherthwr3rw3</HostId>
</Error>
asked 9 months ago, 306 views
3 answers
0

Hello.
Do you mean using S3 as the CloudFront origin?
In such cases, a possible cause of access denial is that the S3 bucket policy is not set correctly.
Try updating the bucket policy by setting the OAC described in the following document.
https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-restricting-access-to-s3.html
The bucket policy allowing reads is as follows.

{
    "Version": "2012-10-17",
    "Statement": {
        "Sid": "AllowCloudFrontServicePrincipalReadOnly",
        "Effect": "Allow",
        "Principal": {
            "Service": "cloudfront.amazonaws.com"
        },
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::<S3 bucket name>/*",
        "Condition": {
            "StringEquals": {
                "AWS:SourceArn": "arn:aws:cloudfront::<AWS account ID>:distribution/<CloudFront distribution ID>"
            }
        }
    }
}

Also, if S3 is encrypted with KMS, the KMS key policy must be updated.

{
    "Sid": "AllowCloudFrontServicePrincipalSSE-KMS",
    "Effect": "Allow",
    "Principal": {
        "AWS": "arn:aws:iam::<AWS account ID>:root",
        "Service": "cloudfront.amazonaws.com"
    },
    "Action": [
        "kms:Decrypt",
        "kms:Encrypt",
        "kms:GenerateDataKey*"
    ],
    "Resource": "*",
    "Condition": {
        "StringEquals": {
            "AWS:SourceArn": "arn:aws:cloudfront::<AWS account ID>:distribution/<CloudFront distribution ID>"
        }
    }
}
EXPERT
answered 9 months ago
AWS EXPERT
reviewed 9 months ago
  • How do you access S3 from ECS? Also, since the object is ".gz", does that mean it is a gzip compressed file? How do you set up your S3 bucket policy?

  • Hello,

    I am having a problem with my CloudFront as I'm also getting an AccessDenied.

    I have set up everything like you said, following the documentation here: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-restricting-access-to-s3.html But I am still getting an error:

    <Error>
    <Code>AccessDenied</Code>
    <Message>
    User: arn:aws:sts::856369053181:assumed-role/OriginAccessControlRole/OriginAccessSession is not authorized to perform: kms:Decrypt on the resource associated with this ciphertext because the resource does not exist in this Region, no resource-based policies allow access, or a resource-based policy explicitly denies access
    </Message>
    <RequestId>xxxxxxx</RequestId>
    <HostId>
    xxxxxxxx
    </HostId>
    </Error>

    I think this is because my KMS key is not in the same account as my CloudFront distribution. Is it possible?
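As an added check (this script is not part of the original answer; the bucket name and distribution ARN below are constructed placeholders), the following Python builds the OAC bucket policy from the answer above and audits an existing bucket policy for the two causes of this AccessDenied or of an over-broad grant: no read grant for cloudfront.amazonaws.com on the bucket's objects, and a missing or mismatched AWS:SourceArn condition. It also accepts the single-object "Statement" form used in the answer and flags a public principal.

```python
import json

# Constructed placeholder values; not taken from the original post.
DIST_ARN = "arn:aws:cloudfront::123456789012:distribution/EXAMPLEDISTID"
BUCKET = "example-app-bucket"


def _as_list(v):
    return v if isinstance(v, list) else [v]


def oac_bucket_policy(bucket, dist_arn):
    """Build the read-only OAC bucket policy shown in the answer above."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "AllowCloudFrontServicePrincipalReadOnly",
        "Effect": "Allow",
        "Principal": {"Service": "cloudfront.amazonaws.com"},
        "Action": "s3:GetObject",
        "Resource": f"arn:aws:s3:::{bucket}/*",
        "Condition": {"StringEquals": {"AWS:SourceArn": dist_arn}}}]}


def audit_bucket_policy(policy, bucket, dist_arn):
    """Explain an OAC AccessDenied (no read grant for CloudFront) or an
    over-broad grant. Accepts a dict or JSON text; empty list means OK."""
    policy = json.loads(policy) if isinstance(policy, str) else policy
    objects_arn, findings, grants = f"arn:aws:s3:::{bucket}/*", [], 0
    for st in _as_list(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        pr = st.get("Principal", {})
        if pr == "*" or (isinstance(pr, dict) and pr.get("AWS") == "*"):
            findings.append("public principal: objects readable by anyone")
            grants += 1
            continue
        services = _as_list(pr.get("Service", [])) if isinstance(pr, dict) else []
        if ("cloudfront.amazonaws.com" not in services
                or not any(a in ("s3:GetObject", "s3:*") for a in _as_list(st.get("Action", [])))
                or not any(r in (objects_arn, "*") for r in _as_list(st.get("Resource", [])))):
            continue
        grants += 1
        # Condition keys are case-insensitive; the answer writes AWS:SourceArn.
        cond = st.get("Condition", {}).get("StringEquals", {})
        source = next((v for k, v in cond.items() if k.lower() == "aws:sourcearn"), None)
        if source is None:
            findings.append("no AWS:SourceArn condition: any CloudFront distribution in any account can read")
        elif source != dist_arn:
            findings.append(f"AWS:SourceArn is {source}, not this distribution")
    if grants == 0:
        findings.append("no statement lets cloudfront.amazonaws.com read bucket objects (expected OAC AccessDenied)")
    return findings
```

Feed it the output of `aws s3api get-bucket-policy --query Policy --output text` for the origin bucket together with the distribution ARN from the CloudFront console.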

0

Thank you for your response.

I can access .jpg and .html files, but not the .gz image file, which is the application image file (referring to ECS).

answered 9 months ago
0

[screenshot, not reproduced]

[screenshot, not reproduced]

answered 9 months ago
