I'm using CloudFront with an Amazon S3 origin. Why am I not able to access my files?


I'm using an Amazon Simple Storage Service (Amazon S3) bucket as the origin of my Amazon CloudFront distribution, but I’m not able to access or download files in my S3 bucket. How can I troubleshoot this issue?


Troubleshoot 403 Access Denied errors

If CloudFront returns 403 Access Denied errors, then see the following guides based on your use case:

Check your CloudFront geographic restrictions

If your distribution is using geographic restrictions, verify that you’re not restricting the countries that your requests are originating from.

For more information, see Restricting the geographic distribution of your content.

Verify that you’re not enforcing HTTPS with an S3 website endpoint

Amazon S3 website endpoints don't support HTTPS. If you configured a CloudFront distribution with the CLI, API, or SDK, verify that you aren’t enforcing HTTPS with your S3 website endpoint origin.

To check if you’re using HTTPS, use the GetDistributionConfig API or get-distribution-config CLI command to get the distribution configuration. If the OriginProtocolPolicy is set to https-only, then modify the OriginProtocolPolicy to use http-only.

To use HTTPS, use CloudFront with an S3 REST API endpoint origin. For more information, see How do I use CloudFront to serve HTTPS requests for my Amazon S3 bucket?

Confirm that your S3 objects are under 30 GB

The maximum allowed file size for HTTP GET, POST, and PUT requests is 30 GB. If a file is larger than 30 GB, you receive a 400 "BadRequest" error.

For more information, see General quotas on distributions.

Check for special characters in S3 object key names

If you're using special characters in your S3 object key name, they might require special handling. For more information, see Object key naming guidelines.

Confirm that you're not using default root objects from a subdirectory

A CloudFront distribution doesn’t return default root objects from a subdirectory, even if the object is configured in your distribution. For more information, see Specifying a default root object.

As a workaround, you can use Lambda@Edge to return the default root object from a subdirectory. For more information, see Implementing default directory indexes in Amazon S3-backed Amazon CloudFront origins using Lambda@Edge.

Confirm that you're not using host headers with an S3 origin

For Amazon S3 origins, caching based on the Host header or forwarding the Host header isn't supported. For more information, see Selecting the headers to base caching on.
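
An offline check for the OriginProtocolPolicy and Host header conditions described above, as an added example that is not AWS's own code. It reads a response saved from get-distribution-config; the function name audit_distribution, the finding strings, and the sample bucket and origin IDs are assumptions made for illustration, and the Host check covers only legacy ForwardedValues settings.

```python
import json
import re

# S3 website endpoints: <bucket>.s3-website-<region>.amazonaws.com or
# <bucket>.s3-website.<region>.amazonaws.com
WEBSITE_ENDPOINT = re.compile(r"\.s3-website[.-][a-z0-9-]+\.amazonaws\.com(\.cn)?$")

def audit_distribution(response):
    """Return (origin_id, finding) pairs for a get-distribution-config response."""
    config = response["DistributionConfig"]
    findings, s3_origin_ids = [], set()
    for origin in config["Origins"].get("Items", []):
        is_website = bool(WEBSITE_ENDPOINT.search(origin["DomainName"]))
        if is_website or "S3OriginConfig" in origin:
            s3_origin_ids.add(origin["Id"])
        policy = origin.get("CustomOriginConfig", {}).get("OriginProtocolPolicy")
        if is_website and policy == "https-only":
            findings.append((origin["Id"], "website endpoint origin uses https-only"))
    # Only legacy ForwardedValues is visible here; headers chosen through a cache
    # policy or origin request policy are stored in a separate resource.
    behaviors = [config["DefaultCacheBehavior"]]
    behaviors += config.get("CacheBehaviors", {}).get("Items", [])
    for behavior in behaviors:
        headers = behavior.get("ForwardedValues", {}).get("Headers", {}).get("Items", [])
        # "*" forwards every viewer header, Host included
        forwards_host = any(h.lower() in ("host", "*") for h in headers)
        if forwards_host and behavior["TargetOriginId"] in s3_origin_ids:
            findings.append((behavior["TargetOriginId"], "Host header forwarded to S3 origin"))
    return findings

# Constructed sample in the shape of `aws cloudfront get-distribution-config` output
SAMPLE = json.loads("""
{"ETag": "EXAMPLE", "DistributionConfig": {
  "Origins": {"Quantity": 2, "Items": [
    {"Id": "site", "DomainName": "example-bucket.s3-website-us-east-1.amazonaws.com",
     "CustomOriginConfig": {"HTTPPort": 80, "HTTPSPort": 443,
                            "OriginProtocolPolicy": "https-only"}},
    {"Id": "assets", "DomainName": "example-bucket.s3.us-east-1.amazonaws.com",
     "S3OriginConfig": {"OriginAccessIdentity": ""}}]},
  "DefaultCacheBehavior": {"TargetOriginId": "site",
                           "ForwardedValues": {"Headers": {"Quantity": 0}}},
  "CacheBehaviors": {"Quantity": 1, "Items": [
    {"PathPattern": "/assets/*", "TargetOriginId": "assets",
     "ForwardedValues": {"Headers": {"Quantity": 1, "Items": ["Host"]}}}]}}}
""")

if __name__ == "__main__":
    for origin_id, finding in audit_distribution(SAMPLE):
        print(f"{origin_id}: {finding}")
```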

Troubleshoot the "No 'Access-Control-Allow-Origin' header is present on the requested resource" error

See the resolution steps in How do I resolve the "No 'Access-Control-Allow-Origin' header is present on the requested resource" error from CloudFront?

Related information

Troubleshooting error responses from your origin

AWS OFFICIAL | Updated 2 years ago