Request for Help: Access Denied Error with CloudFront and S3 Bucket Policy

0

I’m encountering an Access Denied error when trying to access my static website via CloudFront, which uses an S3 bucket as the origin. Below is a detailed summary of my setup, including CloudFront, Route 53, ACM, and S3 bucket settings.

S3 Bucket Configuration

  • Static Website Hosting: Disabled.
  • Block Public Access: The S3 bucket is configured to "Block all public access."
  • Bucket Policy: I’ve copied the bucket policy generated by CloudFront’s Origin Access Control (OAC) into the S3 bucket’s policy section.
  • Object Ownership: Set to Bucket Owner Enforced.
  • ACL: Set to Default.
  • CORS: Set to Default.

CloudFront Distribution Configuration General Settings

  • Price Class: Set to "Use all edge locations."
  • Alternate Domain Name (CNAME): Set to mywebsite.com (matching the S3 bucket).
  • SSL Certificate: Using a custom SSL certificate from ACM for the domain.
  • Security Policy: Set to the recommended default setting.
  • HTTP Versions: Set to HTTP/2.
  • Default Root Object: index.html.
  • Standard Logging: Disabled.
  • IPv6: Enabled.

Origin Settings

  • Origin Domain: mywebsite.com.s3.us-east-1.amazonaws.com (S3 bucket).
  • Origin Access Control: Set to OAC, with the S3 bucket selected as the origin.
  • Origin Shield: Disabled.
  • Custom Headers: None.

CloudFront Behavior Settings

  • Path Pattern: Set to Default.
  • Origin: Set to the S3 bucket: mywebsite.com.s3.us-east-1.amazonaws.com.
  • Compress Objects Automatically: Set to Yes.
  • Viewer Protocol Policy: Set to HTTPS Only.
  • Allowed HTTP Methods: Set to GET, HEAD.
  • Restrict Viewer Access: Set to No.
  • Cache Key and Origin Request Policy: Set to CachingOptimized.
  • All other settings are left at their default values.

S3 Bucket Policy Here is the bucket policy I’ve applied to the S3 bucket (with credentials redacted):

{
    "Version": "2008-10-17",
    "Id": "PolicyForCloudFrontPrivateContent",
    "Statement": [
        {
            "Sid": "AllowCloudFrontServicePrincipal",
            "Effect": "Allow",
            "Principal": {
                "Service": "cloudfront.amazonaws.com"
            },
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::mywebsite.com/*",
            "Condition": {
                "StringEquals": {
                    "AWS:SourceArn": "arn:aws:cloudfront::123456789012:distribution/ABCDEF12345"
                }
            }
        }
    ]
}

Route 53 Configuration Hosted Zone Setup

A Record:

  • Name: Blank subdomain followed by mywebsite.com.
  • Record Type: A.
  • Alias: Set to On.
  • Route Traffic To: Alias to CloudFront distribution, with the correct CloudFront distribution selected.

CNAME Record:

  • Name: www.mywebsite.com.
  • Record Type: CNAME.
  • Value: Set to the CloudFront distribution domain name.
  • Alias: Set to No.
  • TTL: Set to 300.
  • Routing Policy: Set to Simple.

ACM (AWS Certificate Manager) Configuration

  • Certificate Domain: mywebsite.com.
  • Certificate Status: Success.
  • Certificate Type: CNAME.
  • CNAME Name: _abc1234567890abcdef.mywebsite.com.
  • CNAME Value: _def9876543210ghijkl.djqtsrsxkq.acm-validations.aws. These CNAME name and value are different from the ones I created in Route 53 for the domain.
  • Associated Resources: Set to the CloudFront distribution ARN.

Problem: Despite all configurations being set correctly, I am still getting an Access Denied error when trying to access the website via the CloudFront distribution.

Questions:

  1. Could there be a conflict between the CloudFront behavior settings, S3 bucket policy, or Route 53 configuration?
  2. Is there any issue with how the Alias record in Route 53 interacts with the CloudFront distribution?
  3. The CNAME entries under ACM and Route 53 appear different. Could that be causing any issues with validation or routing?
  4. Have I overlooked any critical settings in CloudFront, Route 53, ACM, or the S3 bucket that might be causing this error?
  5. Any help, insights, or troubleshooting steps would be greatly appreciated in resolving this Access Denied issue!

Thanks in advance!

3 Answers
1

Troubleshoot the issue using "curl" and pay attention to the errors and response headers which can point you in the right direction.

AWS
answered a month ago
  • After running the curl command, I received the following response:

    HTTP/2 403
    content-type: application/xml
    server: AmazonS3
    date: Thu, 07 Nov 2024 20:58:59 GMT
    x-cache: Error from cloudfront
    via: 1.1 489a041d823cabe2677a196c3bc58162.cloudfront.net (CloudFront)
    x-amz-cf-pop: IAD89-C1
    x-amz-cf-id: BqTPvfnTwX9UA3o-rk8sWf6MnTkf-rfT4RnzaHb4nbezuI0m_4GeJQ==

    Given the response, I would assume this is related to an S3 permissions issue. However, as mentioned in my original message, I followed the recommended best practices for configuration. Unless there is something I'm overlooking or doing incorrectly, I’m not sure what’s causing this.

1

Which URL are you trying to load when you're getting the 403 response? CloudFront will only append the default object's name, index.html in your case, to the root URL / and not to other URLs. If you try to load https://example.com/folder/, CloudFront will request the object folder/ from the S3 bucket (with the trailing slash included and without a leading slash) instead of folder/index.html, for example. If there's no object in the bucket with the key folder/, you'll get a 403 response, but https://example.com/folder/logo.png would work fine, if the object folder/logo.png (without a leading slash) exists.

If you need to append a static filename, like index.html, to URLs ending in a forward slash /, you can attach a CloudFront Function like shown in this documentation article: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/example_cloudfront_functions_url_rewrite_single_page_apps_section.html to the viewer request event of the cache behaviour.

EXPERT
answered a month ago
  • I have tried accessing the website through different URLs:

    A record URL (e.g., website.com) CloudFront distribution domain name (e.g., c2n01zppaosal.cloudfront.net) S3 object URL directly (e.g., https://s3.amazonaws.com/website.com/index.html)

    S3 Bucket Structure: All my objects (like index.html) are directly placed in the root of the S3 bucket, not inside any folder. I do not have directories like /folder/. The objects are listed as files at the root of the S3 bucket.

0

Based on the information provided, there are a few potential issues that could be causing the Access Denied error:

  1. S3 Static Website Hosting: Since you've disabled static website hosting on your S3 bucket, you need to ensure that CloudFront is configured to use the S3 REST API endpoint, not the website endpoint. Your Origin Domain should be in the format "bucket-name.s3.amazonaws.com" instead of "bucket-name.s3.region.amazonaws.com".

  2. Default Root Object: With static website hosting disabled, CloudFront may not be able to serve the default root object (index.html) for subdirectories. You might need to implement a CloudFront function to append "index.html" to requests for directories.

  3. S3 Bucket Policy: Your bucket policy looks correct, but ensure that the AWS account ID and distribution ID in the SourceArn condition are accurate.

  4. CloudFront Cache Behavior: Verify that your cache behavior is correctly set up to forward all headers to the origin. This is important for OAC to work properly.

  5. CloudFront and S3 Region: Make sure your CloudFront distribution and S3 bucket are in the same region.

  6. ACM Certificate: The difference in CNAME records between ACM and Route 53 is normal. The ACM CNAME is for certificate validation, while the Route 53 CNAME is for domain routing.

To troubleshoot:

  1. Double-check all IDs and ARNs in your configurations.
  2. Verify that the CloudFront distribution status is "Deployed".
  3. Try accessing your content directly through the CloudFront URL (d1234abcd.cloudfront.net) to isolate any DNS issues.
  4. Check CloudFront logs and S3 server access logs for more detailed error information.
  5. Ensure that the objects in your S3 bucket have the correct permissions for CloudFront to access them.

If the issue persists, you may need to implement a CloudFront function to handle directory indexes, or consider re-enabling static website hosting on your S3 bucket if that aligns with your use case.
Sources
Troubleshooting distribution issues - Amazon CloudFront
S3/Cloudfront & OAC: Access denied when accessing path other than index site | AWS re:Post
S3OriginConfig - Amazon CloudFront

profile picture
answered a month ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions