- Newest
- Most votes
- Most comments
Troubleshoot the issue using "curl" and pay attention to the errors and response headers which can point you in the right direction.
Which URL are you trying to load when you're getting the 403 response? CloudFront will only append the default object's name, index.html
in your case, to the root URL /
and not to other URLs. If you try to load https://example.com/folder/
, CloudFront will request the object folder/
from the S3 bucket (with the trailing slash included and without a leading slash) instead of folder/index.html
, for example. If there's no object in the bucket with the key folder/
, you'll get a 403 response, but https://example.com/folder/logo.png
would work fine, if the object folder/logo.png
(without a leading slash) exists.
If you need to append a static filename, like index.html
, to URLs ending in a forward slash /
, you can attach a CloudFront Function like shown in this documentation article: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/example_cloudfront_functions_url_rewrite_single_page_apps_section.html to the viewer request event of the cache behaviour.
I have tried accessing the website through different URLs:
A record URL (e.g., website.com) CloudFront distribution domain name (e.g., c2n01zppaosal.cloudfront.net) S3 object URL directly (e.g., https://s3.amazonaws.com/website.com/index.html)
S3 Bucket Structure: All my objects (like index.html) are directly placed in the root of the S3 bucket, not inside any folder. I do not have directories like /folder/. The objects are listed as files at the root of the S3 bucket.
Based on the information provided, there are a few potential issues that could be causing the Access Denied error:
-
S3 Static Website Hosting: Since you've disabled static website hosting on your S3 bucket, you need to ensure that CloudFront is configured to use the S3 REST API endpoint, not the website endpoint. Your Origin Domain should be in the format "bucket-name.s3.amazonaws.com" instead of "bucket-name.s3.region.amazonaws.com".
-
Default Root Object: With static website hosting disabled, CloudFront may not be able to serve the default root object (index.html) for subdirectories. You might need to implement a CloudFront function to append "index.html" to requests for directories.
-
S3 Bucket Policy: Your bucket policy looks correct, but ensure that the AWS account ID and distribution ID in the SourceArn condition are accurate.
-
CloudFront Cache Behavior: Verify that your cache behavior is correctly set up to forward all headers to the origin. This is important for OAC to work properly.
-
CloudFront and S3 Region: Make sure your CloudFront distribution and S3 bucket are in the same region.
-
ACM Certificate: The difference in CNAME records between ACM and Route 53 is normal. The ACM CNAME is for certificate validation, while the Route 53 CNAME is for domain routing.
To troubleshoot:
- Double-check all IDs and ARNs in your configurations.
- Verify that the CloudFront distribution status is "Deployed".
- Try accessing your content directly through the CloudFront URL (d1234abcd.cloudfront.net) to isolate any DNS issues.
- Check CloudFront logs and S3 server access logs for more detailed error information.
- Ensure that the objects in your S3 bucket have the correct permissions for CloudFront to access them.
If the issue persists, you may need to implement a CloudFront function to handle directory indexes, or consider re-enabling static website hosting on your S3 bucket if that aligns with your use case.
Sources
Troubleshooting distribution issues - Amazon CloudFront
S3/Cloudfront & OAC: Access denied when accessing path other than index site | AWS re:Post
S3OriginConfig - Amazon CloudFront
Relevant content
- Accepted Answerasked 3 years ago
- Accepted Answerasked 3 years ago
- asked 2 years ago
- AWS OFFICIALUpdated 9 months ago
- AWS OFFICIALUpdated 6 months ago
- AWS OFFICIALUpdated 5 months ago
- AWS OFFICIALUpdated 2 months ago
After running the curl command, I received the following response:
HTTP/2 403
content-type: application/xml
server: AmazonS3
date: Thu, 07 Nov 2024 20:58:59 GMT
x-cache: Error from cloudfront
via: 1.1 489a041d823cabe2677a196c3bc58162.cloudfront.net (CloudFront)
x-amz-cf-pop: IAD89-C1
x-amz-cf-id: BqTPvfnTwX9UA3o-rk8sWf6MnTkf-rfT4RnzaHb4nbezuI0m_4GeJQ==
Given the response, I would assume this is related to an S3 permissions issue. However, as mentioned in my original message, I followed the recommended best practices for configuration. Unless there is something I'm overlooking or doing incorrectly, I’m not sure what’s causing this.