CloudFront with S3 as Origin, returns 403 "ACCESS DENIED ERROR" due to x-cache: error from cloudfront.

0

I started seeing this error since last week all of a sudden, there were no changes to s3 / cloudfront during those days. My current configuration was Cloudfront has CachingDisabled ploicy, with no origin request policy or response headers policy. This is impacting lot of our customer and there is no way to debug or stop it./

Below are the headers from cloudfront.

HTTP/2 403 
server: CloudFront
date: Mon, 25 Mar 2024 07:48:12 GMT
content-type: text/xml
content-length: 110
x-cache: Error from cloudfront
via: 1.1 d0db1065eb8a09f607de4e7482262666.cloudfront.net (CloudFront)
x-amz-cf-pop: MAA50-P1
x-amz-cf-id: pJ8lUlC6rZeNBdyR-TAh4nsjW0qapK3kzX5SVNj-Y804_cAlwbVICw==
X-Firefox-Spdy: h2
  • What is the actual response content from CloudFront? A 403 error indicates either CloudFront doesn't have permission to the S3 bucket, or the viewer hasn't presented a signed request/cookie to CloudFront where 'Restrict Viewer Access' is being used

  • This is the response from cloudfront. They have signed cookies and they were present during the request.

    <?xml version="1.0" encoding="UTF-8"?><Error><Code>AccessDenied</Code><Message>Access denied</Message></Error>
3 Answers
3
Accepted Answer

Based on your answer to the question on the comment:

They have signed cookies and they were present during the request.

I believe you're using CloudFront signed cookies [1]. Some very common scenario for getting a 403 from CloudFront while using signed cookies is due to a wrong policy, this can be usually be:

  1. The protocol or resource on the cookie policy is not right/does not match - e.g. you create a signed cookie with a policy to allow the resource: https://domain.com/myfile.jpg, however the file being requested is https://domain.com/other-file.jpg, this will cause CloudFront to not allow the request - I would recommend to check the protocol (http Vs https) and/or resource on the policy Vs the actual file being requested (myfile.jpg Vs other-file.jpg or if using wildcards folder/* Vs other-folder/*).
  2. Expiration - The expiration set on the cookie policy is now expired and so CloudFront will reject the request - Check the CloudFront-Expires= on the cookie or the DateLessThan on the policy.
  3. If other conditions are used on the cookie policy, like IPaddress, DateGreaterThan, [2] this can also cause CloudFront to reject the request if the IP set on the policy is different from the one used or if the time set to when the cookie starts to be valid have not yet arrived. This is common when you make a cookie to be valid only 1second after it was generated, but the request is still made within the same second the cookie was set.

[1] - https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-signed-cookies.html

[2] - https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-setting-signed-cookie-custom-policy.html#private-content-custom-policy-statement-cookies-values

AWS
answered 7 months ago
profile picture
EXPERT
reviewed 4 months ago
0

So based on your answer to the comment by Paul_L, you are using signed URLs to CloudFront that you pass to an S3 origin.

If this is the case - then you need to check your CloudTrail and your S3 bucket logs and see why the credentials that your client used to generate the Signed URL is unable to access the S3 bucket.

Refer to using private content with CloudFront: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-signed-urls.html

AWS
EXPERT
answered 7 months ago
profile picture
EXPERT
reviewed 7 months ago
0

Thank you all for quick response, finally I was able to understand whats causing the problem. Yes, its the cookies but I have signed cookies different for each page, one of parents page cookies are taking precedence to the child page, so its causing the cloudfront to fail. I added stricter path for the cookies, now seems fine.

Sateesh
answered 6 months ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions