Access Denied for CloudFront to S3


https://youtu.be/lXgfqOmzuzk?si=_d-3DvKLqPE1tK7w

I'm trying to build a 3-tier architecture for WordPress and CloudFront doesn't work, access was denied. In S3, Server-side encryption with Amazon S3 managed keys (SSE-S3) and the Bucket Key is Enabled.

2 Answers

Check S3 Bucket Policy:

Ensure that your S3 bucket has a bucket policy that allows access to CloudFront. Here's a sample bucket policy for S3 that allows CloudFront access:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "cloudfront.amazonaws.com"
      },
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::your-bucket-name/*",
      "Condition": {
        "StringEquals": {
          "AWS:SourceArn": "arn:aws:cloudfront::your-account-id:distribution/your-distribution-id"
        }
      }
    }
  ]
}

CloudFront Distribution Settings: Make sure that in your CloudFront distribution settings, you have configured the origin to use the S3 bucket correctly. Ensure that Origin Access Control (OAC) or Origin Access Identity (OAI) is enabled so CloudFront can access the S3 bucket. OAC is the more modern approach to secure communication between CloudFront and S3.

answered 2 months ago
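As an added example (not code from either answer or from AWS), the following Python builds the OAC bucket policy in the same shape as the one above and lints an existing policy for the mistakes that produce Access Denied or leave the bucket wider open than intended: no Allow for the CloudFront service principal, a missing or wrong AWS:SourceArn condition, a Resource that does not cover the objects, or a public "Principal": "*" statement. Bucket name, account id and distribution id are parameters; the values used in testing are constructed placeholders.

```python
import json

CF_SERVICE = "cloudfront.amazonaws.com"


def build_oac_policy(bucket, account_id, distribution_id):
    """Bucket policy for an OAC origin: CloudFront service principal, read-only, one distribution."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": CF_SERVICE},
            "Action": "s3:GetObject",
            "Resource": f"arn:aws:s3:::{bucket}/*",
            "Condition": {"StringEquals": {
                "AWS:SourceArn": f"arn:aws:cloudfront::{account_id}:distribution/{distribution_id}",
            }},
        }],
    }


def check_oac_policy(policy, bucket, account_id, distribution_id):
    """Lint a policy (dict or JSON string); returns findings, empty when it looks right for OAC."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    as_list = lambda v: v if isinstance(v, list) else [v]  # Action/Resource may be str or list
    want_arn = f"arn:aws:cloudfront::{account_id}:distribution/{distribution_id}"
    want_res = f"arn:aws:s3:::{bucket}/*"
    findings, cf_stmts = [], []
    for stmt in policy.get("Statement", []):
        principal = stmt.get("Principal", {})
        is_public = principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*")
        if stmt.get("Effect") == "Allow" and is_public:
            findings.append("public Allow statement (Principal '*'): bucket is world-readable")
        if isinstance(principal, dict) and principal.get("Service") == CF_SERVICE:
            cf_stmts.append(stmt)
    if not cf_stmts:
        return findings + ["no Allow for cloudfront.amazonaws.com: CloudFront gets Access Denied"]
    for stmt in cf_stmts:
        if "s3:GetObject" not in as_list(stmt.get("Action", [])):
            findings.append("CloudFront statement lacks s3:GetObject")
        if want_res not in as_list(stmt.get("Resource", [])):
            findings.append(f"Resource does not cover the objects: expected {want_res}")
        # IAM condition keys are case-insensitive, so normalise before looking up AWS:SourceArn
        equals = {k.lower(): v for k, v in stmt.get("Condition", {}).get("StringEquals", {}).items()}
        src = equals.get("aws:sourcearn")
        if src is None:
            findings.append("no AWS:SourceArn condition: any CloudFront distribution could read the bucket")
        elif src != want_arn:
            findings.append(f"AWS:SourceArn is {src}, expected {want_arn}")
    return findings
```

Run the checker against the output of `aws s3api get-bucket-policy` before and after editing the policy; the SourceArn condition is what keeps a distribution in another account from reading your origin.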
Accepted Answer

Hello.

The Access Denied error when using CloudFront with an S3 bucket usually indicates a permissions issue, either with the S3 bucket policy or the object permissions. If you follow the steps below, you can easily resolve it.

Step 1: Attach OAI to CloudFront

  • Go to CloudFront - Select Distribution - Origins.
  • Select your S3 origin - Edit.
  • Set Restrict Bucket Access to Yes and choose Create New OAI - Save.

Step 2: Update S3 Bucket Policy

  • Go to S3 - Bucket - Permissions - Bucket Policy.
  • Add this policy, replacing your-bucket-name and YOUR_OAI_ID.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity YOUR_OAI_ID"
      },
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::your-bucket-name/*"
    }
  ]
}

If you need more information, please go through the documentation.

https://repost.aws/knowledge-center/s3-website-cloudfront-error-403

https://medium.com/@linglijunmail/aws-cloudfront-s3-resolving-access-denied-6aab3f029fb1

answered 2 months ago
