Cloudfront Distributions - General "The security token included in the request is invalid"
Hi, last friday, out of nowhere i got an alert "The security token included in the request is invalid". The alert showed just below Custom SSL certificate - optional in each one out of 6 distributions. I did nothing new and have no theory where this came from.
- i do not have MFA enabled and I am logged in with the root user. There is only one Identity with permission only for route 53.
- I immediately changed the root user password.
- I contacted AWS support and they told me that out of paid support they can only advise me to go through these guides
https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/using-https-viewers-to-cloudfront.html https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/cnames-and-https-requirements.html
there is nothing inside those articles which i changed or which i can suspect
- All cloudfront distributions are connected on port 443 to the origin
- All "Viewer protocol policy" is Redirect HTTP to HTTPS
- Cache policies are Managed-CachingDisabled or Managed-CachingOptimized
- Origin request policies are Managed-AllViewer
- Protocols are HTTPS only
- I use 2 simple coudfront functions for a long time
Pls take a look at the image and if anyone has any idea what could trigger that or at least where i should dig, pls give me a hint.
- Newest
- Most votes
- Most comments
Hello.
Is the IAM user performing that operation?
If you are operating as an IAM user, there is a possibility that the policy is insufficient.
Furthermore, even if you are using the root user, such an error may occur if operations are restricted by Organizations SCP, etc.
https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html
Hi, bgbs. Do you use IaC for provisioning certificates and provisioning of CloudFront like Terraform or Cloudfromation?
No, Cloudfront Distributiuons are manually provisioned via the admin panel with the root user. I have 1 IAM user with permission AmazonRoute53FullAccess which i use to issue Let's Encrypt SSL with 3rd party service, where i add the Access key and Secret of this IAM user. That Access Key was created 55 days ago.
Thanks for your answer. Could you please confirm that the certificate is still valid and not expired?
The error shows in all distributions i have, and even when i start creating a new distribution, before even deploying it All SSL certificates are valid. Expiring at the end of next year.
This is clearly a bug but Amazon don't appear to have a feedback page. I worked around it using help from this page Update cloudfront configuration using awscli https://stackoverflow.com/a/66960593
Relevant content
- Accepted Answerasked 6 months ago
- asked 2 years ago
AWS OFFICIALUpdated a year ago
Hi,
No, as i explained the Root user is performing. IAM user only has AmazonRoute53FullAccess Permissions and Console Access disabled. IAM user is only used for dns-01 let's encrypt validation.