CloudFront Distribution S3 AccessDenied

0

I created a CloudFront distribution and an AWS certificate, then connected an S3 bucket .gz file that serves as an application container; however, when I tried to access the application, it threw an AccessDenied exception:

<Error>
  <Code>AccessDenied</Code>
  <Message>Access Denied</Message>
  <RequestId>Q6J6B3V91X81WF49</RequestId>
  <HostId>fdghjgklj;lkjhgsrhtjykkfkykyrkykkkktkdkjdjthherthwr3rw3</HostId>
</Error>
asked 8 months ago, 277 views
3 Answers
0

Hello.
Do you mean using S3 as the CloudFront origin?
In that case, a possible cause of the access denial is that the S3 bucket policy is not set correctly.
Try updating the bucket policy with the OAC settings described in the following document.
https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-restricting-access-to-s3.html
The bucket policy allowing reads is as follows.

{
    "Version": "2012-10-17",
    "Statement": {
        "Sid": "AllowCloudFrontServicePrincipalReadOnly",
        "Effect": "Allow",
        "Principal": {
            "Service": "cloudfront.amazonaws.com"
        },
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::<S3 bucket name>/*",
        "Condition": {
            "StringEquals": {
                "AWS:SourceArn": "arn:aws:cloudfront::<AWS account ID>:distribution/<CloudFront distribution ID>"
            }
        }
    }
}

Also, if S3 is encrypted with KMS, the KMS key policy must be updated.

{
    "Sid": "AllowCloudFrontServicePrincipalSSE-KMS",
    "Effect": "Allow",
    "Principal": {
        "AWS": "arn:aws:iam::<AWS account ID>:root",
        "Service": "cloudfront.amazonaws.com"
    },
    "Action": [
        "kms:Decrypt",
        "kms:Encrypt",
        "kms:GenerateDataKey*"
    ],
    "Resource": "*",
    "Condition": {
        "StringEquals": {
            "AWS:SourceArn": "arn:aws:cloudfront::<AWS account ID>:distribution/<CloudFront distribution ID>"
        }
    }
}
EXPERT
answered 8 months ago
AWS EXPERT
reviewed 8 months ago
  • How do you access S3 from ECS? Also, since the object is ".gz", does that mean it is a gzip-compressed file? How is your S3 bucket policy set up?

  • Hello,

    I am having a problem with my CloudFront as I'm also getting an AccessDenied.

    I have set up everything as you said, following the documentation here https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-restricting-access-to-s3.html but I am still getting an error:

    <Error>
    <Code>AccessDenied</Code>
    <Message>
    User: arn:aws:sts::856369053181:assumed-role/OriginAccessControlRole/OriginAccessSession is not authorized to perform: kms:Decrypt on the resource associated with this ciphertext because the resource does not exist in this Region, no resource-based policies allow access, or a resource-based policy explicitly denies access
    </Message>
    <RequestId>xxxxxxx</RequestId>
    <HostId>
    xxxxxxxx
    </HostId>
    </Error>

    I think this is because my KMS key is not in the same account as my CloudFront distribution. Is that possible?
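Both errors in this thread come down to one of the two policies in the answer above: the first is a bucket policy that does not match the distribution, the second is a KMS key policy that was never updated for the OAC service principal. The following is an added example, not code from the re:Post thread or from AWS: an offline Python checker that evaluates, for the part of IAM semantics that matters here (the cloudfront.amazonaws.com service principal, action, resource, the AWS:SourceArn condition, and explicit Deny), whether a given bucket policy and KMS key policy would let a given distribution read an object. The account ID, distribution ID, bucket name, key ARN and the sample policies are constructed; SCPs, object ACLs and Block Public Access are not modelled.

```python
"""Offline checker for the two policies an S3 origin behind CloudFront OAC needs.

Constructed example (not from the re:Post answer or from AWS). It models only
the part of IAM evaluation relevant to this AccessDenied: an Allow for the
cloudfront.amazonaws.com service principal, a matching action and resource,
an AWS:SourceArn condition naming the distribution, and explicit Deny.
"""
import fnmatch

CLOUDFRONT = "cloudfront.amazonaws.com"
ACCOUNT = "123456789012"  # constructed account ID
DIST_ARN = f"arn:aws:cloudfront::{ACCOUNT}:distribution/E1EXAMPLEDIST"  # constructed
BUCKET = "example-app-bucket"  # constructed
KEY_ARN = f"arn:aws:kms:us-east-1:{ACCOUNT}:key/11111111-2222-3333-4444-555555555555"  # constructed


def _as_list(value):
    """IAM allows most fields as a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_matches(principal):
    """True if the statement applies to the CloudFront service principal."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return CLOUDFRONT in _as_list(principal.get("Service"))
    return False


def _source_arn_ok(condition, dist_arn):
    """Check the AWS:SourceArn condition against the distribution ARN."""
    if not condition:
        # Legal but too broad: any distribution in any account could read.
        return True, "no SourceArn condition (grants every CloudFront distribution)"
    for op, keys in condition.items():
        if op.lower() not in ("stringequals", "stringlike", "arnequals", "arnlike"):
            return False, f"unsupported condition operator {op}"
        for key, values in keys.items():
            if key.lower() != "aws:sourcearn":
                return False, f"unexpected condition key {key}"
            if not any(fnmatch.fnmatchcase(dist_arn, v) for v in _as_list(values)):
                return False, f"SourceArn {values} does not match {dist_arn}"
    return True, "SourceArn condition matches the distribution"


def check_access(policy, action, resource_arn, dist_arn):
    """Return (allowed, reason) for CloudFront, acting for dist_arn, doing action on resource_arn."""
    allowed, reason = False, f"no statement allows {action} for {CLOUDFRONT}"
    for st in _as_list(policy.get("Statement")):  # "Statement" may be an object or a list
        sid = st.get("Sid", "<no Sid>")
        if not _principal_matches(st.get("Principal")):
            continue
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(st.get("Action"))):
            continue
        if not any(fnmatch.fnmatchcase(resource_arn, r) for r in _as_list(st.get("Resource"))):
            continue
        ok, why = _source_arn_ok(st.get("Condition"), dist_arn)
        if not ok:
            reason = f"statement {sid}: {why}"
            continue
        if st.get("Effect") == "Deny":
            return False, f"explicit Deny in statement {sid}"  # Deny always wins
        allowed, reason = True, f"allowed by statement {sid} ({why})"
    return allowed, reason


def oac_bucket_policy(bucket, dist_arn):
    """The read-only bucket policy from the answer, placeholders filled in."""
    return {"Version": "2012-10-17", "Statement": {
        "Sid": "AllowCloudFrontServicePrincipalReadOnly", "Effect": "Allow",
        "Principal": {"Service": CLOUDFRONT}, "Action": "s3:GetObject",
        "Resource": f"arn:aws:s3:::{bucket}/*",
        "Condition": {"StringEquals": {"AWS:SourceArn": dist_arn}}}}


def oac_key_policy(account, dist_arn):
    """Default root statement plus the SSE-KMS statement from the answer."""
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
         "Principal": {"AWS": f"arn:aws:iam::{account}:root"},
         "Action": "kms:*", "Resource": "*"},
        {"Sid": "AllowCloudFrontServicePrincipalSSE-KMS", "Effect": "Allow",
         "Principal": {"Service": CLOUDFRONT},
         "Action": ["kms:Decrypt", "kms:Encrypt", "kms:GenerateDataKey*"],
         "Resource": "*",
         "Condition": {"StringEquals": {"AWS:SourceArn": dist_arn}}}]}


# Two constructed failure cases: a bucket policy copied from another distribution
# (wrong SourceArn), and a key policy that still has only the default root statement.
STALE_POLICY = oac_bucket_policy(BUCKET, DIST_ARN.replace("E1EXAMPLEDIST", "E2OLDDIST"))
ROOT_ONLY_KEY_POLICY = {"Version": "2012-10-17",
                        "Statement": oac_key_policy(ACCOUNT, DIST_ARN)["Statement"][:1]}


def check_origin(bucket_policy, key_policy, bucket, key, dist_arn, key_arn=KEY_ARN):
    """Both checks for one object; pass key_policy=None for an SSE-S3 bucket."""
    out = {"s3:GetObject": check_access(bucket_policy, "s3:GetObject",
                                        f"arn:aws:s3:::{bucket}/{key}", dist_arn)}
    if key_policy is not None:
        out["kms:Decrypt"] = check_access(key_policy, "kms:Decrypt", key_arn, dist_arn)
    return out


if __name__ == "__main__":
    cases = [("correct", oac_bucket_policy(BUCKET, DIST_ARN), oac_key_policy(ACCOUNT, DIST_ARN)),
             ("stale SourceArn", STALE_POLICY, None),
             ("key policy not updated", oac_bucket_policy(BUCKET, DIST_ARN), ROOT_ONLY_KEY_POLICY)]
    for name, bp, kp in cases:
        for perm, (ok, why) in check_origin(bp, kp, BUCKET, "app-image.gz", DIST_ARN).items():
            print(f"{name:24} {perm:13} {'ALLOW' if ok else 'DENY':5} {why}")
```

Run it against the JSON you actually have deployed (`aws s3api get-bucket-policy` and `aws kms get-key-policy` both return the policy document as a string that `json.loads` accepts) and compare the reason it prints with the message in the CloudFront error: a bucket policy that names a different distribution ARN reproduces the first error in this thread, and a key policy with no cloudfront.amazonaws.com statement reproduces the kms:Decrypt one.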

0

Thank you for your response.

I can access .jpg and .html files, but not the .gz image file, which is the application image file, referring to ECS.

answered 8 months ago
0

[image]

[image]

answered 8 months ago
