Hosting HTTPS website using S3, ACM and CloudFront


I am trying to host a website using S3, ACM, CloudFront and Route53. I am getting access denied when trying to access it. I have done the following steps based on various AWS documentation, AWS blog posts and re:Post, but nothing helped. Here are the steps:

  1. Created 2 S3 buckets - and Root bucket is redirecting to www and www bucket has the index.html.
  2. Requested an ACM certificate and added both domains to it. Added the corresponding CNAMEs to the hosted zone. Certificate is issued.
  3. Created 2 CloudFront distributions, one for and one for
  4. Config - selected OAC for origin access, updated the bucket policy, redirect HTTP to HTTPS, attached the certificate.
  5. Added an A record for both distributions in the hosted zone.

Did I miss anything?

  • I have tried making the bucket public and its object public (which is not needed in case of CloudFront) but still got the same error.
  • My S3 buckets are SSE-S3 encrypted.
  • Using Static website endpoints
  • no explicit deny bucket policy
  • Bucket and object owned by same account
3 Answers
Accepted Answer
  1. Have you added the Alternative Domain names for your domain to CloudFront's configuration?
  2. Have you added access from CloudFront to the bucket policy?

After Discussion

Your public S3 bucket is not used in this configuration and can be disabled.

Update your Root object on the distro to be index.html

To perform a redirect you would need to use a Lambda@Edge as you're using native S3 origin.

answered 4 months ago
reviewed 4 months ago
  • If you could accept this answer under me.. thanks

  • Thank you very much Niharika

  1. Yes, I have added CNAME to the CloudFront distribution
  2. While creating the distribution and Origin access control settings, I copied the policy from OAC to the bucket. Here is the copy of the policy:

{
  "Version": "2012-10-17",
  "Statement": {
    "Sid": "AllowCloudFrontServicePrincipalReadOnly",
    "Effect": "Allow",
    "Principal": {
      "Service": ""
    },
    "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::<S3 bucket name>/*",
    "Condition": {
      "StringEquals": {
        "AWS:SourceArn": "arn:aws:cloudfront::<AWS account ID>:distribution/<CloudFront distribution ID>"
      }
    }
  }
}

answered 4 months ago
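
Added example, not part of the thread and not AWS tooling: a Python check that a bucket policy of the shape pasted above really grants the CloudFront OAC service principal read access for one distribution, and that the origin is not an S3 static website endpoint, which OAC does not support. The function name, bucket name, account ID, distribution ID and hostnames are constructed placeholders.

```python
import json
import re

OAC_PRINCIPAL = "cloudfront.amazonaws.com"  # service principal used by CloudFront OAC

def _as_list(value):
    """IAM policy JSON accepts a single value wherever a list is allowed."""
    return value if isinstance(value, list) else [value]

def check_oac_setup(policy_json, bucket, distribution_arn, origin_domain):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    # OAC signs requests to the S3 REST endpoint; website endpoints do not support it.
    if re.search(r"\.s3-website[.-]", origin_domain):
        findings.append("origin is an S3 static website endpoint; OAC needs the REST endpoint")
    granted = False
    for st in _as_list(json.loads(policy_json).get("Statement", [])):
        principal = st.get("Principal", {})
        if st.get("Effect") != "Allow":
            findings.append(f"non-Allow statement (Sid={st.get('Sid')}) may override the grant")
            continue
        if principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*"):
            findings.append("wildcard principal allows access that bypasses CloudFront")
            continue
        services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        if OAC_PRINCIPAL not in services:
            continue
        # Only StringEquals is checked, the operator used in the policy above.
        cond = {k.lower(): v for k, v in st.get("Condition", {}).get("StringEquals", {}).items()}
        if distribution_arn not in _as_list(cond.get("aws:sourcearn", [])):
            findings.append("AWS:SourceArn is missing or names a different distribution")
        elif ("s3:GetObject" in _as_list(st.get("Action", []))
              and f"arn:aws:s3:::{bucket}/*" in _as_list(st.get("Resource", []))):
            granted = True
    if not granted:
        findings.append(f"no statement grants {OAC_PRINCIPAL} s3:GetObject on {bucket} for this distribution")
    return findings

# Constructed sample values (placeholders, not taken from the thread).
SAMPLE_ARN = "arn:aws:cloudfront::111122223333:distribution/EXAMPLEDISTID"
SAMPLE_ORIGIN = "www-example-bucket.s3-website-us-east-1.amazonaws.com"
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": {
    "Sid": "AllowCloudFrontServicePrincipalReadOnly", "Effect": "Allow",
    "Principal": {"Service": OAC_PRINCIPAL}, "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::www-example-bucket/*",
    "Condition": {"StringEquals": {"AWS:SourceArn": SAMPLE_ARN}}}})

if __name__ == "__main__":
    print(check_oac_setup(SAMPLE_POLICY, "www-example-bucket", SAMPLE_ARN, SAMPLE_ORIGIN))
```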

One additional piece of information, not sure if it is helpful but thought to share. I have WAF enabled for my distribution and when I look at the 'Requests processed by AWS WAF for this distribution' I can see all the requests as 'allowed request'.

answered 4 months ago
  • I think you're trying to run a web-enabled S3 bucket behind CloudFront, which will not work unless you set up CF like that. Did you see my latest comments? Try your CloudFront URL with index.html i.e.
