Cloud Front Access Denied while try to access application (.gz files)

Question

I saved my application files in.gz format in a subfolder of my S3 bucket, however when I tried to access them from cloud front, I received an Access Denied error.

Bucket Policy has already been added.

{ "Version": "2008-10-17", "Id": "PolicyForCloudFrontPrivateContent", "Statement": [ { "Sid": "AllowCloudFrontServicePrincipal", "Effect": "Allow", "Principal": { "Service": "cloudfront.amazonaws.com" }, "Action": "s3:GetObject", "Resource": "arn:aws:s3:::<<S3 Bucket>>/*", "Condition": { "StringEquals": { "AWS:SourceArn": "arn:aws:cloudfront::56723652868056:distribution/<<Distribution ID>>" } } } ] }

I've already included origin and behaviour in my distribution.

Answer

Can you make sure that S3 bucket is not SSE-KMS CMK encrypted.

Did you take a look at this [blog post](https://aws.amazon.com/blogs/networking-and-content-delivery/amazon-cloudfront-introduces-origin-access-control-oac/). This explains step by step process for how to "Enable SSE-KMS for CloudFront OAC".

Refer **Enable SSE-KMS for CloudFront OAC** section in above mentioned blog post, which explains how to update the KMS key policy for cloudfront distribution.

Check S3 bucket properties to find which KMS key is being used.

1) Make sure you update the KMS key policy used in S3 encryption to allow the CloudFront service principal arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity to call kms:Decrypt on the key.
2) KMS Key and S3 bucket are in same region

Hope this helps.

Comment here if you have additional questions, happy to help.

Abhishek

Cloud Front Access Denied while try to access application (.gz files)

相關內容