I am trying to set up CloudFront to serve static files hosted in my S3 bucket. I have set up a distribution but I get AccessDenied when trying
In my case I was using multiple origins with "Path Pattern" Behaviors along with an Origin Path in my S3 bucket:

CloudFront Behavior: /images/* -> My-S3-origin
My-S3-origin: Origin Path: /images
S3 files: /images/my-image.jpg
GET Request: /images/my-image.jpg -> 403

What was happening was the entire CloudFront GET request gets sent to the origin: /images/my-image.jpg prefixed by Origin Path: /images, so the request into S3 looks like /images/images/my-image.jpg, which doesn't exist.

Remove Origin Path.
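As an added illustration (my own code, not from the answer above), a small Python model of how CloudFront combines the full viewer path with the origin's Origin Path; the behavior list, origin settings and bucket keys are constructed, and the status mapping assumes the distribution lacks s3:ListBucket, so a missing key comes back as 403 rather than 404:

```python
from fnmatch import fnmatchcase

# Constructed distribution config: (Path Pattern, origin name), most
# specific first; "*" is the default behavior.
BEHAVIORS = [
    ("/images/*", "My-S3-origin"),
    ("*", "Default-origin"),
]
# Constructed origin settings; "/images" on My-S3-origin is the misconfiguration.
ORIGINS = {
    "My-S3-origin": {"origin_path": "/images"},
    "Default-origin": {"origin_path": ""},
}
# Constructed bucket listing (object keys, no leading slash).
S3_KEYS = {"images/my-image.jpg", "index.html"}


def match_behavior(viewer_path, behaviors=BEHAVIORS):
    """Return the origin of the first Path Pattern that matches the request.
    CloudFront's '*' matches any characters, including '/', like fnmatch."""
    for pattern, origin in behaviors:
        if fnmatchcase(viewer_path, pattern):
            return origin
    raise ValueError("no default behavior")


def origin_request_path(viewer_path, origin_path):
    """CloudFront prepends Origin Path to the *entire* viewer path; the part
    matched by the Path Pattern is not stripped, hence /images/images/..."""
    return origin_path.rstrip("/") + viewer_path


def resolve(viewer_path, origins=ORIGINS, keys=S3_KEYS):
    """Return (path sent to S3, status) for a viewer request."""
    origin = match_behavior(viewer_path)
    path = origin_request_path(viewer_path, origins[origin]["origin_path"])
    status = 200 if path.lstrip("/") in keys else 403  # no ListBucket -> 403
    return path, status


if __name__ == "__main__":
    print(resolve("/images/my-image.jpg"))  # ('/images/images/my-image.jpg', 403)
    fixed = {"My-S3-origin": {"origin_path": ""}, "Default-origin": {"origin_path": ""}}
    print(resolve("/images/my-image.jpg", fixed))  # ('/images/my-image.jpg', 200)
```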
This can happen if you are using a bucket that has just been newly created.
According to the official reply here (AWS Forum link), you have to wait a couple of hours after creating a new bucket before you can have a CloudFront distribution working on it correctly.
The solution is to temporarily work from one of your old buckets and switch to the new bucket a couple of hours later.
To assist with your question, I recreated the situation via:

I checked the bucket, and CloudFront had added a Bucket Policy similar to yours.
The distribution was marked as In Progress for a while. Once it said Enabled, I accessed the files via the xxx.cloudfront.net URL:

xxx.cloudfront.net/public.jpg redirected me to the S3 URL http://bucketname.s3.amazonaws.com/public.jpg. Yes, I could see the file, but it should not use a redirect.
xxx.cloudfront.net/private.jpg redirected me also, but I then received Access Denied because it is a private file in S3.

I then did some research and found that this is quite a common occurrence. Some people use a workaround by pointing their CloudFront distribution to the static hosted website URL, but this has the disadvantage that it will not work with the Origin Access Identity, and I also suspect it won't receive the 'free S3 traffic to the edge' discount.
So, I waited overnight, tested it this morning and everything is working fine.
Bottom line: Even if it says ENABLED, things might take several hours (e.g. overnight) to get themselves right. It will then work as documented.
I added 'index.html' in Default Root Object under the General tab of the CloudFront 'Distribution Settings' and it worked for me, as index.html was the root file for my project!
I also got 403 from CloudFront but my issue was a bit different, so I'm sharing it here as it might help others.
Make sure the Origin Access Id you've defined as part of the bucket policy is the right one:

    {
        "Version": "2008-10-17",
        "Id": "PolicyForCloudFrontPrivateContent",
        "Statement": [
            {
                "Sid": "1",
                "Effect": "Allow",
                "Principal": {
                    "AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity HERE_GOES_YOUR_ORIGIN_ACCESS_ID"
                },
                "Action": "s3:GetObject",
                "Resource": "arn:aws:s3:::deepen-frontend-prod/*"
            }
        ]
    }

An Origin Access Identity Id roughly looks like E19F48VV5H01ZD.
You can find all of your origin access identities on https://console.aws.amazon.com/cloudfront/home#oai. Look for the one you're using in your CloudFront config under Your Identities:
Instead of choosing the default S3 bucket for Origin Domain Name, please enter <bucket-name>.s3-website.<region>.amazonaws.com as the Origin Domain Name (you can get this URL at the Static website hosting property under the S3 bucket properties).