I am using the following CF policy in my S3 bucket:

{
    "Version": "2008-10-17",
    "Id": "PolicyForCloudFrontPrivateContent",
    "Statement": [
        {
            "Sid": "AllowCloudFrontServicePrincipal",
            "Effect": "Allow",
            "Principal": {
                "Service": "cloudfront.amazonaws.com"
            },
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::<mybucket>/*",
            "Condition": {
                "StringEquals": {
                    "AWS:SourceArn": "arn:aws:cloudfront::xxxxxxxxxxx:distribution/E3KFW1xxxxxxx"
                }
            }
        }
    ]
}

Using Origin access control.

Error:

<Error>
<Code>AccessDenied</Code>
<Message>Access Denied</Message>
<RequestId>WB810TMZGMYRRE6N</RequestId>
<HostId>
EU8t4ysVGXo6TpYMNhmypgBWzZ4TMnlbEgYABlF/sK2hm70octviejQocM3zx0z/Sf4cSk/1nNh2u5zK5EeYDw==
</HostId>
</Error>
  • We're going to need more if you want help. Things to look at include a tutorial on origin access identity and looking in the CloudTrail logs, though CloudTrail doesn't record data events by default.
    – Tim
    Nov 14 at 7:19

1 Answer

Easy stuff first.

Make sure the object actually exists where you are requesting it from. This seems obvious, but if you define a "Path pattern" on the CF Behavior, make sure the object is in that same [case sensitive] path.

Double check that the distribution ARN in the policy matches the distribution you are trying to request the resource from.

Double check that the CF Origin in the CF Distribution is configured to use Origin Access Control (OAC).

Make sure the CF behavior (possibly the default) has the correct origin selected. If you are using an origin group with multiple S3 buckets, make sure the appropriate access policy is applied to all buckets.

If the object in the S3 bucket is not owned by the bucket, the bucket policy may not apply to the object. Newly created buckets default to ACLs disabled, but older buckets may still allow non-bucket owners to own an object within a bucket. If that is the case and you cannot disable ACLs, you will either need to copy the objects (to change the owner) OR dive into ACLs that allow public reading.

I strongly recommend disabling ACLs. There is a reason they are disabled by default.

Providing the CF OAC identity/condition s3:ListBucket access (to the bucket arn:aws:s3:::<mybucket>, not a path arn:aws:s3:::<mybucket>/*) should change the behavior from 403 to 404 when the object does not exist. You should still get a 403 if it is actually an access problem, but will start getting 404 if it is an object name/location problem.

If all else fails, try S3 access logs (is the request getting there, and what is being requested by whom?).
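An offline checker for the policy-side points in the answer above (the distribution ARN in the aws:SourceArn condition must match the distribution you request from, s3:GetObject must be granted on the object path, and s3:ListBucket on the bucket ARN is what turns a missing-object 403 into a 404). This is an added example, not code from the question or answer; the function names and finding strings are mine, and the sample policy is the questioner's with its placeholders kept as-is.

```python
import json

# Constructed sample: the question's policy, placeholders kept as-is.
SAMPLE_POLICY = json.dumps({
    "Version": "2008-10-17",
    "Statement": [{
        "Sid": "AllowCloudFrontServicePrincipal",
        "Effect": "Allow",
        "Principal": {"Service": "cloudfront.amazonaws.com"},
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::<mybucket>/*",
        "Condition": {"StringEquals": {
            "AWS:SourceArn": "arn:aws:cloudfront::xxxxxxxxxxx:distribution/E3KFW1xxxxxxx"}},
    }],
})

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _source_arns(stmt):
    # IAM matches condition keys case-insensitively, so normalise before comparing.
    cond = stmt.get("Condition", {}).get("StringEquals", {})
    return [a for k, v in cond.items() if k.lower() == "aws:sourcearn" for a in _as_list(v)]

def check_oac_policy(policy_json, bucket, distribution_arn):
    """Return findings for an OAC bucket policy; an empty list means all checks passed."""
    findings, get_ok, list_ok = [], False, False
    for stmt in json.loads(policy_json).get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        if not isinstance(principal, dict) or "cloudfront.amazonaws.com" not in _as_list(principal.get("Service", [])):
            continue  # not a CloudFront service-principal grant
        arns = _source_arns(stmt)
        if not arns:
            findings.append(f"{stmt.get('Sid')}: no aws:SourceArn condition, any distribution may read")
            continue
        if distribution_arn not in arns:
            findings.append(f"{stmt.get('Sid')}: SourceArn {arns} does not match {distribution_arn}")
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        get_ok |= "s3:GetObject" in actions and f"arn:aws:s3:::{bucket}/*" in resources
        list_ok |= "s3:ListBucket" in actions and f"arn:aws:s3:::{bucket}" in resources
    if not get_ok:
        findings.append("missing s3:GetObject on arn:aws:s3:::<bucket>/* for this distribution")
    if not list_ok:
        findings.append("no s3:ListBucket on bucket ARN: missing objects return 403, not 404")
    return findings
```

Run it against the policy you actually have deployed (aws s3api get-bucket-policy) and the distribution ARN from the CloudFront console; a SourceArn mismatch finding means the 403 is a policy problem, while only the ListBucket finding points back to object name or path.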
