CloudFront unable to access S3 origin secured by OAC through non-default behavior


My two S3 bucket origins work if they are attached to the Default (*) CloudFront Distribution Behavior, but from a Behavior with Path pattern /test/* I get an AccessDenied error. Details below:

  • I have a CloudFront Distribution, let's call it Dist1.
  • Dist1 has two S3 buckets as origins, let's call them bucket1 and bucket2.
  • Both origins have the same Origin Access Control
  • Bucket1 has a file test.txt with content "bucket1"
  • Bucket2 has a file test.txt with content "bucket2"
  • If I set bucket1 as the origin for the Default (*) behavior and navigate to http://dist1.url/test.txt I see the text "bucket1"
  • If I set bucket2 as the origin for the Default (*) behavior and navigate to http://dist1.url/test.txt I see the text "bucket2"

So this leads me to believe that my bucket permissions are fine and my OAC is working, as I can access both buckets via the default behavior. But what I would like to achieve is that all requests that go to http://dist1.url/test/* go to bucket2. So I've created another behavior with Path pattern /test/* and Origin bucket2. Thus, I would assume that navigating to http://dist1.url/test/test.txt I would see text "bucket2". However, I get a <Code>AccessDenied</Code> error.

For the behavior with Path pattern /test/* I've tried Cache policies CachingOptimized and CachingDisabled, but the results are the same. Origin request policy I've left empty.

Any ideas what I'm missing? All pointers are more than welcome, thanks!

1 Answer
Accepted Answer

Did you move your test.txt file to /test/test.txt in the bucket?

Unless you've configured a Lambda@Edge function to remove it, CloudFront will pass through the path when requesting the object.

  • I did not. Moving the file to /test/test.txt fixed the issue. Much appreciated.
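
The alternative the answer mentions, removing the path prefix before the request reaches S3, sketched as a Lambda@Edge origin-request handler. This is an added example, not code from the thread; the `PREFIX` value, the helper names and the sample event are assumptions built from the question's `/test/*` pattern.

```javascript
// Assumed prefix: the question's path pattern (/test/*) without the wildcard.
const PREFIX = '/test';

// Map the viewer path to the object path requested from bucket2.
// Only a whole leading path segment is stripped, so /testing/a.txt is untouched.
function stripPrefix(uri, prefix) {
  if (uri === prefix) return '/';
  if (uri.startsWith(prefix + '/')) return uri.slice(prefix.length);
  return uri;
}

// Lambda@Edge origin-request handler. CloudFront forwards request.uri to the
// S3 origin as the object key, so rewriting it here changes which key is read.
// Without the rewrite, /test/test.txt is looked up as key "test/test.txt".
async function handler(event) {
  const request = event.Records[0].cf.request;
  request.uri = stripPrefix(request.uri, PREFIX);
  return request;
}

// Constructed origin-request event, trimmed to the fields used above.
function sampleEvent(uri) {
  return {
    Records: [
      { cf: { request: { method: 'GET', uri: uri, querystring: '', headers: {} } } },
    ],
  };
}

// Export for the Lambda runtime (CommonJS); skipped when loaded as an ES module.
if (typeof module !== 'undefined') {
  module.exports = { handler, stripPrefix, sampleEvent };
}
```

The function would be associated with the /test/* behavior only. S3 reports a missing key as AccessDenied rather than NoSuchKey when the caller has no s3:ListBucket permission, which is the usual case for an OAC bucket policy that grants only s3:GetObject.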

