CloudFront 403 errors with S3 (SSE-S3)

0

We have an S3 bucket with existing objects, and recently I've enabled SSE-S3 as the Encryption setting for the bucket, as the bucket was not encrypting. So, given this fact, all previously existing objects are not encrypted, but recently created ones are encrypted.

We set up a CloudFront distribution using the S3 bucket as origin, and we allowed the CloudFront console "wizard" to update the bucket policy to allow GetObject requests from the distribution origin.

With this setup, all previous S3 objects are accessible via CloudFront, but recently created ones are not. I was thinking of a KMS permission-related problem, but since we are using SSE-S3 and not SSE-KMS, this should not be the case.

Any ideas of what could be the problem? I tried looking in CloudTrail logs, but related events could be found :(

BTW: this is in the us-east-1 (Virginia) region.

This is the error message shown in the browser:

Browser error message

This is the bucket policy:

{
    "Version": "2012-10-17",
    "Id": "S3-Console-Auto-Gen-Policy-1657210423217",
    "Statement": [
        {
            "Sid": "S3PolicyStmt-DO-NOT-MODIFY-1657210422966",
            "Effect": "Allow",
            "Principal": {
                "Service": "logging.s3.amazonaws.com"
            },
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::<MY-BUCKET>/*"
        },
        {
            "Sid": "2",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity <MY-OAI>"
            },
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::<MY-BUCKET>/*"
        }
    ]
}

This is the current bucket encryption setting:

Encryption setting

  • Hi, @gvasquez.

    There may be a problem with your bucket policy. Can you provide it?

  • @iwasa I just provided a "redacted" version of the bucket policy
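One check the question leaves open is whether the newly created objects really carry SSE-S3 (AES256) rather than SSE-KMS, which is what the ServerSideEncryption header on each object records. The script below is an added example, not code from the post or from AWS: it groups objects by that header as returned by HeadObject and, for KMS-encrypted objects, records the key ARN whose policy has to allow decryption. It assumes boto3 is installed and credentials with s3:ListBucket and s3:GetObject are configured; the sample responses are constructed.

```python
from collections import defaultdict

# Constructed sample HeadObject responses (not from the original post); only
# the fields relevant to encryption are kept. The key ARN is a placeholder.
SAMPLE_HEADS = {
    "old/image.png": {"ContentLength": 1024},  # uploaded before default encryption
    "new/report.pdf": {"ContentLength": 2048, "ServerSideEncryption": "AES256"},  # SSE-S3
    "new/export.csv": {"ContentLength": 4096, "ServerSideEncryption": "aws:kms",
                       "SSEKMSKeyId": "arn:aws:kms:us-east-1:111122223333:key/<EXAMPLE-KEY-ID>"},
}

def classify_encryption(head):
    """Return the encryption mode recorded in a HeadObject response."""
    sse = head.get("ServerSideEncryption")
    if sse == "AES256":
        return "SSE-S3"
    if sse in ("aws:kms", "aws:kms:dsse"):
        return "SSE-KMS"
    return "none"  # S3 omits the header entirely for unencrypted objects

def summarize(heads):
    """Group object keys by encryption mode. For SSE-KMS objects also keep the
    key ARN, because that key's policy must grant decrypt to whatever reads them."""
    groups = defaultdict(list)
    for key, head in heads.items():
        mode = classify_encryption(head)
        if mode == "SSE-KMS":
            groups[mode].append((key, head.get("SSEKMSKeyId")))
        else:
            groups[mode].append(key)
    return dict(groups)

def audit_bucket(bucket, prefix=""):
    """Call HeadObject on every object under prefix and summarize the result.
    Assumption: boto3 is installed and credentials are configured."""
    import boto3
    s3 = boto3.client("s3")
    heads = {}
    paginator = s3.get_paginator("list_objects_v2")
    for page in paginator.paginate(Bucket=bucket, Prefix=prefix):
        for obj in page.get("Contents", []):
            heads[obj["Key"]] = s3.head_object(Bucket=bucket, Key=obj["Key"])
    return summarize(heads)

if __name__ == "__main__":
    # Offline demonstration on the constructed responses.
    for mode, keys in summarize(SAMPLE_HEADS).items():
        print(mode, keys)
```

Run audit_bucket("<MY-BUCKET>", "new/") against the real bucket; any objects that land in the SSE-KMS group contradict the SSE-S3 assumption and point at key permissions rather than the bucket policy.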

2 Answers
0

403, i.e. some permission issue...

Assuming you are not allowing access via direct S3 URL

AWS
Jules_N
answered 2 years ago
  • @Jules_N I just updated the question adding the bucket policy (with account & bucket details redacted) and also provided a screenshot of the encryption settings

0

Hi,

Do you have WAF enabled for CloudFront? Not sure how that could impact SSE-S3 object requests, but it is good to rule that out. If WAF is enabled, you might want to check this document - https://aws.amazon.com/premiumsupport/knowledge-center/cloudfront-error-request-blocked/

--Syd

Syd
answered 2 years ago
