Custom domain cert + cloudfront + s3 origin, acc denied


I'm using a static S3 website as the origin, CloudFront, and a certificate deployed to CloudFront. Having an issue: loads just fine. gives error:

<error> <code>AccessDenied</code> <message>Access Denied</message> ... </error>

Same thing happens when I request the domain directly: /index.html works, / does not.

How do I fix this? I've tried everything I can think of. Is there an S3 bucket configuration I'm missing?

Edit 1: (no "s") gives access denied. /index.html redirects to https and succeeds.
Edit 2: (note, no "s") loads just fine.
Edit 3: both http:/// and https give access denied.

Edited by: Cyrus on Oct 10, 2019 12:47 PM

Edited by: Cyrus on Oct 10, 2019 12:49 PM

Edited by: Cyrus on Oct 10, 2019 12:50 PM

posted 5 years ago, 300 views
2 Answers

Edit: I figured it out. There is a kind of magical combination you have to put together to get this right. Here's mine:

  1. Create a brand new S3 bucket with default (closed-off) permissions or remove all public access from the target bucket.
  2. Disable static website hosting. You don't need it.
  3. If you haven't already, get your SSL cert into Amazon so you can attach it to the cloudfront distribution which will be pointing to your S3 bucket.
  4. Create a cloudfront distribution pointing to the target S3 bucket, utilizing the cert.
  5. For the origin configuration, use the form for the origin, NOT the static website hosting URL (which should be disabled anyway).
  6. Let the cloudfront config automatically change the S3 bucket access ("restrict bucket access"). You want access to the bucket restricted to this cloudfront distribution ONLY (via a specific identity). No one should be hitting your S3 bucket directly, especially since it can serve via http (no "s").
  7. Under the cloudfront "general" tab (or during setup) set your default root object to "index.html" or whatever. Otherwise, requests to will show permission denied.

While doing all this, keep in mind that CloudFront is trying to cache things, so what you're seeing in your browser may not reflect the latest "truth" of your setup. That is, with long cache times, I think it is possible CloudFront could still serve pages even if you've accidentally cut off access to the origin bucket. I set my cache times very low while testing to make sure none of this created confusion.

Edited by: Cyrus on Oct 11, 2019 6:42 AM

answered 5 years ago
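An added example, not from the thread above, that checks the seven-step setup offline: a small Python lint over the JSON shapes the AWS CLI returns for the bucket policy, the public access block and the distribution config, run against constructed "before" (the question's setup) and "after" (the answer's setup) samples. The bucket name, OAI id and region in the samples are placeholders.

```python
"""Offline lint for the CloudFront + private S3 origin setup described above.
Inputs mirror the JSON returned by the AWS CLI (get-bucket-policy,
get-public-access-block, get-distribution-config); all samples are constructed."""
import re

OAI_USER = re.compile(r"^arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity E[0-9A-Z]+$")
WEBSITE_ENDPOINT = re.compile(r"\.s3-website[.-][a-z0-9-]+\.amazonaws\.com$")
PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")


def lint(bucket_policy, public_access_block, distribution_config):
    """Return findings as strings; an empty list means steps 1, 5, 6 and 7 are satisfied."""
    findings = []
    for flag in PAB_FLAGS:  # step 1: the bucket must be closed off to the public
        if not public_access_block.get(flag):
            findings.append(f"public access block: {flag} is off")
    for stmt in bucket_policy.get("Statement", []):  # step 6: only the OAI may read
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", "")
        aws = principal.get("AWS", "") if isinstance(principal, dict) else principal
        sid = stmt.get("Sid", "?")
        if aws == "*":
            findings.append(f"policy {sid}: allows the anonymous principal '*'")
        elif not (isinstance(aws, str) and OAI_USER.match(aws)):  # lists and other ARNs are flagged too
            findings.append(f"policy {sid}: principal is not a single CloudFront OAI")
    if not distribution_config.get("DefaultRootObject"):  # step 7: '/' must map to index.html
        findings.append("distribution: DefaultRootObject is empty, so '/' returns AccessDenied")
    for origin in distribution_config.get("Origins", {}).get("Items", []):  # steps 5 and 6
        if WEBSITE_ENDPOINT.search(origin.get("DomainName", "")):
            findings.append(f"origin {origin['Id']}: uses the static-website endpoint (plain http, no OAI)")
        if not origin.get("S3OriginConfig", {}).get("OriginAccessIdentity"):
            findings.append(f"origin {origin['Id']}: no OriginAccessIdentity attached")
    return findings


# Constructed samples: the question's setup (public bucket, website endpoint, no root
# object) and the answer's setup (private bucket, REST endpoint, OAI, index.html).
WEAK_POLICY = {"Statement": [{"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
                              "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]}
FIXED_POLICY = {"Statement": [{"Sid": "OAIRead", "Effect": "Allow", "Principal": {
    "AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity E1EXAMPLE"},
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]}
PAB_OFF, PAB_ON = {f: False for f in PAB_FLAGS}, {f: True for f in PAB_FLAGS}
WEAK_DIST = {"DefaultRootObject": "", "Origins": {"Items": [
    {"Id": "site", "DomainName": "example-bucket.s3-website-us-east-1.amazonaws.com"}]}}
FIXED_DIST = {"DefaultRootObject": "index.html", "Origins": {"Items": [
    {"Id": "site", "DomainName": "example-bucket.s3.amazonaws.com",
     "S3OriginConfig": {"OriginAccessIdentity": "origin-access-identity/cloudfront/E1EXAMPLE"}}]}}
```

Running `lint(WEAK_POLICY, PAB_OFF, WEAK_DIST)` yields eight findings, while the fixed inputs yield none; feed it the real CLI output once the distribution is set up to confirm nothing was left open.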

Hey there :) I would like to know if I'm in the right direction about how I can update files (changes in my blog) any time I need. I used to do it with software via FTP, but now I want to learn to do it as a programmer, so is it possible to do it with (my website doesn't use CloudFront):

  1. AWS CLI
  2. AWS Toolkit for Visual Studio Code

I noticed that doing it by drag and drop is not possible; it is not updating.

Where is the clear documentation on AWS for doing it?

Any help would be appreciated.

answered 4 years ago
