WAF blocking file download from S3

Hi!

Assume S3 is the source of the error, then check for this (specially if the offending file is in a new bucket created recently): S3 Block Public Access settings If the failed request involves public access or public policies, then check the S3 Block Public Access settings on your account, bucket, or S3 access point. Starting in April 2023, all Block Public Access settings are enabled by default for new buckets.

You can look up this article for more details: Troubleshoot Access Denied (403 Forbidden) errors in Amazon S3

Does this help solve your issue?

You will not have waf in front of an s3 bucket unless your accessing the bucket via cloudfront.

You would have to explain your setup if you this waf is included.

However it sounds like a bucket policy could be the issue here.

Hi,

I understand you are getting 403 error while downloading file from S3.

Lets start with troubleshooting options. Lets explore this two options to add CORS headers on WAF blocked responses:

1. try using the feature of WAF - Custom Responses, where you can specify not only the error code to be returned but response headers too. So you can statically set CORS headers too. This approach won't be suitable though if you can't return static values in the cases where you want to honor multiple origin values and you can't return wildcard - *.
2. Use CloudFront's custom error pages that would intercept 403 errors that WAF would generate. Then, define a cache behavior corresponding to that custom error page with Lambda@Edge function attached to Origin Request/Response trigger which would add CORS headers to the response

I hope this helps. Let me know if I answered your question by up voting my response as accepted or if you have any follow-up.

Kind regards, Ahmed

Reference: [1] https://docs.aws.amazon.com/waf/latest/developerguide/customizing-the-response-for-blocked-requests.html [2] https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/GeneratingCustomErrorResponses.html