Can't access CloudFront distribution + S3 bucket from custom domain

0

Hi, I've been learning Terraform, and created an S3 bucket hosting a Nuxt app and a CloudFront distribution pointing to said bucket. This setup is working perfectly when accessing the bucket via the Distrib URL; however, I want to use a custom subdomain from a domain name I own (I'm using OVH for the domain). I've set up the DNS record like so: [xxxx.yyyy.fr] CNAME [Distrib URL]. I also created an ACM certificate pointing to said subdomain, had it validated using DNS entries, and added it to the distrib. I have the custom subdomain set up in the CloudFront Alternate Domain Names.

To note: I have set up both the certificate and alternate domain name as "xxxx.yyyy.fr" and not "*.xxxx.yyyy.fr". I don't know if that could be the issue.

Whenever I visit the subdomain, I'm getting a "This site can't be reached", "DNS_PROBE_FINISHED_NXDOMAIN". I've also checked the CNAME record propagation, and it seems to be configured properly.

I've set up the bucket Policy like so:

{
    "Version": "2008-10-17",
    "Id": "Policy",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::[REDACTED BUCKET NAME]/*"
        }
    ]
}

Here is the S3 CORS policy:

[
    {
        "AllowedHeaders": [
            "*"
        ],
        "AllowedMethods": [
            "POST",
            "GET",
            "HEAD",
            "DELETE",
            "PUT"
        ],
        "AllowedOrigins": [
            "*"
        ],
        "ExposeHeaders": [],
        "MaxAgeSeconds": 0
    }
]

Any ideas as to why I can use the distrib's URL but not my custom subdomain? Thanks.

2 answers
0

It sounds like you've set up the S3 bucket as a website (I get that from the CORS settings). You don't need to do this with CloudFront. Using Origin Access Control (OAC) you can set up S3 so that only the CloudFront distribution that you own can access it, and the S3 bucket can be set to "private" (i.e. no public access). Then (because the S3 bucket isn't set up to be a website) you don't need to configure CORS. When you configure the OAC identity it will tell you what the bucket policy needs to be.

For more information: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-restricting-access-to-s3.html

AWS
Expert
answered 2 months ago
  • Hello and thank you for your reply! If I already have an S3 bucket configured as a static website, can I still use it and disable static hosting, or do I need to create a brand new bucket? Thanks

  • You can just disable static hosting.

0

The error message indicates a DNS problem.

You mention that you used the distribution URL for the value in the CNAME record - this should be a domain name, not a URL. Review the documentation for setting this up and testing it.

AWS
Expert
Paul_L
answered 2 months ago
Expert
reviewed 2 months ago
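Since the question is about Terraform, here is an added example (not code from the question or from either answer) that applies both answers at once: the first answer's OAC setup with a private bucket and a bucket policy scoped to the one distribution, and the second answer's point that the CNAME target is the distribution's host name, not a URL. Assumptions: the bucket name and the OVH zone/subdomain are placeholders, the questioner's already validated ACM certificate is passed in by ARN (CloudFront requires it to be in us-east-1), the OVH provider is configured with credentials elsewhere, and the `ovh_domain_zone_record` resource is used for the DNS record.

```hcl
# Added example: private S3 origin behind CloudFront with OAC, plus a CNAME at OVH.
# Bucket name, zone and certificate ARN are assumed placeholders.
provider "aws" {
  region = "eu-west-3" # assumed region for the bucket
}

variable "acm_certificate_arn" {
  description = "ARN of the already validated certificate for xxxx.yyyy.fr (must be in us-east-1)"
  type        = string
}

# Private bucket: no static website hosting, all public access blocked.
resource "aws_s3_bucket" "site" {
  bucket = "REPLACE-WITH-BUCKET-NAME" # placeholder
}

resource "aws_s3_bucket_public_access_block" "site" {
  bucket                  = aws_s3_bucket.site.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

# OAC: CloudFront signs every origin request to S3 with SigV4.
resource "aws_cloudfront_origin_access_control" "site" {
  name                              = "site-oac"
  origin_access_control_origin_type = "s3"
  signing_behavior                  = "always"
  signing_protocol                  = "sigv4"
}

resource "aws_cloudfront_distribution" "site" {
  enabled             = true
  default_root_object = "index.html"
  aliases             = ["xxxx.yyyy.fr"] # the Alternate Domain Name from the question

  origin {
    domain_name              = aws_s3_bucket.site.bucket_regional_domain_name
    origin_id                = "s3-site"
    origin_access_control_id = aws_cloudfront_origin_access_control.site.id
  }

  default_cache_behavior {
    target_origin_id       = "s3-site"
    viewer_protocol_policy = "redirect-to-https"
    allowed_methods        = ["GET", "HEAD"]
    cached_methods         = ["GET", "HEAD"]
    forwarded_values {
      query_string = false
      cookies { forward = "none" }
    }
  }

  restrictions {
    geo_restriction { restriction_type = "none" }
  }

  viewer_certificate {
    acm_certificate_arn      = var.acm_certificate_arn
    ssl_support_method       = "sni-only"
    minimum_protocol_version = "TLSv1.2_2021"
  }
}

# Bucket policy for OAC: only this one distribution, matched by ARN, may read objects.
data "aws_iam_policy_document" "site" {
  statement {
    sid       = "AllowCloudFrontServicePrincipalReadOnly"
    actions   = ["s3:GetObject"]
    resources = ["${aws_s3_bucket.site.arn}/*"]
    principals {
      type        = "Service"
      identifiers = ["cloudfront.amazonaws.com"]
    }
    condition {
      test     = "StringEquals"
      variable = "AWS:SourceArn"
      values   = [aws_cloudfront_distribution.site.arn]
    }
  }
}

resource "aws_s3_bucket_policy" "site" {
  bucket = aws_s3_bucket.site.id
  policy = data.aws_iam_policy_document.site.json
}

# DNS: the CNAME target is the distribution's host name (dxxxx.cloudfront.net), never an https:// URL.
resource "ovh_domain_zone_record" "site" {
  zone      = "yyyy.fr" # placeholder zone from the question
  subdomain = "xxxx"
  fieldtype = "CNAME"
  ttl       = 300
  target    = "${aws_cloudfront_distribution.site.domain_name}."
}
```

Two things worth checking after `terraform apply`: the bucket policy's `AWS:SourceArn` condition means a second distribution, or anyone with the bucket's S3 URL, gets `AccessDenied`, which is the intended least-privilege outcome of OAC; and the CNAME record's value is `aws_cloudfront_distribution.site.domain_name`, the bare host name CloudFront assigns, with a trailing dot so the zone does not append `yyyy.fr` to it. If the original record was created with an `https://...` value, that malformed target is what produces `DNS_PROBE_FINISHED_NXDOMAIN` in the browser, and a `dig CNAME xxxx.yyyy.fr` should show the bare `*.cloudfront.net` name once the record is corrected.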
