I use an Amazon Simple Storage Service (Amazon S3) bucket as the origin of my Amazon CloudFront distribution. However, I can't access or download files in my Amazon S3 bucket.
Resolution
Note: If you receive errors when you run AWS Command Line Interface (AWS CLI) commands, then see Troubleshooting errors for the AWS CLI. Also, make sure that you're using the most recent AWS CLI version.
Troubleshoot 403 Access Denied errors
If CloudFront returns 403 Access Denied errors, then see one of the following AWS Knowledge Center articles based on your use case:
Check your CloudFront geographic restrictions
If your distribution uses geographic restrictions, then verify that you didn't restrict the countries that your requests originated from.
Verify that you're not enforcing HTTPS with S3 website endpoints
Amazon S3 website endpoints don't support HTTPS. If you used the AWS CLI, API, or AWS SDK to configure a CloudFront distribution, then verify that you didn't enforce HTTPS with your website endpoint origin.
To check if you use HTTPS, use the GetDistributionConfig API or get-distribution-config AWS CLI command to get the distribution configuration. If the OriginProtocolPolicy is set to https-only, then modify the OriginProtocolPolicy to use http-only.
To use HTTPS, use CloudFront with an S3 REST API endpoint origin. For more information, see Characters that might require special handling.
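The check described above can be scripted against the JSON that get-distribution-config returns. The following Python sketch is an added example, not AWS-provided code: it flags S3 website endpoint origins that are set to https-only and builds a corrected configuration. The function names and the sample data are assumptions made for illustration.

```python
import copy
import json
import re

# Both S3 website endpoint styles: bucket.s3-website-us-east-1.amazonaws.com
# and bucket.s3-website.eu-central-1.amazonaws.com
WEBSITE_ENDPOINT = re.compile(
    r"\.s3-website[.-][a-z0-9-]+\.amazonaws\.com(\.cn)?$", re.IGNORECASE)

def _origins(config):
    return (config.get("Origins") or {}).get("Items") or []

def https_only_website_origins(response):
    """IDs of S3 website endpoint origins whose OriginProtocolPolicy is https-only."""
    return [
        o["Id"] for o in _origins(response["DistributionConfig"])
        if WEBSITE_ENDPOINT.search(o.get("DomainName", ""))
        and (o.get("CustomOriginConfig") or {}).get("OriginProtocolPolicy") == "https-only"
    ]

def with_http_only(response):
    """Copy of DistributionConfig with the flagged origins switched to http-only."""
    flagged = set(https_only_website_origins(response))
    config = copy.deepcopy(response["DistributionConfig"])
    for o in _origins(config):
        if o["Id"] in flagged:
            o["CustomOriginConfig"]["OriginProtocolPolicy"] = "http-only"
    return config

# Constructed sample, trimmed to the fields used here (not a real distribution).
SAMPLE = json.loads("""
{"ETag": "EXAMPLEETAG",
 "DistributionConfig": {"Origins": {"Quantity": 3, "Items": [
   {"Id": "site-https", "DomainName": "example-bucket.s3-website-us-east-1.amazonaws.com",
    "CustomOriginConfig": {"HTTPPort": 80, "HTTPSPort": 443, "OriginProtocolPolicy": "https-only"}},
   {"Id": "site-http", "DomainName": "example-bucket.s3-website.eu-central-1.amazonaws.com",
    "CustomOriginConfig": {"HTTPPort": 80, "HTTPSPort": 443, "OriginProtocolPolicy": "http-only"}},
   {"Id": "rest", "DomainName": "example-bucket.s3.us-east-1.amazonaws.com",
    "S3OriginConfig": {"OriginAccessIdentity": ""}}
 ]}}}
""")

if __name__ == "__main__":
    print("https-only website origins:", https_only_website_origins(SAMPLE))
    # Save the corrected config and apply it with: aws cloudfront update-distribution
    #   --id <distribution-id> --if-match <ETag> --distribution-config file://fixed.json
    print(json.dumps(with_http_only(SAMPLE), indent=2))
```

To run it on a real distribution, replace SAMPLE with the JSON saved from aws cloudfront get-distribution-config --id <distribution-id>.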
Confirm that your S3 objects are under 50 GB
The maximum allowed file size for HTTP GET, POST, and PUT requests is 50 GB. If a file is larger than 50 GB, then you receive a 400 "BadRequest" error.
For more information, see General quotas on distributions.
Check for special characters in S3 object key names
If you used special characters in your S3 object key name, then you might need to modify the characters for API compliance. For more information, see Object key naming guidelines.
Confirm that you didn't use default root objects from a subdirectory
A CloudFront distribution doesn't return default root objects from a subdirectory, even when you configured the object in your distribution. For more information, see Specify a default root object.
As a workaround, you can use Lambda@Edge to return the default root object from a subdirectory.
Confirm that you didn't use host headers with an S3 origin
For Amazon S3 origins, you can't cache based on the Host header or forward the Host header. For more information, see Select the headers to base caching on.
Troubleshoot the "No Access-Control-Allow-Origin" error
To resolve this issue, see How do I resolve the "No 'Access-Control-Allow-Origin' header is present on the requested resource" error from CloudFront?
Related information
Troubleshooting error response status codes in CloudFront