CloudFront 403 errors with S3 (SSE-S3)

0

We have an S3 bucket with existing objects, and I recently enabled SSE-S3 as the encryption setting for the bucket, as the bucket was not encrypting. So, given this fact, all previously existing objects are not encrypted, but recently created ones are encrypted.

We set up a CloudFront distribution using the S3 bucket as origin, and we allowed the CloudFront console "wizard" to update the bucket policy to allow GetObject requests from the distribution origin.

With this setup, all previous S3 objects are accessible via CloudFront, but recently created ones are not. I was thinking of a KMS permission-related problem, but since we are using SSE-S3 and not SSE-KMS, this should not be the case.

Any ideas of what could be the problem? I tried looking in CloudTrail logs, but no related events could be found :(

BTW: this is in the us-east-1 (Virginia) region.

This is the error message shown in the browser:

Browser error message

This is the bucket policy:

{
    "Version": "2012-10-17",
    "Id": "S3-Console-Auto-Gen-Policy-1657210423217",
    "Statement": [
        {
            "Sid": "S3PolicyStmt-DO-NOT-MODIFY-1657210422966",
            "Effect": "Allow",
            "Principal": {
                "Service": "logging.s3.amazonaws.com"
            },
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::<MY-BUCKET>/*"
        },
        {
            "Sid": "2",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity <MY-OAI>"
            },
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::<MY-BUCKET>/*"
        }
    ]
}

This is the current bucket encryption setting:

Encryption setting

  • Hi, @gvasquez.

    There may be a problem with your bucket policy. Can you provide it?

  • @iwasa I just provided a "redacted" version of the bucket policy
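A check for the assumption in the question that the new objects are SSE-S3, as an added example (not part of the question, the answers, or AWS's own tooling): it classifies each object by the ServerSideEncryption header of its HeadObject response, because an SSE-S3 (AES256) object needs only the bucket-policy grant shown above, while an SSE-KMS object cannot be served through an origin access identity at all (it needs an origin access control plus a grant in the KMS key policy). The audit_bucket helper, the sample responses and the placeholder key ARN are assumptions.

```python
"""Classify S3 objects by their actual server-side encryption setting.

Added example, not code from the question or from AWS. Object keys and the
HeadObject responses in SAMPLE are constructed for illustration.
"""

SSE_S3 = "AES256"
SSE_KMS = {"aws:kms", "aws:kms:dsse"}


def classify(head):
    """Map a HeadObject response dict to a verdict string.

    'sse-s3' objects are readable by an OAI with the bucket policy alone;
    'sse-kms' objects are not (OAC + KMS key policy grant required);
    'unencrypted' objects pre-date the bucket encryption setting.
    """
    sse = head.get("ServerSideEncryption")
    if sse is None:
        return "unencrypted"
    if sse == SSE_S3:
        return "sse-s3"
    if sse in SSE_KMS:
        return "sse-kms"
    return f"unknown ({sse})"


def audit(objects):
    """objects: iterable of (key, head_dict). Returns {verdict: [keys]}."""
    report = {}
    for key, head in objects:
        report.setdefault(classify(head), []).append(key)
    return report


def audit_bucket(bucket, prefix=""):
    """Live variant (assumed helper): HEAD every object under prefix using
    boto3 with credentials from the environment. Imported lazily so the
    offline part of this example runs without boto3 installed."""
    import boto3
    s3 = boto3.client("s3")
    pages = s3.get_paginator("list_objects_v2").paginate(Bucket=bucket, Prefix=prefix)
    objs = ((o["Key"], s3.head_object(Bucket=bucket, Key=o["Key"]))
            for page in pages for o in page.get("Contents", []))
    return audit(objs)


# Constructed HeadObject responses standing in for the bucket in the question.
SAMPLE = [
    ("old/logo.png", {"ContentLength": 10}),            # uploaded before encryption was enabled
    ("new/style.css", {"ServerSideEncryption": "AES256"}),  # SSE-S3, as the question expects
    ("new/app.js", {"ServerSideEncryption": "aws:kms",      # SSE-KMS: OAI cannot serve this
                    "SSEKMSKeyId": "arn:aws:kms:us-east-1:<ACCOUNT-ID>:key/<KEY-ID>"}),
]

if __name__ == "__main__":
    for verdict, keys in audit(SAMPLE).items():
        print(f"{verdict}: {keys}")
```

Run audit_bucket("<MY-BUCKET>", "new/") against the real bucket to see which verdict the objects that return 403 through CloudFront actually fall into.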

2 answers
0

403, i.e. some permission issue...

Assuming you are not allowing access via direct S3 URL

Jules_N (AWS)
answered 2 years ago
  • @Jules_N I just updated the question, adding the bucket policy (with account & bucket details redacted), and also provided a screenshot of the encryption settings

0

Hi,

Do you have WAF enabled for CloudFront? Not sure how that could impact an SSE-S3 object request, but it is good to rule that out. If WAF is enabled, you might want to check this document - https://aws.amazon.com/premiumsupport/knowledge-center/cloudfront-error-request-blocked/

--Syd

Syd
answered 2 years ago
