Get AccessDenied from all sub-paths using Cloudfront with S3 Origin and Access Control


First of all I have several static sites setup like this and only one is having problems, so I've been trying to compare what differs but I cannot find anything.

But let's focus on the one that isn't working, Any sub-path like /om gets an AccessDenied error.

There is a file called /om/index.html that is supposed to be loaded. Another static site I have called has the same setup and works fine. If you for example go to

The CloudFront distro is setup with mostly defaults, only added a Certificate from ACM, index.html as default root object, use only North American and European price class.

Under origins I've chosen the S3 endpoint that is listed by default (, Origin access control, and I've installed this bucket policy in the bucket.

    "Version": "2008-10-17",
    "Id": "PolicyForCloudFrontPrivateContent",
    "Statement": [
            "Sid": "AllowCloudFrontServicePrincipal",
            "Effect": "Allow",
            "Principal": {
                "Service": ""
            "Action": "s3:GetObject",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "AWS:SourceArn": "arn:aws:cloudfront::redact:distribution/redact"

The bucket itself is also default, no static site hosting enabled, no public access, just this policy.

2 Answers

This is just AWS Cloudfront working as designed, I just forgot about this detail.

I want to use the REST API endpoint for S3 obviously because I prefer having buckets without public access. But using the REST API endpoint of S3 means Cloudfront is unable to lookup index files in sub-directories. It can only lookup the default root object in root.

So the solution used to be to create a Lambda that would do the lookup for you, but now there are CF functions that should be simpler, so I'm going to try that.

The other workaround is of course to enable static website hosting on the bucket, use the S3 website endpoint, but that means I also need to open up my bucket for public access.

answered a year ago
  • Also static website hosting is http only - no https!


How long ago did you set the bucket up? I've seen this before and sometimes it's a matter of letting the S3 control plane replicate information globally. The way to tell is to look at the URL when you get the Access Denied message. If you see the bucket URL and not CloudFront - just wait.

Because you've created the bucket in a region that isn't us-east-1 the S3 control plane (which is global) hasn't yet replicated the information that the bucket is in eu-north-1 so it uses a redirect to the browser to get you to the right place in the short term. But because of the bucket policy the browser access is rejected. It's temporary and only occurs if the bucket is quite new.

Edit to add detail from OP comment

You don't need to do anything special to use CloudFront to publish a non-public S3 bucket and still have access to sub-directories. Check out the documentation because it gives instructions on how to do exactly that. It's better than using Lambda@Edge because it is zero complexity and zero extra cost.

profile pictureAWS
answered a year ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions