Hi mlissner
From what I understand, you first created an S3 website with an error page. The error page is accessible at https://cl-error-docs-static-website.s3.amazonaws.com/errors_5xx/404.html
So first off, the reason you can access the above URL is that your bucket has an open policy. If you were using the bucket website URL, it would look like this: http://cl-error-docs-static-website.s3-website-us-east-1.amazonaws.com. This is because S3 website endpoints are only accessible over HTTP.
Now, looking at your original URL, you have used the S3 endpoint URL in your CloudFront Origin configuration. I would advise you to do the following:
- Remove the open bucket policy.
- Block all public access.
- Disable the S3 website on the bucket.
- Edit your CloudFront Origin for your S3 bucket:
  - S3 bucket access = Yes, use OAI (bucket can restrict access to only CloudFront).
  - If you do not have an Origin Access Identity, create one and then select it.
  - Bucket policy = Yes, update the bucket policy.
- Save your changes.
This method will make your bucket private, as well as create an identity that allows access to your bucket only from CloudFront. Also make sure to add a 403 error page, as S3 will return a 403 Access Denied error when you try to access an object that does not exist. See https://aws.amazon.com/premiumsupport/knowledge-center/cloudfront-access-to-amazon-s3/ and https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-restricting-access-to-s3.html
One last note, if your bucket needs to be publicly accessible, then use the S3 website URL as your origin, and make your origin a custom origin instead.
Let me know if this helps.
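An added example, not part of the answer above nor AWS-provided code: it builds the OAI-only bucket policy the steps describe, flags the open Principal "*" statements the answer says to remove, and shapes the 403 custom error response for CloudFront. The bucket name and OAI ID are constructed placeholders.

```python
# Constructed placeholders, not values from the post: substitute your own.
BUCKET = "example-error-pages-bucket"
OAI_ID = "EXAMPLEOAIID"  # ID of your CloudFront Origin Access Identity
OAI_PRINCIPAL = f"arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity {OAI_ID}"

# Constructed sample of the "open bucket policy" the answer says to remove.
OPEN_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": f"arn:aws:s3:::{BUCKET}/*"}]}


def oai_bucket_policy(bucket: str, oai_principal: str) -> dict:
    """Policy granting s3:GetObject only to the OAI (what 'Yes, update the
    bucket policy' writes for you); no Principal "*" anywhere."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "AllowCloudFrontOAIReadOnly",
        "Effect": "Allow",
        "Principal": {"AWS": oai_principal},
        "Action": "s3:GetObject",
        "Resource": f"arn:aws:s3:::{bucket}/*",
    }]}


def _principals(stmt: dict) -> set:
    """Flatten a statement's Principal element ("*", {"AWS": ...}, lists) to a set."""
    p = stmt.get("Principal", {})
    if isinstance(p, str):
        return {p}
    out = set()
    for v in p.values():
        out.update([v] if isinstance(v, str) else v)
    return out


def public_statements(policy: dict) -> list:
    """Sids of unconditional Allow statements open to any principal."""
    return [s.get("Sid", str(i)) for i, s in enumerate(policy.get("Statement", []))
            if s.get("Effect") == "Allow" and "*" in _principals(s)
            and "Condition" not in s]


def restricted_to_oai(policy: dict, oai_principal: str) -> bool:
    """True when every Allow statement names the OAI as its only principal."""
    allows = [s for s in policy.get("Statement", []) if s.get("Effect") == "Allow"]
    return bool(allows) and all(_principals(s) == {oai_principal} for s in allows)


def error_403_response(page_path: str) -> dict:
    """CloudFront custom error response: serve the site's 404 page when S3
    answers 403 for a missing key (field names as in the CloudFront API)."""
    return {"ErrorCode": 403, "ResponsePagePath": page_path,
            "ResponseCode": "404", "ErrorCachingMinTTL": 10}
```

A statement with a Condition is skipped by public_statements because the condition may narrow it; review those by hand.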
I finally got this done, but it was a real pain. The final answer uses OAI like you suggest, but the important missing piece is that you have to set a request policy of CORS-S3Origin. Until I did that the OAI didn't work, and sent a SignatureDoesNotMatch error. I'm also miffed that doing this as a static website totally didn't work, but maybe there's some secret config that I needed for that. Thank you. This "simple" thing took days. I'm glad it's working though.