Minecraft 1.21.124 APK Download Public Access & CloudFront Issues S3

Hi team,

I'm running into a strange issue with a specific object I'm hosting on S3 for a game launcher I'm testing. This is the object I'm having trouble with:

https://s3.ap-southeast-1.amazonaws.com/minecraft-1.21-mod-apk/index.html

I'm hoping someone here might have some insight, as I've been stuck on this for a bit. Below is a quick breakdown of my setup and the problem.

Current Configuration

My goal is to reliably serve this client package to users. The current AWS setup is fairly standard:

  • S3 Bucket: Located in ap-southeast-1 with Block Public Access turned OFF.
  • Object Permissions: The object itself has been set to public-read via ACLs.
  • CloudFront: I have a CloudFront distribution pointed at the S3 bucket origin.
  • Origin Access: I am using an Origin Access Identity (OAI) to restrict direct S3 access and serve content only through CloudFront.

The Problem

When I use the direct S3 object URL, the download works as expected. However, when I try to access the file through its associated CloudFront URL, I intermittently receive a 403 Forbidden error. It doesn't happen every time, which is making it very difficult to debug.

Troubleshooting Steps Taken

So far, I've gone through the usual checklist to resolve this with no luck:

  • Verified the bucket policy correctly grants s3:GetObject permission to the OAI.
  • Created a full cache invalidation (/*) in the CloudFront distribution.
  • Checked CloudWatch and S3 access logs, but they don't show any obvious denial reasons.
  • Confirmed there are no firewall or WAF rules that would be blocking the requests.

Has anyone encountered issues serving specific game client packages like this via CloudFront? Is it possible there's some specific metadata or header requirement for .apk files that I'm missing which is causing the intermittent 403s?

Any advice would be greatly appreciated. Thanks

asked 17 days ago, 5.3K views
2 Answers
Based on your description, there are several potential issues that could be causing the intermittent 403 Forbidden errors when accessing your Minecraft mod APK through CloudFront.

First, there's a fundamental conflict in your setup. You've mentioned that you have Block Public Access turned OFF on your S3 bucket with public-read ACLs on the object, but you're also using an Origin Access Identity (OAI) with CloudFront. These approaches are at odds with each other - OAI is designed to work with private S3 buckets, not public ones.

Here are the likely causes and solutions:

  1. Conflicting access methods: When using CloudFront with OAI, your S3 bucket should have Block Public Access turned ON, not off. The OAI pattern is specifically designed to restrict direct S3 access while allowing CloudFront to serve the content.

  2. Bucket policy configuration: Ensure your bucket policy correctly grants the CloudFront OAI permission to access your objects. The policy should look something like:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity YOUR_OAI_ID"
          },
          "Action": "s3:GetObject",
          "Resource": "arn:aws:s3:::your-bucket-name/*"
        }
      ]
    }

  3. Consider upgrading to Origin Access Control (OAC): OAC is the newer, more secure replacement for OAI. It provides better security and supports additional S3 features.

  4. Intermittent issues: The fact that the errors are intermittent suggests there might be caching issues or race conditions. When you make changes to permissions, it can take time for them to propagate fully.

For a more secure approach:

  1. Enable Block Public Access on your S3 bucket
  2. Remove the public-read ACLs from your objects
  3. Configure your bucket policy to only allow access from your CloudFront distribution
  4. Ensure your CloudFront distribution is properly configured with OAI/OAC

This approach is more secure than allowing public access to your S3 bucket, as it ensures users can only access your content through CloudFront, giving you better control over distribution and potentially reducing your S3 data transfer costs.
Sources:

  • Request for Help: Access Denied Error with CloudFront and S3 Bucket Policy | AWS re:Post
  • Remediating exposures for Amazon S3 buckets - AWS Security Hub
  • Access Denied for CloudFront to S3 | AWS re:Post

answered 17 days ago
Hello Padma,

CloudFront does not require any special headers or metadata for .apk files, and the file type itself does not influence how CloudFront processes the request. If you are experiencing intermittent 403 errors when accessing the file through CloudFront, the issue is almost certainly related to permission configuration or CloudFront behavior rather than the APK object itself.

When troubleshooting, it is important to distinguish whether the 403 is returned by S3 or generated by CloudFront before the request reaches S3. If S3 returns the AccessDenied error, CloudFront logs typically show x-edge-result-type as Error or AccessDenied, and you can also find a corresponding 403 entry in your S3 access logs. If the 403 is generated by CloudFront, the request will not appear in S3 logs at all. This usually indicates issues such as invalid or mismatched OAI/OAC permissions, expired or malformed signed URLs, WAF or geo restrictions, or CloudFront rejecting the origin request due to policy conditions.

In your current setup, you are using an OAI, applying public-read ACLs on objects, and keeping S3 Block Public Access disabled. This combination is known to cause inconsistent and sometimes conflicting permission behavior. A more reliable configuration is to enable S3 Block Public Access, switch your bucket to Bucket owner enforced mode to disable object ACLs entirely, and manage all access strictly through a bucket policy. In addition, AWS now recommends using OAC (Origin Access Control) instead of OAI, since OAC does not rely on ACLs and provides a clearer and more robust authorization model.

Finally, all public access should be routed through CloudFront rather than exposing S3 URLs directly. This improves security and reduces cost, because data transferred from S3 to CloudFront is free, whereas serving data directly from S3 to the internet incurs higher bandwidth charges.

Here are the key AWS documentation references:

  • CloudFront access to private S3 content
  • S3 Object Ownership – Bucket owner enforced
  • CloudFront pricing

Hope this helps.

AWS
answered 3 days ago
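The triage rule in the answer above (an S3-side AccessDenied leaves a 403 entry in the S3 server access log for the same key; a CloudFront-generated 403 leaves none) can be applied mechanically across a log batch. The script below is an added example, not code from either answer or from AWS; both log excerpts are constructed sample data, with the CloudFront `#Fields` header trimmed to the columns used here, and `example-bucket`, `d111.cloudfront.net` and the request ids are placeholders.

```python
import re

# Constructed CloudFront standard-log excerpt. The parser reads the #Fields
# header, so a full production log (many more columns) works unchanged.
CF_LOG = """#Version: 1.0
#Fields: date time x-edge-location sc-bytes c-ip cs-method cs(Host) cs-uri-stem sc-status cs(Referer) cs(User-Agent) cs-uri-query cs(Cookie) x-edge-result-type x-edge-request-id
2024-05-01\t10:00:01\tSIN2-C1\t512\t203.0.113.10\tGET\td111.cloudfront.net\t/index.html\t403\t-\tcurl/8.0\t-\t-\tError\treq-aaa
2024-05-01\t10:00:05\tSIN2-C1\t8192\t203.0.113.11\tGET\td111.cloudfront.net\t/index.html\t200\t-\tcurl/8.0\t-\t-\tMiss\treq-bbb
2024-05-01\t10:00:09\tSIN2-C1\t512\t203.0.113.12\tGET\td111.cloudfront.net\t/client.apk\t403\t-\tcurl/8.0\t-\t-\tError\treq-ccc
"""

# Constructed S3 server access log: S3 denied index.html once; client.apk never reached S3.
S3_LOG = """OWNER example-bucket [01/May/2024:10:00:01 +0000] 10.0.0.1 - REQ1 REST.GET.OBJECT index.html "GET /index.html HTTP/1.1" 403 AccessDenied 243 - 12 - "-" "Amazon CloudFront" -
OWNER example-bucket [01/May/2024:10:00:05 +0000] 10.0.0.1 - REQ2 REST.GET.OBJECT index.html "GET /index.html HTTP/1.1" 200 - 8192 8192 14 9 "-" "Amazon CloudFront" -
"""

# owner bucket [time] ip requester request_id operation key "request_uri" status error_code
S3_LINE = re.compile(r'^(\S+) (\S+) \[([^\]]+)\] (\S+) (\S+) (\S+) (\S+) (\S+) "[^"]*" (\d{3}) (\S+)')


def parse_cloudfront(text):
    """Return one dict per record, keyed by the names in the #Fields header."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            records.append(dict(zip(fields, line.split("\t"))))
    return records


def s3_denied_keys(text):
    """Return the set of object keys for which S3 itself logged a 403."""
    keys = set()
    for line in text.splitlines():
        m = S3_LINE.match(line)
        if m and m.group(9) == "403":
            keys.add(m.group(8))
    return keys


def classify_403s(cf_text, s3_text):
    """Map each CloudFront 403 request id to 's3-origin' or 'cloudfront'."""
    denied = s3_denied_keys(s3_text)
    verdict = {}
    for rec in parse_cloudfront(cf_text):
        if rec["sc-status"] != "403":
            continue
        key = rec["cs-uri-stem"].lstrip("/")
        # A matching S3-side 403 means the bucket policy/ACL rejected the OAI/OAC fetch;
        # no S3 record means CloudFront refused the request before contacting the origin.
        verdict[rec["x-edge-request-id"]] = "s3-origin" if key in denied else "cloudfront"
    return verdict
```

Requests classified as `s3-origin` point at the bucket policy, ACL or Object Ownership settings; those classified as `cloudfront` point at the distribution itself (OAI/OAC mismatch, signed URLs, WAF or geo restrictions).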