By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post

s3 static website not returning custom error.html

0

I've set up a React+Cloudfront+S3 SPA. Cloudfront has an OAC and the S3 bucket policy only allows CF to access the contents of the bucket. All public access is blocked. The bucket is configured for static website enabled. There is an index.html and error.html configured and those resources exist in the bucket with those names.

Bucket Policy

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowCloudFrontServicePrincipalReadOnly",
            "Effect": "Allow",
            "Principal": {
                "Service": "cloudfront.amazonaws.com"
            },
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::cik-front-end/*",
            "Condition": {
                "StringEquals": {
                    "AWS:SourceArn": "arn:aws:cloudfront::339712767340:distribution/EQDQLH88I63IN"
                }
            }
        }
    ]
}

Problem

All of this works. I can visit my CF url and see the react application. However, if I attempt to access some non-existent resource in the bucket (for example https://xyz.cloudfront.net/foo, I get the following error:


<Error>
  <Code>AccessDenied</Code>
  <Message>Access Denied</Message>
  <RequestId>VZEPZ2TPB5HX0W2V</RequestId>
  <HostId>2MmWdKGa13rUK0YTsQ+5GJPJnEgzJNvuLV+qL0Soc/taJpMaV4yd2+gVdvfIa5cjVtiZwNgUXDg=</HostId>
</Error>

Why is this not returning my error.html, as configured for the S3 bucket?

Topics
StorageNetworking & Content Delivery
Tags
Amazon Simple Storage ServiceAmazon CloudFront
Language
English
dboardman
asked a month ago391 views
1 Answer
2

Hello.

Have you configured custom error responses in CloudFront?
By setting a custom error response, you can display a custom error page when the corresponding error occurs.
https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/GeneratingCustomErrorResponses.html

"AccessDenied" will probably become "404 NotFound" if you allow the "s3:ListBucket" action in the S3 bucket policy.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowCloudFrontServicePrincipalReadOnly",
            "Effect": "Allow",
            "Principal": {
                "Service": "cloudfront.amazonaws.com"
            },
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": ["arn:aws:s3:::cik-front-end/*", "arn:aws:s3:::cik-front-end"],
            "Condition": {
                "StringEquals": {
                    "AWS:SourceArn": "arn:aws:cloudfront::339712767340:distribution/EQDQLH88I63IN"
                }
            }
        }
    ]
}
profile picture
EXPERT
Riku_Kobayashi
answered a month ago
profile pictureAWS
EXPERT
Didier_Durand
reviewed a month ago
  • dboardman
    a month ago

    You need ListBucket access in addition to the documentation you provided on CloudFront custom errors?

  • dboardman
    a month ago

    Looks like that doesn't quite work. The error becomes:

    <Error>
<Code>NoSuchKey</Code>
<Message>The specified key does not exist.</Message>
<Key>foo</Key>
<RequestId>PPDBMSCG5KP4EGF2</RequestId>
<HostId>
IUQVZ3dCYwqDSeKKPWTbes+QDgezcm5SAX5SItpGx2Nc8NIgBF+2LsA9NH8NqMC4UgXeAnwaLlw=
</HostId>
</Error>
  • Osvaldo Marte EXPERT
    a month ago

    Have you set a custom error response? Because if you didn't you will continue getting that default error.

  • dboardman
    a month ago

    @osvaldo yes. I have:

    1. changed the bucket policy to reflect this answer's suggestion
    2. updated the cloudfront custom error policy for 404 and 403
    3. used my /error.html file and the custom response

    None of these actually show that html document. It simply changed the error to the NoSuchKey (posted above).

    EDIT: I tried again a few moments later and it works. I guess it was cached.

  • Osvaldo Marte EXPERT
    a month ago

    can you confirm that the error.html file is located at the root of your S3 bucket? You need to specify the correct path to the error.html file relative to the root of the S3 bucket.

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content