Skip to content
By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post
About re:Post

Access Denied for Cloudfront to s3 (2025)

0

I am hosting a static website on s3 and using CloudFront (CDN) distribution domain name to access me website but have been receiving 'denied access' xml page instead. To save everyone time i have provided context and troubleshooting approaches i have already tried. Looking forward to everyone's solution and advice!

Context:

  • S3 settings :
  • Encryption - SSE-S3 (server-side encryption)
  • Static website hosting - disabled
  • Permission Block public access (ALL ON)
  • Bucket Policy (copied over from Cloudfront OAC policy) :
{
    "Version": "2008-10-17",
    "Id": "PolicyForCloudFrontPrivateContent",
    "Statement": [
        {
            "Sid": "AllowCloudFrontServicePrincipal",
            "Effect": "Allow",
            "Principal": {
                "Service": "cloudfront.amazonaws.com"
            },
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::example-cloud-website/*",
            "Condition": {
                "StringEquals": {
                    "AWS:SourceArn": "arn:aws:cloudfront::1234:distribution/1234"
                }
            }
        }
    ]
}

Cloudfront/Origin Settings

  • Origin Domain: selected s3 bucket housing the website (example: cloud-website.s3.ap-southeast-2amazon.com)
  • OAC selected
  • HTTP redirect to HTTPS protocol policy selected

My troubleshooting so far:

  • Confirm i can access index.html url in s3 when block public access is OFF.
  • Turned off Block public access on s3 but still getting denied access via CDN domain.
Topics
ComputeNetworking & Content DeliveryStorage
Tags
Amazon CloudFrontDomain Name System (DNS)Website HostingAmazon Simple Storage Service
Language
English
asked a year ago411 views
3 Answers
2
Accepted Answer

Hello.

Will I get an error even if I enter the path exactly as shown below?

https://yyyyyy.cloudfront.net/index.html

The bucket policy appears to be correct.
The bucket policy you are using seems to be an old version, but it should be a policy to allow GetObject from S3, so I think it will work.
By the way, when you copy the policy when creating OAC, the version will be "2012-10-17" as shown below.
I recommend that you check whether "AWS:SourceArn" listed in the bucket policy is correct just to be sure.
https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-restricting-access-to-s3.html#delete-oac-distribution-s3

{
    "Version": "2012-10-17",
    "Statement": {
        "Sid": "AllowCloudFrontServicePrincipalReadOnly",
        "Effect": "Allow",
        "Principal": {
            "Service": "cloudfront.amazonaws.com"
        },
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::<S3 bucket name>/*",
        "Condition": {
            "StringEquals": {
                "AWS:SourceArn": "arn:aws:cloudfront::111122223333:distribution/<CloudFront distribution ID>"
            }
        }
    }
}
EXPERT
answered a year ago
EXPERT
reviewed a year ago
AWS
EXPERT
reviewed a year ago
1

Hi,

You probably want to follow step by step this very detailled troubleshooting guide to. find the root cause of your problem: https://repost.aws/knowledge-center/s3-website-cloudfront-error-403

Best,

Didier

EXPERT
answered a year ago
EXPERT
reviewed a year ago
-1

Based on the information provided, there are a few potential reasons for the Access Denied error you're experiencing when trying to access your static website through CloudFront:

  1. S3 Bucket Configuration: Since you have static website hosting disabled, make sure your CloudFront origin domain is set to the S3 REST API endpoint (e.g., bucket-name.s3.amazonaws.com) rather than the website endpoint.

  2. Origin Access Control (OAC): Ensure that the OAC is properly configured in CloudFront and that the S3 bucket policy correctly references your CloudFront distribution's ARN.

  3. Default Root Object: With static website hosting disabled, CloudFront may not serve the default root object (typically index.html) for subdirectories. You might need to implement a CloudFront function to append "index.html" to requests for directories.

  4. Bucket Policy: Double-check that the AWS account ID and distribution ID in the SourceArn condition of your bucket policy are accurate.

  5. CloudFront Cache Behavior: Verify that your cache behavior is set up to forward all necessary headers to the origin for OAC to work properly.

  6. Object Permissions: Ensure that the objects in your S3 bucket have the correct permissions for CloudFront to access them.

To troubleshoot further:

  1. Verify that the CloudFront distribution status is "Deployed".
  2. Try accessing your content directly through the CloudFront URL (d1234abcd.cloudfront.net) to isolate any DNS issues.
  3. Check CloudFront logs and S3 server access logs for more detailed error information.
  4. Ensure all IDs and ARNs in your configurations are correct.

If the issue persists after checking these points, you may need to implement a CloudFront function to handle directory indexes, or consider re-enabling static website hosting on your S3 bucket if that aligns with your use case.
Sources
Request for Help: Access Denied Error with CloudFront and S3 Bucket Policy | AWS re:Post
Access Denied for CloudFront to S3 static site | AWS re:Post

answered a year ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Relevant content