Can't access CloudFront distribution + S3 bucket from custom domain

0

Hi, I've been learning Terraform, and created an S3 bucket hosting a Nuxt app and a CloudFront distribution pointing to said bucket. This setup is working perfectly when accessing the bucket via the distribution URL; however, I want to use a custom subdomain from a domain name I own (I'm using OVH for the domain). I've set up the DNS record like so: [xxxx.yyyy.fr] CNAME [Distrib URL]. I also created an ACM certificate pointing to said subdomain, had it validated using DNS entries, and added it to the distribution. I have the custom subdomain set up in the CloudFront Alternate Domain Names.

To note: I have set up both the certificate and the alternate domain name as "xxxx.yyyy.fr" and not "*.xxxx.yyyy.fr". I don't know if that could be the issue.

Whenever I visit the subdomain, I'm getting a "This site can't be reached", "DNS_PROBE_FINISHED_NXDOMAIN". I've also checked the CNAME record propagation, and it seems to be configured properly.

I've set up the bucket Policy like so:

{
    "Version": "2008-10-17",
    "Id": "Policy",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::[REDACTED BUCKET NAME]/*"
        }
    ]
}

Here is the S3 CORS policy:

[
    {
        "AllowedHeaders": [
            "*"
        ],
        "AllowedMethods": [
            "POST",
            "GET",
            "HEAD",
            "DELETE",
            "PUT"
        ],
        "AllowedOrigins": [
            "*"
        ],
        "ExposeHeaders": [],
        "MaxAgeSeconds": 0
    }
]

Any ideas as to why I can use the distribution's URL but not my custom subdomain? Thanks.

2 Answers
0

It sounds like you've set up the S3 bucket as a website (I get that from the CORS settings). You don't need to do this with CloudFront. Using Origin Access Control (OAC) you can set up S3 so that only the CloudFront distribution that you own can access it, and the S3 bucket can be set to "private" (i.e. no public access). Then (because the S3 bucket isn't set up to be a website) you don't need to configure CORS. When you configure the OAC identity it will tell you what the bucket policy needs to be.

For more information: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-restricting-access-to-s3.html

AWS EXPERT, answered 2 months ago
  • Hello and thank you for your reply! If I already have an S3 bucket configured as a static website, can I still use it and disable static hosting, or do I need to create a brand new bucket? Thanks

  • You can just disable static hosting.
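Since the question is a Terraform setup, here is what the OAC arrangement from this answer looks like in Terraform. This is an added example, not code from the question or from AWS; the resource names `aws_s3_bucket.site` and `aws_cloudfront_distribution.site` are assumed to exist elsewhere in your configuration.

```hcl
# Assumed: aws_s3_bucket.site and aws_cloudfront_distribution.site are defined elsewhere.

# The OAC identity CloudFront uses to sign its requests to the S3 origin.
resource "aws_cloudfront_origin_access_control" "site" {
  name                              = "site-oac"
  origin_access_control_origin_type = "s3"
  signing_behavior                  = "always"
  signing_protocol                  = "sigv4"
}

# Block every form of public access; CloudFront becomes the only reader.
resource "aws_s3_bucket_public_access_block" "site" {
  bucket                  = aws_s3_bucket.site.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

# Bucket policy: read-only, only for the CloudFront service principal, and only
# when the request is made on behalf of this one distribution (AWS:SourceArn).
# This replaces the "Principal": "*" policy from the question.
data "aws_iam_policy_document" "site_oac" {
  statement {
    sid       = "AllowCloudFrontServicePrincipalReadOnly"
    actions   = ["s3:GetObject"]
    resources = ["${aws_s3_bucket.site.arn}/*"]
    principals {
      type        = "Service"
      identifiers = ["cloudfront.amazonaws.com"]
    }
    condition {
      test     = "StringEquals"
      variable = "AWS:SourceArn"
      values   = [aws_cloudfront_distribution.site.arn]
    }
  }
}

resource "aws_s3_bucket_policy" "site" {
  bucket = aws_s3_bucket.site.id
  policy = data.aws_iam_policy_document.site_oac.json
}
```

In the distribution's `origin` block, point `domain_name` at `aws_s3_bucket.site.bucket_regional_domain_name` (the REST endpoint, not the website endpoint) and set `origin_access_control_id = aws_cloudfront_origin_access_control.site.id`; no CORS configuration is needed on the bucket for this path.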

0

The error message indicates a DNS problem.

You mention that you used the distribution URL for the value in the CNAME record - this should be a domain name, not a URL. Review the documentation for setting this up and testing it.

AWS EXPERT Paul_L, answered 2 months ago (reviewed 2 months ago)
