CloudFront Access Denied on Public S3 Bucket

0

Hello,

I've followed these instructions to create a publicly accessible S3 bucket, with CloudFront connected to it. I can access all S3 objects in my browser, but the CloudFront URL always returns "Access Denied".

I'm confused because my S3 bucket is publicly available, and I'm able to access the bucket objects. What could be causing this error?

logan_b
asked a year ago, 427 views
1 Answer
0

The issue might depend on the configuration you have used for your CloudFront distribution.

Determine your distribution origin domain name's endpoint type as explained in the document below. This document also provides detailed troubleshooting steps: https://aws.amazon.com/premiumsupport/knowledge-center/s3-website-cloudfront-error-403/

Please take a look at the below document too: https://aws.amazon.com/premiumsupport/knowledge-center/cloudfront-serve-static-website/

Below are the basic steps for setup using a website endpoint as the origin, with anonymous (public) access allowed:

This configuration allows public read access on your website's bucket.

Note: When you use the Amazon S3 static website endpoint, connections between CloudFront and Amazon S3 are available only over HTTP. To use HTTPS for connections between CloudFront and Amazon S3, configure an S3 REST API endpoint for your origin.

  1. Use the Amazon S3 console to create a bucket and turn on static website hosting on the bucket.

  2. From the Static website hosting dialog box, copy the Endpoint of your bucket without the leading http://. The format is similar to DOC-EXAMPLE-BUCKET.s3-website-region.amazonaws.com. You need the endpoint in this format for a later step.

  3. Add a bucket policy that allows public read access to the bucket that you created. Note: For this configuration, the S3 bucket's block public access settings must be turned off. If your use case requires the block public access settings to be turned on, use the REST API endpoint as the origin. Then, restrict access by an origin access control (OAC) or origin access identity (OAI).

  4. Create a CloudFront web distribution. In addition to the distribution settings that you need for your use case, enter the following: For Origin domain, enter the endpoint that you copied in step 2. Note: Don't select the bucket from the dropdown list. The dropdown list includes only the S3 Bucket REST API endpoints that aren't used in this configuration.

AWS
Anand
answered a year ago
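
A check for the two configurations the answer describes, as an added example (not part of the original answer and not AWS's own code): it classifies an origin domain as an S3 website or REST API endpoint and flags settings that conflict with that type. The dict keys mirror the CloudFront origin and S3 block public access API field names; the sample values are constructed, and the patterns assume standard (non-dual-stack) endpoint hostnames.

```python
import re

# Website endpoints: <bucket>.s3-website-<region> or <bucket>.s3-website.<region>
WEBSITE_RE = re.compile(r"^.+\.s3-website[.-][a-z0-9-]+\.amazonaws\.com$")
# REST API endpoints: <bucket>.s3.<region> or the legacy global <bucket>.s3
REST_RE = re.compile(r"^.+\.s3(?:[.-][a-z0-9-]+)?\.amazonaws\.com$")

def endpoint_type(domain):
    """Classify a CloudFront origin domain name (website is tested first,
    because the REST pattern would also match an s3-website hostname)."""
    if WEBSITE_RE.match(domain):
        return "website"
    if REST_RE.match(domain):
        return "rest"
    return "other"

def check_origin(origin, public_access_block):
    """Return findings for one origin dict and its bucket's block public access flags."""
    findings = []
    kind = endpoint_type(origin["DomainName"])
    # These two flags are the ones that stop a public bucket policy from applying.
    blocked = (public_access_block.get("BlockPublicPolicy", False)
               or public_access_block.get("RestrictPublicBuckets", False))
    has_oac = bool(origin.get("OriginAccessControlId"))
    has_oai = bool(origin.get("S3OriginConfig", {}).get("OriginAccessIdentity"))
    if kind == "website":
        policy = origin.get("CustomOriginConfig", {}).get("OriginProtocolPolicy")
        if policy != "http-only":
            findings.append("website endpoint is HTTP only: use origin protocol policy http-only")
        if blocked:
            findings.append("website endpoint needs public read: block public access is on")
    elif kind == "rest" and blocked and not (has_oac or has_oai):
        findings.append("REST endpoint with block public access on: attach an OAC or OAI")
    return findings

if __name__ == "__main__":
    # Constructed sample: bucket picked from the dropdown (REST endpoint), no OAC/OAI.
    origin = {"DomainName": "DOC-EXAMPLE-BUCKET.s3.us-east-1.amazonaws.com",
              "S3OriginConfig": {"OriginAccessIdentity": ""}}
    pab = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
           "BlockPublicPolicy": True, "RestrictPublicBuckets": True}
    for finding in check_origin(origin, pab):
        print(finding)
```

In practice the origin dict would come from the distribution's configuration and the flags from the bucket's public access block settings.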
