Cloudfront Distributions - General "The security token included in the request is invalid"

0

Hi, last Friday, out of nowhere I got an alert "The security token included in the request is invalid". The alert showed just below "Custom SSL certificate - optional" in each one of the 6 distributions. I did nothing new and have no theory where this came from.

  • I do not have MFA enabled and I am logged in with the root user. There is only one identity, with permission only for Route 53.
  • I immediately changed the root user password.
  • I contacted AWS support and they told me that outside of paid support they can only advise me to go through these guides:

https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/using-https-viewers-to-cloudfront.html https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/cnames-and-https-requirements.html

There is nothing inside those articles which I changed or which I can suspect.

  • All cloudfront distributions are connected on port 443 to the origin
  • All "Viewer protocol policy" is Redirect HTTP to HTTPS
  • Cache policies are Managed-CachingDisabled or Managed-CachingOptimized
  • Origin request policies are Managed-AllViewer
  • Protocols are HTTPS only
  • I have used 2 simple CloudFront functions for a long time. Please take a look at the image and if anyone has any idea what could trigger that, or at least where I should dig, please give me a hint.

[image: The security token included in the request is invalid]
bgbs
asked 7 months ago, 338 views
4 Answers
0

Hello.

Is the IAM user performing that operation?
If you are operating as an IAM user, there is a possibility that the policy is insufficient.
Furthermore, even if you are using the root user, such an error may occur if operations are restricted by Organizations SCP, etc.
https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html

EXPERT
answered 7 months ago
  • Hi,

    No, as I explained, the root user is performing it. The IAM user only has AmazonRoute53FullAccess permissions and console access disabled. The IAM user is only used for dns-01 Let's Encrypt validation.

    • Regarding Organizations SCP: This account is NOT a member of an organization, hence it could not be restricted by Organizations SCP.
    • Otherwise all works fine. I can create and edit distributions without any limitations (at least for what I have done so far). The setup is simple. Do you have any other idea what that could be?
0

Hi, bgbs. Do you use IaC for provisioning certificates and provisioning of CloudFront, like Terraform or CloudFormation?

EXPERT
answered 7 months ago
  • No, CloudFront distributions are manually provisioned via the admin panel with the root user. I have 1 IAM user with permission AmazonRoute53FullAccess, which I use to issue Let's Encrypt SSL with a 3rd-party service, where I add the access key and secret of this IAM user. That access key was created 55 days ago.

0

Thanks for your answer. Could you please confirm that the certificate is still valid and not expired?

EXPERT
answered 7 months ago
  • The error shows in all distributions I have, and even when I start creating a new distribution, before even deploying it. All SSL certificates are valid, expiring at the end of next year.

    [images: All SSL certificates; Creating New Distribution]

0

This is clearly a bug, but Amazon don't appear to have a feedback page. I worked around it using help from this page: Update cloudfront configuration using awscli https://stackoverflow.com/a/66960593

ct1003
answered 7 months ago
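The workaround above bypasses the console and updates the distribution through the CloudFront API. The part that trips people up is that CloudFront only accepts an update that carries the ETag from the most recent read as `IfMatch`; a stale or missing value is rejected, which is the service's guard against two writers silently overwriting each other. The following is an added example written for this page (not code from the thread, the linked Stack Overflow answer, or AWS) showing the read-edit-write cycle with boto3, which uses the same API calls as `aws cloudfront get-distribution-config` and `aws cloudfront update-distribution`. The distribution ID, the ETag and the abbreviated config in `SAMPLE_RESPONSE` are constructed placeholders; the `set_viewer_protocol_policy` edit is a hypothetical helper chosen because the question states all its distributions use "Redirect HTTP to HTTPS".

```python
"""Read-edit-write of a CloudFront distribution config with the ETag/IfMatch
check the API requires. Added example; not the thread's or AWS's own code."""
import copy
import json
from typing import Any, Callable, Dict


def build_update_request(dist_id: str, get_config_response: Dict[str, Any],
                         edit: Callable[[Dict[str, Any]], None]) -> Dict[str, Any]:
    """Turn a get_distribution_config response into update_distribution kwargs.

    The response wraps the config as {"ETag": ..., "DistributionConfig": {...}}.
    Only the inner DistributionConfig is sent back, and the ETag of the read
    goes into IfMatch so CloudFront can refuse the write if someone else
    changed the distribution in between (PreconditionFailed).
    """
    if "ETag" not in get_config_response or "DistributionConfig" not in get_config_response:
        raise ValueError("response is missing ETag or DistributionConfig")
    # Deep copy so the caller's response object is left untouched.
    config = copy.deepcopy(get_config_response["DistributionConfig"])
    edit(config)  # apply the caller's change in place
    return {
        "Id": dist_id,
        "IfMatch": get_config_response["ETag"],
        "DistributionConfig": config,
    }


def set_viewer_protocol_policy(config: Dict[str, Any],
                               policy: str = "redirect-to-https") -> None:
    """Hypothetical edit: force the default cache behaviour to redirect HTTP to HTTPS."""
    config["DefaultCacheBehavior"]["ViewerProtocolPolicy"] = policy


# Constructed, abbreviated shape of a get_distribution_config response.
SAMPLE_RESPONSE: Dict[str, Any] = {
    "ETag": "EXAMPLEETAG123",  # placeholder, not a real ETag
    "DistributionConfig": {
        "CallerReference": "example-ref",
        "Comment": "",
        "Enabled": True,
        "DefaultCacheBehavior": {
            "TargetOriginId": "origin-1",
            "ViewerProtocolPolicy": "allow-all",
        },
    },
}


def apply_update(dist_id: str, edit: Callable[[Dict[str, Any]], None], client=None):
    """Read the live config, apply `edit`, and write it back with IfMatch.

    `client` is a boto3 CloudFront client; it is created on demand so the pure
    helpers above can be used (and tested) without boto3 or credentials.
    """
    if client is None:
        import boto3  # lazy import: only needed for the real API round trip
        client = boto3.client("cloudfront")
    response = client.get_distribution_config(Id=dist_id)
    request = build_update_request(dist_id, response, edit)
    return client.update_distribution(**request)


if __name__ == "__main__":
    # Offline demonstration against the constructed sample response.
    req = build_update_request("EXAMPLE_DIST_ID", SAMPLE_RESPONSE, set_viewer_protocol_policy)
    print(json.dumps(req, indent=2))
```

With the CLI the same cycle is `aws cloudfront get-distribution-config --id <ID>` (note the `ETag` field in its output), editing only the `DistributionConfig` object into a file, then `aws cloudfront update-distribution --id <ID> --if-match <ETag> --distribution-config file://config.json`. If the write is refused with a precondition error, re-read the config and retry with the fresh ETag rather than reusing the old one.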
