CloudFront 403 errors with S3 (SSE-S3)
We have an S3 bucket with existing objects, and recently I've enabled SSE-S3 as the Encryption setting for the bucket, as the bucket was not encrypting. So, given this fact, all previously existing objects are not encrypted, but recently created ones are encrypted.
We set up a CloudFront distribution using the S3 bucket as origin, and we allowed the CloudFront console "wizard" to update de bucket policy to allow GeoObject requests from the distribution Origin.
With this setup, all previous S3 objects are accessible via CloudFront, but recently created ones are not. I was thinking of a KMS permission-related problem, but since we are using SSE-S3 and not SSE-KMS, this should not be the case.
Any ideas of what could be the problem? I tried looking in CloudTrail logs, but related events could be found :(
BTW: this is in the us-east-1 (Virginia) region.
This is the error message shown in the browser:
This is the bucket policy:
{
"Version": "2012-10-17",
"Id": "S3-Console-Auto-Gen-Policy-1657210423217",
"Statement": [
{
"Sid": "S3PolicyStmt-DO-NOT-MODIFY-1657210422966",
"Effect": "Allow",
"Principal": {
"Service": "logging.s3.amazonaws.com"
},
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::<MY-BUCKET>/*"
},
{
"Sid": "2",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity <MY-OAI>"
},
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::<MY-BUCKET>/*"
}
]
}
This is the current bucket encryption setting:
403, i.e. some permission issue...
Assuming you are not allowing access via direct S3 URL
- please check the Restricting access to Amazon S3 content by using an origin access identity (OAI)
- Check (and post if you can) the config of the bucket policy pertaining to the OAI - the encryption config and that the principal OAI is granted access
@Jules_N I just update the question adding the bucket policy (with account & bucket details redacted) and, also provided an screenshot for encryption settings
Hi,
Do you have WAF enabled for Cloudfront. Not sure how that could impact SSE-S3 object request but just good to rule that out. If WAF enabled, you might want to check this document - https://aws.amazon.com/premiumsupport/knowledge-center/cloudfront-error-request-blocked/
--Syd
Relevant questions
How can customers find out the S3 bucket with the highest cost or sort the cost for each S3 bucket?
Accepted Answerasked 2 years agoS3 object lock on existing S3 objects?
Accepted AnswerUsing S3 bucket as a file server for the public
asked 2 months agoHow to determine if an object is encrypted with a "regular" S3-SSE KMS key, or an S3 Bucket Key with S3 Inventory?
Accepted Answerasked 2 years agoAccess denied when trying to GET objects uploaded to s3 bucket via aws sdk using cloudfront
asked 8 months agoCloudFront 403 errors with S3 (SSE-S3)
asked a month agoIssue with S3 bucket
asked 4 months agoVirtual hosting an S3 bucket using Cloudfront + SSL
asked 3 years agoS3 Bucket Keys and CRR
Accepted Answerasked 2 years agoCloudtrail S3 bucket objects
asked 2 months ago
Hi, @gvasquez.
There may be a problem with your bucket policy. Can you provide it?
@iwasa I just provided a "redacted" version of the bucket policy