By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post

CloudFront 403 errors with S3 (SSE-S3)

0

We have an S3 bucket with existing objects, and recently I've enabled SSE-S3 as the Encryption setting for the bucket, as the bucket was not encrypting. So, given this fact, all previously existing objects are not encrypted, but recently created ones are encrypted.

We set up a CloudFront distribution using the S3 bucket as origin, and we allowed the CloudFront console "wizard" to update de bucket policy to allow GeoObject requests from the distribution Origin.

With this setup, all previous S3 objects are accessible via CloudFront, but recently created ones are not. I was thinking of a KMS permission-related problem, but since we are using SSE-S3 and not SSE-KMS, this should not be the case.

Any ideas of what could be the problem? I tried looking in CloudTrail logs, but related events could be found :(

BTW: this is in the us-east-1 (Virginia) region.

This is the error message shown in the browser:

Browser error message

This is the bucket policy:

{
    "Version": "2012-10-17",
    "Id": "S3-Console-Auto-Gen-Policy-1657210423217",
    "Statement": [
        {
            "Sid": "S3PolicyStmt-DO-NOT-MODIFY-1657210422966",
            "Effect": "Allow",
            "Principal": {
                "Service": "logging.s3.amazonaws.com"
            },
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::<MY-BUCKET>/*"
        },
        {
            "Sid": "2",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity <MY-OAI>"
            },
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::<MY-BUCKET>/*"
        }
    ]
}

This is the current bucket encryption setting:

Encryption setting

  • iwasa EXPERT
    2 years ago

    Hi, @gvasquez.

    There may be a problem with your bucket policy. Can you provide it?

  • gvasquez
    2 years ago

    @iwasa I just provided a "redacted" version of the bucket policy

Topics
StorageNetworking & Content Delivery
Tags
Amazon Simple Storage ServiceAmazon CloudFrontEncryption
Language
English
gvasquez
asked 2 years ago1038 views
2 Answers
0

403, i.e. some permission issue...

Assuming you are not allowing access via direct S3 URL

profile pictureAWS
Jules_N
answered 2 years ago
  • gvasquez
    2 years ago

    @Jules_N I just update the question adding the bucket policy (with account & bucket details redacted) and, also provided an screenshot for encryption settings

0

Hi,

Do you have WAF enabled for Cloudfront. Not sure how that could impact SSE-S3 object request but just good to rule that out. If WAF enabled, you might want to check this document - https://aws.amazon.com/premiumsupport/knowledge-center/cloudfront-error-request-blocked/

--Syd

profile picture
Syd
answered 2 years ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content