Custom domain cert + cloudfront + s3 origin, acc denied


I'm using a static s3 website for origin, cloudfront and a certificate deployed to cloudfront. Having an issue: loads just fine. gives error:

<error> <code>AccessDenied</code> <message>Access Denied</message> ... </error>

Same thing happens when I request the domain directly: /index.html works, / does not.

How do I fix this? I've tried everything I can think of. Is there an S3 bucket configuration I'm missing?

Edit 1: (no "s") gives access denied. /index.html redirects to https and succeeds.
Edit 2: (note, no "s") loads just fine.
Edit 3: both http:/// and https give access denied.

Edited by: Cyrus on Oct 10, 2019 12:47 PM

Edited by: Cyrus on Oct 10, 2019 12:49 PM

Edited by: Cyrus on Oct 10, 2019 12:50 PM

asked 3 years ago · 32 views
2 Answers

Edit: I figured it out. There is a kind of magical combination you have to put together to get this right. Here's mine:

  1. Create a brand new S3 bucket with default (closed-off) permissions or remove all public access from the target bucket.
  2. Disable static website hosting. You don't need it.
  3. If you haven't already, get your SSL cert into Amazon so you can attach it to the cloudfront distribution which will be pointing to your S3 bucket.
  4. Create a cloudfront distribution pointing to the target S3 bucket, utilizing the cert.
  5. For the origin configuration, use the form for the origin, NOT the static website hosting URL (which should be disabled anyway).
  6. Let the cloudfront config automatically change the S3 bucket access ("restrict bucket access"). You want access to the bucket restricted to this cloudfront distribution ONLY (via a specific identity). No one should be hitting your S3 bucket directly, especially since it can serve via http (no "s").
  7. Under the cloudfront "general" tab (or during setup) set your default root object to "index.html" or whatever. Otherwise, requests to will show permission denied.

While doing all this, keep in mind that cloudfront is trying to cache things, so what you're seeing in your browser may not reflect the latest "truth" of your setup. That is, with long cache times, I think it is possible cloudfront could still serve pages even if you've accidentally cut off access to the origin bucket. I set my cache times very low while testing to make sure none of this created confusion.

Edited by: Cyrus on Oct 11, 2019 6:42 AM

answered 3 years ago
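The seven steps above can be checked mechanically. The following is an added example, not code from the thread or from any AWS tool: an offline audit that takes the bucket's public access block, its bucket policy and the CloudFront distribution config (shaped like the AWS API responses for those objects) and reports every way the setup departs from the checklist, including the missing default root object that produces the AccessDenied on "/". The "specific identity" in step 6 is modelled as a CloudFront origin access identity (OAI); the bucket name and OAI id are placeholders, and both the "before" and "after" configurations are constructed.

```python
"""Audit an S3 + CloudFront static-site setup against the checklist above (added example)."""
import re

BUCKET = "example-static-site-bucket"   # placeholder bucket name
OAI_ID = "EXAMPLEOAIID123"              # placeholder origin access identity id

PUBLIC_ACCESS_KEYS = ("BlockPublicAcls", "IgnorePublicAcls",
                      "BlockPublicPolicy", "RestrictPublicBuckets")
WEBSITE_ENDPOINT = re.compile(r"\.s3-website[.-][a-z0-9-]+\.amazonaws\.com$")
POLICY_OAI = re.compile(r"CloudFront Origin Access Identity (\w+)$")
ORIGIN_OAI = re.compile(r"origin-access-identity/cloudfront/(\w+)$")


def build_oai_bucket_policy(bucket, oai_id):
    """Step 6: bucket policy that lets one CloudFront OAI read objects and nobody else."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "AllowCloudFrontOAIReadOnly",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::cloudfront:user/"
                             f"CloudFront Origin Access Identity {oai_id}"},
        "Action": "s3:GetObject",
        "Resource": f"arn:aws:s3:::{bucket}/*"}]}


def audit(policy, public_access_block, dist_config):
    """Return a list of findings; an empty list means the setup matches steps 1-7."""
    findings = []
    # Step 1: every public-access block flag must be on.
    for key in PUBLIC_ACCESS_KEYS:
        if not public_access_block.get(key, False):
            findings.append(f"bucket: {key} is not enabled")
    # Step 6: no Allow statement may name everyone; collect the OAIs it does trust.
    policy_oais = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        if principal == "*" or principal == {"AWS": "*"}:
            findings.append(f"bucket policy: statement {stmt.get('Sid', '<no Sid>')} "
                            "grants access to everyone")
            continue
        arns = principal.get("AWS", []) if isinstance(principal, dict) else []
        for arn in ([arns] if isinstance(arns, str) else arns):
            m = POLICY_OAI.search(arn)
            if m:
                policy_oais.add(m.group(1))
    # Steps 2 and 5: the origin is the bucket's REST endpoint with an OAI attached.
    dist_oais = set()
    for origin in dist_config.get("Origins", {}).get("Items", []):
        oid, domain = origin.get("Id", "?"), origin.get("DomainName", "")
        if WEBSITE_ENDPOINT.search(domain):
            findings.append(f"origin {oid}: points at the website-hosting endpoint {domain}")
        m = ORIGIN_OAI.search(origin.get("S3OriginConfig", {}).get("OriginAccessIdentity", ""))
        if m:
            dist_oais.add(m.group(1))
        else:
            findings.append(f"origin {oid}: no origin access identity configured")
    # The OAI the distribution signs with must be the one the bucket policy trusts.
    if dist_oais and policy_oais != dist_oais:
        findings.append(f"bucket policy trusts OAIs {sorted(policy_oais)} "
                        f"but the distribution uses {sorted(dist_oais)}")
    # Step 7: without a default root object a request for "/" is AccessDenied.
    if not dist_config.get("DefaultRootObject"):
        findings.append("distribution: DefaultRootObject is empty, so '/' returns AccessDenied")
    return findings


# Constructed "before" state: public bucket, website endpoint as origin, no root object.
WEAK_PUBLIC_ACCESS_BLOCK = {k: False for k in PUBLIC_ACCESS_KEYS}
WEAK_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "PublicReadGetObject", "Effect": "Allow", "Principal": "*",
    "Action": "s3:GetObject", "Resource": f"arn:aws:s3:::{BUCKET}/*"}]}
WEAK_DIST = {"DefaultRootObject": "", "Origins": {"Quantity": 1, "Items": [{
    "Id": "s3-website", "DomainName": f"{BUCKET}.s3-website-us-east-1.amazonaws.com",
    "CustomOriginConfig": {"OriginProtocolPolicy": "http-only"}}]}}

# Constructed "after" state following steps 1-7.
GOOD_PUBLIC_ACCESS_BLOCK = {k: True for k in PUBLIC_ACCESS_KEYS}
GOOD_POLICY = build_oai_bucket_policy(BUCKET, OAI_ID)
GOOD_DIST = {"DefaultRootObject": "index.html", "Origins": {"Quantity": 1, "Items": [{
    "Id": "s3-rest", "DomainName": f"{BUCKET}.s3.amazonaws.com",
    "S3OriginConfig": {"OriginAccessIdentity": f"origin-access-identity/cloudfront/{OAI_ID}"}}]}}


def weak_findings():
    return audit(WEAK_POLICY, WEAK_PUBLIC_ACCESS_BLOCK, WEAK_DIST)


def good_findings():
    return audit(GOOD_POLICY, GOOD_PUBLIC_ACCESS_BLOCK, GOOD_DIST)


if __name__ == "__main__":
    for label, result in (("before", weak_findings()), ("after", good_findings())):
        print(f"{label}: {len(result)} finding(s)")
        for f in result:
            print("  -", f)
```

Run as-is, the "before" state yields eight findings (four public-access flags, the public-read policy statement, the website endpoint, the missing OAI and the empty default root object) and the "after" state yields none. To point it at a real account, feed it the bucket's GetPublicAccessBlock and GetBucketPolicy responses and the distribution's GetDistributionConfig response; the check that the policy's OAI matches the distribution's OAI is what catches a stale policy left over from an earlier distribution, which is exactly the case where caching can hide a broken origin for a while.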

Hey there :) I would like to know if I'm heading in the right direction about how I can update files (changes in my blog) any time I need to. I used to do it with software over FTP, but now I want to learn to do it as a programmer, so is it possible to do it with (my website doesn't use CloudFront):

  1. AWS CLI
  2. AWS Toolkit for Visual Studio Code

I noticed that doing it by drag and drop is not possible; it does not update.

Where is the clear documentation on AWS for doing this?

Any help would be appreciated.

answered 3 years ago
