3 Answers
Hello.
Do you mean using S3 as the CloudFront origin?
In such cases, a possible cause of access denial is that the S3 bucket policy is not set correctly.
Try updating the bucket policy by setting the OAC described in the following document.
https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-restricting-access-to-s3.html
The bucket policy allowing reads is as follows.
```json
{
  "Version": "2012-10-17",
  "Statement": {
    "Sid": "AllowCloudFrontServicePrincipalReadOnly",
    "Effect": "Allow",
    "Principal": {
      "Service": "cloudfront.amazonaws.com"
    },
    "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::<S3 bucket name>/*",
    "Condition": {
      "StringEquals": {
        "AWS:SourceArn": "arn:aws:cloudfront::<AWS account ID>:distribution/<CloudFront distribution ID>"
      }
    }
  }
}
```
Also, if S3 is encrypted with KMS, the KMS key policy must be updated.
```json
{
  "Sid": "AllowCloudFrontServicePrincipalSSE-KMS",
  "Effect": "Allow",
  "Principal": {
    "AWS": "arn:aws:iam::<AWS account ID>:root",
    "Service": "cloudfront.amazonaws.com"
  },
  "Action": [
    "kms:Decrypt",
    "kms:Encrypt",
    "kms:GenerateDataKey*"
  ],
  "Resource": "*",
  "Condition": {
    "StringEquals": {
      "AWS:SourceArn": "arn:aws:cloudfront::<AWS account ID>:distribution/<CloudFront distribution ID>"
    }
  }
}
```
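An added example (not from the answer above or from AWS) that checks a bucket policy against the OAC pattern the answer describes: a script that reports which requirement a policy misses, so an AccessDenied can be traced to the principal, action, resource or the AWS:SourceArn condition. The bucket name and distribution ARN are constructed sample values standing in for the placeholders.

```python
SERVICE = "cloudfront.amazonaws.com"

def _as_list(value):
    # IAM allows Statement, Action, Resource, Principal.Service and condition values to be a single item or a list.
    return value if isinstance(value, list) else [value]

def diagnose_oac_bucket_policy(policy, bucket, dist_arn):
    """Return [] when some Allow statement grants cloudfront.amazonaws.com s3:GetObject on
    every object in `bucket`, scoped to `dist_arn` via AWS:SourceArn. Otherwise return one
    line per Allow statement naming the parts of that OAC pattern it is missing."""
    objects_arn = f"arn:aws:s3:::{bucket}/*"
    reasons = []
    for st in _as_list(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        principal = st.get("Principal", {})
        services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        # IAM condition keys are case-insensitive, so compare them lower-cased.
        equals = {k.lower(): v for k, v in st.get("Condition", {}).get("StringEquals", {}).items()}
        checks = [
            (SERVICE in services, f"principal is not the {SERVICE} service"),
            ("s3:GetObject" in _as_list(st.get("Action", [])), "does not allow s3:GetObject"),
            (objects_arn in _as_list(st.get("Resource", [])), f"resource does not cover {objects_arn}"),
            (dist_arn in _as_list(equals.get("aws:sourcearn", [])), f"AWS:SourceArn does not name {dist_arn}"),
        ]
        failed = [reason for ok, reason in checks if not ok]
        if not failed:
            return []
        reasons.append(f"{st.get('Sid', '<no Sid>')}: " + "; ".join(failed))
    return reasons or ["no Allow statement found"]

# Constructed sample values standing in for the placeholders in the answer above.
BUCKET = "example-bucket"
DIST_ARN = "arn:aws:cloudfront::111122223333:distribution/EDFDVBD6EXAMPLE"
GOOD_POLICY = {
    "Version": "2012-10-17",
    "Statement": {
        "Sid": "AllowCloudFrontServicePrincipalReadOnly",
        "Effect": "Allow",
        "Principal": {"Service": SERVICE},
        "Action": "s3:GetObject",
        "Resource": f"arn:aws:s3:::{BUCKET}/*",
        "Condition": {"StringEquals": {"AWS:SourceArn": DIST_ARN}},
    },
}
# Same statement but the condition still names an old distribution: looks right, yet yields AccessDenied.
STALE_STATEMENT = dict(GOOD_POLICY["Statement"])
STALE_STATEMENT["Condition"] = {"StringEquals": {
    "AWS:SourceArn": "arn:aws:cloudfront::111122223333:distribution/E1OLDDISTEXAMPLE"}}
STALE_POLICY = {"Version": "2012-10-17", "Statement": [STALE_STATEMENT]}
```

Feed it the JSON returned by `aws s3api get-bucket-policy` and the ARN of the distribution that is actually serving requests; a policy that passes here but still gets AccessDenied points at something outside the bucket policy, such as the KMS key policy.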
Thank you for your response.
I can access .jpg and .html files, but not the .gz image file, which is an application image file, referring to ECS.
answered 8 months ago
How do you access S3 from ECS? Also, since the object is ".gz", does that mean it is a gzip compressed file? How do you set up your S3 bucket policy?
Hello,
I am having a problem with my CloudFront as I'm also getting an AccessDenied.
I have set up everything like you said, following the documentation here: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-restricting-access-to-s3.html But I am still getting an error.
I think this is because my KMS key is not in the same account as my CloudFront distribution. Is it possible?