CloudFront OAC Not Detecting Updated S3 Bucket Policy

0

I have set up a number of S3 buckets and enabled CloudFront distributions pointing to those buckets. When I enable Origin access control, I am prompted to "Create control setting" where I accept all the defaults. I then "Copy policy", "Go to S3 bucket permissions", edit the (empty) Bucket policy, paste the policy, and save changes. I can see the provided bucket policy. However, when I "Save changes" in CloudFront, I see a yellow banner with:

The S3 bucket policy needs to be updated
Complete distribution configuration by allowing read access to CloudFront origin access control in your policy statement. 

Repeating the process does not resolve the issue. I had a look through https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-restricting-access-to-s3.html - the only difference I see is that it specifies "AllowCloudFrontServicePrincipalReadOnly" for read-only access while the policy created by CloudFront specifies "AllowCloudFrontServicePrincipal". I am using "Amazon S3 managed keys (SSE-S3)" so I assume the SSE-KMS key policy step is not required.

I am sure I missed a step but cannot figure out which one. I can access the CloudFront distribution from the Internet without any issues. However, I am concerned that I have left a loophole.

3 Answers
1
Accepted Answer

That banner will show up any time you modify the origin configuration in CloudFront. It just serves as a reminder, and is not actually indicating that your bucket policy is misconfigured.

If you are able to access the S3 bucket via the CloudFront distribution url, while block public access is enabled, then your OAC and bucket policy are likely configured correctly.

You can test this by removing the bucket policy and then creating an invalidation in CloudFront to clear the cache. An invalidation of /* will clear the entire cache. If you don't invalidate the cache CloudFront will continue to serve objects from the cache.

Once the invalidation is complete you can try accessing bucket objects through the CloudFront distribution url. You should see an Access Denied message confirming that the bucket policy has been removed.

Once you add back the bucket policy you'll once again be able to access your objects from the CloudFront distribution url.

AWS
answered 8 months ago
AWS
EXPERT
reviewed 8 months ago
  • Thanks for the clarification. I deleted the bucket policy and got AccessDenied with OAC enabled or if I switched CloudFront to Public. When I restored the bucket policy and enabled OAC, I was able to access my website. Switching CloudFront to Public returned AccessDenied, which is expected since my S3 bucket is not set to public.

    The wording of the banner seems a bit 'strong' - it implies that the GUI is checking the S3 bucket policy rather than reminding me to check. If anything, it should get me to check if the permissions are too lax - I will know if I did not implement the bucket policy because of the AccessDenied errors.

  • Thank you, that's great feedback!
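The accepted answer says the banner is only a reminder, and the comment above asks for the opposite check: whether the pasted policy is too lax. The following is an added example, not code from the thread or from AWS. It is an offline check of a bucket policy document (the JSON you paste into the bucket, or the output of `aws s3api get-bucket-policy`) against the properties the documented OAC policy has: the CloudFront service principal `cloudfront.amazonaws.com` is allowed `s3:GetObject` on `arn:aws:s3:::<bucket>/*` only, and the grant is tied to one distribution through the `AWS:SourceArn` condition. The bucket name, account ID and distribution ID in the sample policies are constructed placeholders, and the function name `check_oac_policy` is mine.

```python
"""Offline sanity check of an S3 bucket policy written for a CloudFront OAC.

Added example (not from the thread or from AWS). It flags the ways a pasted
policy can be wider than the documented OAC policy: a wildcard principal,
actions beyond s3:GetObject, a Resource other than the bucket's objects, and
a grant to cloudfront.amazonaws.com that is not pinned to one distribution
with an AWS:SourceArn condition.
"""
import json

CLOUDFRONT_SERVICE_PRINCIPAL = "cloudfront.amazonaws.com"

# Constructed placeholders, not real resources.
BUCKET = "example-site-bucket"
DISTRIBUTION_ARN = "arn:aws:cloudfront::111122223333:distribution/EDFDVBD6EXAMPLE"


def _as_list(value):
    """IAM lets Statement, Action, Resource and Service be a scalar or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def check_oac_policy(policy_json, bucket, distribution_arn):
    """Return a list of findings; an empty list means the policy matches the OAC shape."""
    policy = json.loads(policy_json)
    findings = []
    expected_resource = f"arn:aws:s3:::{bucket}/*"
    cloudfront_statements = []

    for statement in _as_list(policy.get("Statement")):
        sid = statement.get("Sid", "<no Sid>")
        principal = statement.get("Principal", {})
        if principal == "*" or principal == {"AWS": "*"}:
            findings.append(f"{sid}: wildcard principal grants access to everyone")
            continue
        services = _as_list(principal.get("Service")) if isinstance(principal, dict) else []
        if CLOUDFRONT_SERVICE_PRINCIPAL in services:
            cloudfront_statements.append(statement)

    if not cloudfront_statements:
        findings.append(f"no statement grants {CLOUDFRONT_SERVICE_PRINCIPAL} access")
        return findings

    for statement in cloudfront_statements:
        sid = statement.get("Sid", "<no Sid>")
        if statement.get("Effect") != "Allow":
            continue  # a Deny only narrows access, nothing to flag
        extra_actions = [a for a in _as_list(statement.get("Action")) if a != "s3:GetObject"]
        if extra_actions:
            findings.append(f"{sid}: actions beyond s3:GetObject: {extra_actions}")
        resources = _as_list(statement.get("Resource"))
        if resources != [expected_resource]:
            findings.append(f"{sid}: Resource {resources} is not [{expected_resource}]")
        # Condition keys are case-insensitive in IAM, so compare lower-cased.
        string_equals = statement.get("Condition", {}).get("StringEquals", {})
        source_arn = None
        for key, value in string_equals.items():
            if key.lower() == "aws:sourcearn":
                source_arn = value
        if source_arn is None:
            findings.append(f"{sid}: no AWS:SourceArn condition, grant is not tied to one distribution")
        elif _as_list(source_arn) != [distribution_arn]:
            findings.append(f"{sid}: AWS:SourceArn {source_arn} is not {distribution_arn}")
    return findings


# Constructed sample policies. The first has the shape the CloudFront console
# generates (Sid AllowCloudFrontServicePrincipal); the second lacks the
# SourceArn condition; the third is a public-read policy by mistake.
GOOD_POLICY = """{
  "Version": "2012-10-17",
  "Statement": {
    "Sid": "AllowCloudFrontServicePrincipal",
    "Effect": "Allow",
    "Principal": {"Service": "cloudfront.amazonaws.com"},
    "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::example-site-bucket/*",
    "Condition": {"StringEquals": {"AWS:SourceArn": "arn:aws:cloudfront::111122223333:distribution/EDFDVBD6EXAMPLE"}}
  }
}"""

LAX_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "AllowCloudFrontServicePrincipal",
    "Effect": "Allow",
    "Principal": {"Service": "cloudfront.amazonaws.com"},
    "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::example-site-bucket/*"
  }]
}"""

PUBLIC_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "PublicRead",
    "Effect": "Allow",
    "Principal": "*",
    "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::example-site-bucket/*"
  }]
}"""

if __name__ == "__main__":
    for name, doc in [("good", GOOD_POLICY), ("lax", LAX_POLICY), ("public", PUBLIC_POLICY)]:
        print(name, check_oac_policy(doc, BUCKET, DISTRIBUTION_ARN) or "ok")
```

Run it against your own policy by replacing the sample strings with the real document and the real bucket name and distribution ARN; the check is purely local and does not call AWS. It complements, rather than replaces, the remove-and-invalidate test in the accepted answer: that test proves CloudFront needs the policy, this one shows whether the policy grants more than one distribution's read access.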

0

I understand you are seeing the challenge in setting up CloudFront.

You are in the right direction, as you already highlighted the difference. There is a re:Post Knowledge Center article; please follow that as is, and you should be able to get past the error.

Additional Reference:

Restricting access to an Amazon S3 origin

Hope you find this helpful.

Comment here if you have additional questions or see any issues further, happy to help.

Abhishek

AWS
EXPERT
answered 8 months ago
0

Thanks for the fast response. Your references contain a newer version of the bucket policy than the one that the CloudFront configuration generates automatically. I updated the newer version of the bucket policy with my Resource and AWS:SourceArn values from the CloudFront recommended policy. I ran the Access Analyzer which reported no errors, and saved the updated policy.

Unfortunately, if I go back to CloudFront, edit my Origin Settings, and "Save changes", I get the same banner as before. I can access the S3 bucket via the CloudFront distribution endpoint, but I believe that worked before I set OAC. I verified that the S3 bucket has "Block all public access=On".

nh905g
answered 8 months ago
