Hosting HTTPS website using S3, ACM and CloudFront

0

I am trying to host a website using S3, ACM, CloudFront and Route53. I am getting access denied when trying to access it. I have done the following steps based on various AWS documentation, AWS blog posts and re:Post, but nothing helped. Here are the steps:

  1. Created 2 S3 buckets - example.com and www.example.com. Root bucket is redirecting to www and www bucket has the index.html.
  2. Requested an ACM certificate and added both the domains to it. Added the corresponding CNAMEs to the hosted zone. Certificate is issued.
  3. Created 2 CloudFront distributions, one for www.example.com and one for example.com.
  4. www.example.com config - selected OAC for origin access, updated the www.example.com bucket policy, redirect HTTP to HTTPS, attached the certificate.
  5. Added A records for both distributions in the hosted zone.

Did I miss anything?

  • I have tried making the www.example.com bucket public and its object public (which is not needed in case of CloudFront) but still got the same error.
  • My S3 buckets are SSE-S3 encrypted.
  • Using Static website endpoints
  • no explicit deny bucket policy
  • Bucket and object owned by same account
3 Answers
0
Accepted Answer
  1. Have you added the Alternative Domain names for your domain to CloudFront's configuration?
  2. Have you added access from CloudFront to the bucket policy?

After Discussion

Your public S3 bucket is not used in this configuration and can be disabled.

Update your Root object on the distro to be index.html https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/DefaultRootObject.html

To perform a redirect you would need to use a Lambda@Edge as you're using a native S3 origin https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/example-function-redirect-url.html

EXPERT
answered 4 months ago
EXPERT
reviewed 4 months ago
  • If you could accept this answer under me.. thanks

  • Thank you very much Niharika

0
  1. Yes, I have added CNAME to the CloudFront distribution
  2. While creating the distribution and Origin access control settings, I copied the policy from OAC to the bucket. Here is the copy of the policy:

    {
        "Version": "2012-10-17",
        "Statement": {
            "Sid": "AllowCloudFrontServicePrincipalReadOnly",
            "Effect": "Allow",
            "Principal": {
                "Service": "cloudfront.amazonaws.com"
            },
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::<S3 bucket name>/*",
            "Condition": {
                "StringEquals": {
                    "AWS:SourceArn": "arn:aws:cloudfront::<AWS account ID>:distribution/<CloudFront distribution ID>"
                }
            }
        }
    }

answered 4 months ago
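
A check of the bucket policy quoted in the answer above against the bucket and distribution it is meant to serve, as an added example that is not part of the thread and not AWS tooling. The function name `check_oac_policy`, the account ID and the distribution ID are constructed for illustration; the bucket name and the policy text are the ones from the thread.

```python
import json
from fnmatch import fnmatchcase

def _as_list(value):
    return value if isinstance(value, list) else [value]

def check_oac_policy(policy_json, bucket, distribution_arn):
    """Return reasons this policy would not let the distribution read the bucket."""
    object_arn = f"arn:aws:s3:::{bucket}/*"
    # "Statement" may be one object (as in the thread) or a list of them.
    for st in _as_list(json.loads(policy_json).get("Statement", [])):
        principal = st.get("Principal")
        services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        if st.get("Effect") == "Allow" and "cloudfront.amazonaws.com" in services:
            break  # only the first matching statement is checked
    else:
        return ["no Allow statement for the cloudfront.amazonaws.com service principal"]
    problems = []
    # IAM action names are case-insensitive and may contain wildcards.
    if not any(fnmatchcase("s3:getobject", a.lower()) for a in _as_list(st.get("Action", []))):
        problems.append("statement does not allow s3:GetObject")
    if not any(fnmatchcase(object_arn, r) for r in _as_list(st.get("Resource", []))):
        problems.append(f"Resource does not cover {object_arn}")
    # Condition keys are case-insensitive: AWS:SourceArn and aws:sourcearn are the same key.
    source_arns = [arn
                   for operator in ("StringEquals", "ArnEquals")
                   for key, val in st.get("Condition", {}).get(operator, {}).items()
                   if key.lower() == "aws:sourcearn"
                   for arn in _as_list(val)]
    if not source_arns:
        problems.append("no AWS:SourceArn condition limiting the grant to one distribution")
    elif distribution_arn not in source_arns:
        problems.append(f"AWS:SourceArn does not name {distribution_arn}")
    return problems

# The policy as posted in the thread, placeholders included.
POSTED = """{"Version": "2012-10-17", "Statement": {
  "Sid": "AllowCloudFrontServicePrincipalReadOnly", "Effect": "Allow",
  "Principal": {"Service": "cloudfront.amazonaws.com"}, "Action": "s3:GetObject",
  "Resource": "arn:aws:s3:::<S3 bucket name>/*",
  "Condition": {"StringEquals": {"AWS:SourceArn":
    "arn:aws:cloudfront::<AWS account ID>:distribution/<CloudFront distribution ID>"}}}}"""
# Constructed sample values (not from the thread) substituted for the placeholders.
DIST_ARN = "arn:aws:cloudfront::111122223333:distribution/EDFDVBD6EXAMPLE"
FILLED = (POSTED.replace("<S3 bucket name>", "www.example.com")
                .replace("<AWS account ID>", "111122223333")
                .replace("<CloudFront distribution ID>", "EDFDVBD6EXAMPLE"))

if __name__ == "__main__":
    print(check_oac_policy(POSTED, "www.example.com", DIST_ARN))  # two problems
    print(check_oac_policy(FILLED, "www.example.com", DIST_ARN))  # []
```

A clean result only means the policy grants the read; it says nothing about the origin type or default root object discussed elsewhere in the thread.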
0

One additional piece of information, not sure if it is helpful but thought to share. I have WAF enabled for my distribution and when I look at the 'Requests processed by AWS WAF for this distribution' I can see all the requests as 'allowed request'.

answered 4 months ago
  • I think you're trying to run a web-enabled S3 bucket behind CloudFront, which will not work unless you set up CF like that. Did you see my latest comments? Try your CloudFront URL with index.html, i.e. www.example.com/index.html
