S3 Rest API Cloudfront error 403 using OAC
I followed the guide below to resolve a CloudFront 403 error, but am having no luck. https://repost.aws/knowledge-center/s3-rest-api-cloudfront-error-403
Here is a screenshot of the exact error message I am receiving when I use the CloudFront domain to access the website:
I checked the following settings following items that the guide suggested.
-
The origin domain name is 2023-05-12-at-website.s3.us-east-1.amazonaws.com
-
The s3 bucket is using Amazon S3 managed keys (SSE-S3) with AWS KMS encryption enabled
-
I am using OAC so Here is my S3 bucket policy giving CloudFront Access. Amazon S3 Block Public Access is enabled.
{
"Version": "2008-10-17",
"Id": "PolicyForCloudFrontPrivateContent",
"Statement": [
{
"Sid": "AllowCloudFrontServicePrincipal",
"Effect": "Allow",
"Principal": {
"Service": "cloudfront.amazonaws.com"
},
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::2023-05-12-at-website/*",
"Condition": {
"StringEquals": {
"AWS:SourceArn": "arn:aws:cloudfront::(my-AWS-Account-Number):distribution/(my CloudFront Distribution)"
}
}
}
]
}
-
The AWS account owns the object and the requested objects exist in the S3 bucket. I also defined a default root object since the client will be requesting the root of my distribution to access the site.
-
I verified that I can access and download the s3 objects from the AWS CLI.
What am I missing here?
- Newest
- Most votes
- Most comments
Check that you have configured the signing behavior correctly for your Origin Access Control ID. Per the documentation, this should be set to "Always."
If you have accidentally set it to "Never" this will effectively turn off OAC and require the bucket to be publicly accessible.
Something worth fixing that might solve it if you're lucky is changing your policy's Version field to "2012-10-17".
As per https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_version.html, "2008-10-17 - This was an earlier version of the policy language. You might see this version on older existing policies. Do not use this version for any new policies or when you update any existing policies. Newer features, such as policy variables, will not work with your policy."
If you're using KMS encryption, make sure that CloudFront has permission to use the key to decrypt the object(s).
You may need to add a statement to the KMS key policy - here is an example:
{
"Sid": "AllowCloudFrontServicePrincipalSSE-KMS",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::<AWS account ID>:root",
"Service": "cloudfront.amazonaws.com"
},
"Action": [
"kms:Decrypt",
"kms:Encrypt",
"kms:GenerateDataKey*"
],
"Resource": "*",
"Condition": {
"StringEquals": {
"AWS:SourceArn": "arn:aws:cloudfront::<AWS account ID>:distribution/<CloudFront distribution ID>"
}
}
}
From AWS console I am using:
Encryption key type Amazon S3 managed keys (SSE-S3)
I didn't see any keys when I went to the KMS service. Do I need to create a key for OAC to work?
One thing I notice is when I access an object URL(https://2023-05-12-at-website.s3.amazonaws.com/config.js) directly I get the same error message. This is expected, correct since I blocked public access?
That was the culprit!
After changing Signing Behavior from "Do not sign requests" to "Sign requests" I can now access the S3 website through the CloudFront distribution URL.
Relevant content
- asked 2 years ago
- asked 7 months ago
- asked a year ago
- asked 2 months ago
AWS OFFICIALUpdated a year ago- AWS OFFICIALUpdated a year ago
- AWS OFFICIALUpdated a year ago
Tried it. Unfortunately, no luck.