
Issues with Access Denied Error Using S3 REST Endpoint with CloudFront Configuration.

0

I've recently set up a CloudFront distribution to serve content from my S3 bucket (maliniresume) using the S3 REST API endpoint (maliniresume.s3.us-west-1.amazonaws.com) to ensure secure HTTPS connections between CloudFront and S3. However, despite following all the recommended steps, I'm still encountering an "Access Denied" error when trying to access my content through the CloudFront distribution. Here are the details of my setup:

CloudFront Distribution Configuration:

Origin Domain Name: maliniresume.s3.us-west-1.amazonaws.com

Origin Access: I've set up an Origin Access Control (OAC) for this bucket to control access. (Do not sign requests; origin type S3.)

Viewer Protocol Policy: Set to "Redirect HTTP to HTTPS" to ensure all user requests are secure.

S3 Bucket Policy: I've copied and applied the bucket policy provided by CloudFront when setting up the OAC. Here's the policy:

This is the error:

"This XML file does not appear to have any style information associated with it. The document tree is shown below.

AccessDenied Access Denied"

Could you please help me understand why I'm still facing this "Access Denied" issue? Are there any additional configurations or checks I should perform to resolve this? I've already verified that:

The OAC is correctly linked to my CloudFront distribution.

Public access to the S3 bucket is blocked.

I've invalidated the cache in CloudFront to ensure the latest configuration is in effect.

Any insights or steps to troubleshoot this would be greatly appreciated.

After running curl:

<?xml version="1.0" encoding="UTF-8"?> <Error><Code>AccessDenied</Code><Message>Access Denied</Message></

Misc: My S3 bucket was working fine before setting up the CF distribution.

Also, the browser shows something like this:

"https://d2j322d01bxiyd.cloudfront.net/ 403 (Forbidden) contentScript.js:2 Uncaught TypeError: Cannot use 'in' operator to search for 'animation' in undefined at Cr (contentScript.js:2:1395998) at 4448 (contentScript.js:2:1396281) at n (contentScript.js:2:1538728) at 3935 (contentScript.js:2:1491048) at n (contentScript.js:2:1538728) at 745 (contentScript.js:2:1490757) at n (contentScript.js:2:1538728) at contentScript.js:2:1697504 at contentScript.js:2:2054602 at contentScript.js:2:2054606"

My S3 bucket has index.html, script.js and style.css. There is nothing like "contentScript.js".

  • Can you please supply your bucket policy?

  • Here it is:

    {
      "Version": "2008-10-17",
      "Id": "PolicyForCloudFrontPrivateContent",
      "Statement": [
        {
          "Sid": "AllowCloudFrontServicePrincipal",
          "Effect": "Allow",
          "Principal": {
            "Service": "cloudfront.amazonaws.com"
          },
          "Action": "s3:GetObject",
          "Resource": "arn:aws:s3:::maliniresume/*",
          "Condition": {
            "StringEquals": {
              "AWS:SourceArn": "arn:aws:cloudfront::<account id>:distribution/EO9YJD19H7YWS"
            }
          }
        }
      ]
    }

asked a year ago · 185 views
2 Answers
1
Accepted Answer

Given the JavaScript error message you're getting, your script.js is calling something, or your index.html is including something else.

Try going simple first: host a "Hello World" HTML page and see if that works, then add complexity from there.

Also, given that there is a 403 error here, perhaps there is some other configuration in CloudFront?

AWS
EXPERT
answered a year ago
EXPERT
reviewed a year ago
  • Hi, thank you for pointing out the CF configuration error! As I mentioned in my original question, I did not use signed requests, and that was the problem: this new OAC method does not rely on OAIs (which used the OAI ID in the bucket policy); the new OAC uses SigV4 for enhanced security. It is resolved. Steps: in the CF distribution, Origin tab, Origin access, Origin access control: created a new OAC with "Sign requests (recommended)", copied the S3 bucket permission again and updated it in the S3 bucket, and it works. :-)

0

Based on the information provided, there are several potential reasons for the Access Denied error you're encountering with your CloudFront distribution and S3 bucket setup. Here are some key points to check and potential solutions:

  1. S3 Bucket Policy: Ensure that the bucket policy you've applied matches exactly what CloudFront provided when setting up the Origin Access Control (OAC). The policy should allow the CloudFront service principal (cloudfront.amazonaws.com) to perform the s3:GetObject action on your bucket's resources. Also, verify that the AWS account ID and distribution ID in the SourceArn condition are accurate.

  2. Origin Access Control (OAC) Configuration: Double-check that the OAC is correctly set up and associated with your CloudFront distribution. The OAC should be configured to use the S3 REST API endpoint, which you've correctly specified as maliniresume.s3.us-west-1.amazonaws.com.

  3. CloudFront Distribution Settings: Verify that your distribution's origin settings are correctly pointing to the S3 REST API endpoint and that the OAC is properly linked.

  4. S3 Bucket Permissions: While you've mentioned that public access to the S3 bucket is blocked (which is correct), ensure that the bucket's ACL settings allow the bucket owner full control.

  5. Object Permissions: Check that the objects within your S3 bucket have the correct permissions for CloudFront to access them.

  6. CloudFront Cache: Although you've mentioned invalidating the cache, sometimes it can take a short while for changes to propagate. Wait a bit and try again.

  7. S3 Bucket Encryption: If your bucket uses SSE-KMS encryption, make sure the KMS key policy allows CloudFront to decrypt the objects.

  8. CloudFront Function or Lambda@Edge: If you're using any CloudFront Functions or Lambda@Edge to modify requests, ensure they're not interfering with the request to S3.

  9. CloudFront Distribution Status: Verify that your CloudFront distribution status is "Deployed" and not still in progress.

  10. Error Logs: Check both CloudFront and S3 logs for more detailed error information that might point to the specific issue.

If you've verified all these points and are still encountering the Access Denied error, you may need to engage AWS Support for further assistance. They can provide more in-depth troubleshooting based on your specific account and resource configurations.
Sources
Troubleshoot 403 Access Denied error in Amazon S3 | AWS re:Post
Troubleshooting distribution issues - Amazon CloudFront
Request for Help: Access Denied Error with CloudFront and S3 Bucket Policy | AWS re:Post
HTTP 403 status code (Permission Denied) - Amazon CloudFront

answered a year ago
EXPERT
reviewed a year ago
    1. Yes, copied and pasted from the CF-generated policy. 2. It is the REST endpoint, as mentioned. 3. Yes, that was mentioned also. 4. and 5. Yes. 6. Yes. 7. Default encryption. 8. Not using. 9. It is enabled. 10. No alarm; CF logging is not turned on.
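An offline check that pulls together the accepted answer's fix (the OAC must be set to sign requests, otherwise CloudFront forwards anonymous GETs that a private bucket rejects with 403) and items 1, 2 and 7 of the second answer (bucket policy principal, action, resource and AWS:SourceArn; KMS key policy when SSE-KMS is used). This is an added example, not code from the thread or from AWS: the dicts are constructed to match the shapes of `aws cloudfront get-origin-access-control` and `aws s3api get-bucket-policy`, the account ID and OAC name are placeholders, and only StringEquals conditions are inspected.

```python
"""Offline sanity check for a CloudFront OAC in front of a private S3 bucket.

Constructed example (not from the thread or from AWS). The dicts mirror the
shapes of `aws cloudfront get-origin-access-control` (OriginAccessControlConfig)
and `aws s3api get-bucket-policy` (the Policy document), but are built inline
so this runs with no AWS credentials. ACCOUNT_ID and the OAC name are
placeholders; the bucket and distribution IDs are the ones quoted in the thread.
"""

BUCKET = "maliniresume"
ACCOUNT_ID = "111122223333"          # placeholder, not the poster's account
DISTRIBUTION_ID = "EO9YJD19H7YWS"    # distribution ID quoted in the thread
DIST_ARN = f"arn:aws:cloudfront::{ACCOUNT_ID}:distribution/{DISTRIBUTION_ID}"

# OAC as the poster first created it: origin type s3, but "Do not sign requests".
# With SigningBehavior "never" CloudFront forwards anonymous GETs, and a bucket
# with public access blocked answers them with 403 AccessDenied.
OAC_UNSIGNED = {
    "Name": "maliniresume-oac",                 # placeholder name
    "OriginAccessControlOriginType": "s3",
    "SigningProtocol": "sigv4",
    "SigningBehavior": "never",
}
# OAC as recreated in the fix: every origin request is SigV4-signed by CloudFront.
OAC_SIGNED = dict(OAC_UNSIGNED, SigningBehavior="always")

# Bucket policy CloudFront generated for the OAC (the statement from the thread).
BUCKET_POLICY = {
    "Version": "2008-10-17",
    "Id": "PolicyForCloudFrontPrivateContent",
    "Statement": [{
        "Sid": "AllowCloudFrontServicePrincipal",
        "Effect": "Allow",
        "Principal": {"Service": "cloudfront.amazonaws.com"},
        "Action": "s3:GetObject",
        "Resource": f"arn:aws:s3:::{BUCKET}/*",
        "Condition": {"StringEquals": {"AWS:SourceArn": DIST_ARN}},
    }],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _allowing_statements(policy, service, action):
    """Yield Allow statements that grant `action` to the given service principal."""
    for st in policy.get("Statement", []):
        principal = st.get("Principal")
        services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        actions = _as_list(st.get("Action", []))
        if st.get("Effect") == "Allow" and service in services and (action in actions or "*" in actions):
            yield st


def _source_arns(statement):
    """AWS:SourceArn values from a StringEquals condition (key matched case-insensitively)."""
    cond = statement.get("Condition", {}).get("StringEquals", {})
    return [v for k, vals in cond.items() if k.lower() == "aws:sourcearn" for v in _as_list(vals)]


def check_setup(oac_config, bucket_policy, bucket, dist_arn, kms_key_policy=None):
    """Return a list of findings; an empty list means the OAC setup is consistent."""
    findings = []
    if oac_config.get("OriginAccessControlOriginType") != "s3":
        findings.append("OAC origin type is not s3")
    if oac_config.get("SigningBehavior") != "always":
        findings.append(f"OAC SigningBehavior is {oac_config.get('SigningBehavior')!r}; CloudFront will not sign "
                        "origin requests, so a private bucket returns 403 AccessDenied")
    object_arn = f"arn:aws:s3:::{bucket}/*"
    grants = [st for st in _allowing_statements(bucket_policy, "cloudfront.amazonaws.com", "s3:GetObject")
              if object_arn in _as_list(st.get("Resource", []))]
    if not grants:
        findings.append(f"bucket policy has no Allow for cloudfront.amazonaws.com s3:GetObject on {object_arn}")
    elif not any(dist_arn in _source_arns(st) for st in grants):
        if any(not _source_arns(st) for st in grants):
            findings.append("bucket policy grants CloudFront with no AWS:SourceArn condition "
                            "(any distribution in any account could read the bucket)")
        else:
            findings.append(f"bucket policy AWS:SourceArn does not match {dist_arn}")
    # Item 7 of the second answer: with SSE-KMS the key policy must also let CloudFront decrypt.
    if kms_key_policy is not None:
        kms_grants = _allowing_statements(kms_key_policy, "cloudfront.amazonaws.com", "kms:Decrypt")
        if not any(dist_arn in _source_arns(st) for st in kms_grants):
            findings.append(f"KMS key policy does not allow cloudfront.amazonaws.com kms:Decrypt for {dist_arn}")
    return findings


if __name__ == "__main__":
    for label, oac in (("do not sign requests", OAC_UNSIGNED), ("sign requests", OAC_SIGNED)):
        print(f"{label}: {check_setup(oac, BUCKET_POLICY, BUCKET, DIST_ARN) or 'OK'}")
```

Run as-is it reports the single finding for the poster's original OAC (SigningBehavior "never") and OK for the recreated one; the bucket policy from the thread passes on its own, which is why re-copying it did nothing until the OAC was changed. The SourceArn check is also worth keeping: a policy that grants cloudfront.amazonaws.com without that condition lets any distribution in any AWS account read the bucket.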
