- Newest
- Most votes
- Most comments
Hello.
I've also seen the same error in the past.
At that time, the cause was that the Host header was being added to the cache key of CloudFront's origin request.
Adding a Host header forwards the Host header to the origin.
If you set up S3 in Origin, the HOST header is used to identify the S3 bucket.
The HOST header when making a request from CloudFront to S3 was overwritten by the HOST header of the client request, and as a result, the S3 bucket could not be found and an error occurred.
Therefore, it may be a good idea to check how the cache keys etc. are set in CloudFront.
S3 bucket, enabling the static hosting,
By the way, if you're using CloudFront, you don't need to enable S3 static hosting.
https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-restricting-access-to-s3.html
CloudFront and S3 can be created using the CloudFormation below.
If you upload index.html to the created S3 and access it with the CloudFront domain, the website will be displayed.
AWSTemplateFormatVersion: "2010-09-09"
Description: Static contents distribution using S3 and CloudFront.
Parameters:
CachePolicy:
Description: Change this if you want to specify a cache policy.
Type: String
Default: CachingOptimized
AllowedValues:
- CachingOptimized
- CachingDisabled
- CachingOptimizedForUncompressedObjects
- Elemental-MediaPackage
- Amplify
Mappings:
CachePolicyIds:
CachingOptimized:
Id: 658327ea-f89d-4fab-a63d-7e88639e58f6
CachingDisabled:
Id: 4135ea2d-6df8-44a3-9df3-4b5a84be39ad
CachingOptimizedForUncompressedObjects:
Id: b2884449-e4de-46a7-ac36-70bc7f1ddd6d
Elemental-MediaPackage:
Id: 08627262-05a9-4f76-9ded-b50ca2e3a84f
Amplify:
Id: 2e54312d-136d-493c-8eb9-b001f22f67d2
Resources:
# S3 bucket contains static contents
AssetsBucket:
Type: AWS::S3::Bucket
DeletionPolicy: Retain
UpdateReplacePolicy: Retain
Properties:
BucketEncryption:
ServerSideEncryptionConfiguration:
- ServerSideEncryptionByDefault:
SSEAlgorithm: AES256
PublicAccessBlockConfiguration:
BlockPublicAcls: true
BlockPublicPolicy: true
IgnorePublicAcls: true
RestrictPublicBuckets: true
# S3 bucket policy to allow access from CloudFront OAI
AssetsBucketPolicy:
Type: AWS::S3::BucketPolicy
Properties:
Bucket: !Ref AssetsBucket
PolicyDocument:
Statement:
- Action: s3:GetObject
Effect: Allow
Resource: !Sub ${AssetsBucket.Arn}/*
Principal:
Service: cloudfront.amazonaws.com
Condition:
StringEquals:
AWS:SourceArn: !Sub arn:aws:cloudfront::${AWS::AccountId}:distribution/${AssetsDistribution}
- Effect: Deny
Principal: '*'
Action: 's3:*'
Resource:
- !Sub ${AssetsBucket.Arn}/*
- !GetAtt AssetsBucket.Arn
Condition:
Bool:
aws:SecureTransport: false
# CloudFront Distribution for contents delivery
AssetsDistribution:
Type: AWS::CloudFront::Distribution
Properties:
DistributionConfig:
Origins:
- Id: S3Origin
DomainName: !GetAtt AssetsBucket.DomainName
S3OriginConfig:
OriginAccessIdentity: ''
OriginAccessControlId: !GetAtt CloudFrontOriginAccessControl.Id
Enabled: true
DefaultRootObject: index.html
Comment: !Sub ${AWS::StackName} distribution
DefaultCacheBehavior:
CachePolicyId: !FindInMap [ CachePolicyIds, !Ref CachePolicy , Id ]
TargetOriginId: S3Origin
ViewerProtocolPolicy: redirect-to-https
HttpVersion: http2
ViewerCertificate:
CloudFrontDefaultCertificate: true
IPV6Enabled: false
CloudFrontOriginAccessControl:
Type: AWS::CloudFront::OriginAccessControl
Properties:
OriginAccessControlConfig:
Description: Default Origin Access Control
Name: !Ref AWS::StackName
OriginAccessControlOriginType: s3
SigningBehavior: always
SigningProtocol: sigv4
Outputs:
URL:
Value: !Join [ "", [ "https://", !GetAtt AssetsDistribution.DomainName ]]
