Skip to content
By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post
About re:Post

CloudFront returns "AccessDenied" when connecting to S3 static website

0

Hello, I tried to connect my S3 static website to CloudFront, but when I access the CloudFront domain, I get this message:

<Error> <Code>AccessDenied</Code> <Message>Access Denied</Message> </Error>

I already:

Enabled “Origin access control (OAC)”

Added the bucket policy to allow CloudFront access

Set the default root object to index.html

Still, it shows “Access Denied”. Could you please tell me what might be wrong or what to check next?

Thank you in advance!

Topics
StorageNetworking & Content Delivery
Tags
Amazon CloudFrontAmazon S3 Access Grants
Language
English
asked 3 months ago83 views
1 Answer
0

The "Access Denied" error you're experiencing is likely due to a mismatch between your CloudFront distribution configuration and your S3 bucket setup. Here are the most common causes and solutions:

  1. S3 Website Endpoint vs. S3 REST API Endpoint If you're using the S3 website endpoint (bucket-name.s3-website-region.amazonaws.com) as your origin in CloudFront, you cannot use Origin Access Control (OAC). When using an S3 bucket configured as a website endpoint, it's considered a custom origin for CloudFront, and OAC doesn't work with custom origins.

You have two options:

  • If you need S3 website features (like index documents or custom error pages), you'll need to disable OAC and make your bucket publicly accessible, or implement authentication at the CloudFront level using CloudFront Functions or Lambda@Edge.
  • If you don't need S3 website features, use the S3 REST API endpoint (bucket-name.s3.region.amazonaws.com) as your origin and keep OAC enabled.
  1. Bucket Policy Configuration If you're using the S3 REST API endpoint with OAC, ensure your bucket policy includes:
{
"Effect": "Allow",
"Principal": {
"Service": "cloudfront.amazonaws.com"
},
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::your-bucket-name/*",
"Condition": {
"StringEquals": {
"AWS:SourceArn": "arn:aws:cloudfront::your-account-id:distribution/your-distribution-id"
}
}
}
  1. Static Website Hosting and OAC If you're trying to use both static website hosting and OAC, they're incompatible. You need to choose one approach:
  • Use S3 website hosting without OAC (requires public bucket access)
  • Use S3 REST API endpoint with OAC (doesn't support website features like default index documents)

  1. Check Origin Domain Name Format Make sure you're using the correct format for your origin domain name in CloudFront, depending on which approach you're taking.

  2. Verify Object Permissions Ensure the objects in your bucket have the necessary permissions.

After making these changes, you may need to wait for the CloudFront distribution to deploy before testing again.
Sources
Troubleshoot access denied (403 Forbidden) errors in Amazon S3 - Amazon Simple Storage Service
Access Denied for CloudFront to S3 static site | AWS re:Post
Access Denied for CloudFront to S3 | AWS re:Post
Cloudfront cannot access s3 bucket | AWS re:Post
HTTP 403 status code (Permission Denied) - Amazon CloudFront

answered 3 months ago
EXPERT
reviewed 3 months ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Relevant content