I just want to give an update. I was able to figure out the problem. It seems that the 404 failover was not taking place. In the response from the origin group it had a 403 Forbidden reply from "AmazonS3". Digging into that I found this nugget of information:
"If a user doesn’t have s3:ListBucket permissions, then the user gets Access Denied errors for missing objects instead of 404 Not Found errors. Run the head-object AWS CLI command to check if an object exists in the bucket."
I was able to test that the 403 was from the S3 origin and not failing over by setting an additional origin group failover criteria to include a 403 response. This initially routed to my custom origin.
However, to ensure the correct reason for failing over was due to 404 and not a misconfigured permission, I added the s3:ListBucket permission, removed the 403 criteria, and the failover from S3 origin to custom origin on a 404 works correctly.
TL;DR -- Make sure CF has not only s3:GetObject permissions on the S3 origin bucket, but also s3:ListBucket permissions.
- asked 2 years ago
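To make the TL;DR concrete, here is a small checker (added example, not code from this thread or from AWS) that inspects an S3 bucket policy for the two grants CloudFront needs and predicts whether a missing key comes back as 404 or 403. It assumes an origin access control (OAC) service principal; the bucket name, account id and distribution id are placeholders.

```python
"""Check a CloudFront -> S3 origin bucket policy for the permissions that make
a missing object return 404 (so a 404 origin-group failover fires) instead of 403.
Assumes an OAC principal; bucket, account and distribution ids are placeholders."""
import json
from fnmatch import fnmatchcase

BUCKET_ARN = "arn:aws:s3:::example-origin-bucket"  # placeholder bucket
OBJECT_ARN = BUCKET_ARN + "/*"
# Placeholder distribution ARN used to scope the grant to one distribution.
DIST_CONDITION = {"StringEquals": {"AWS:SourceArn":
    "arn:aws:cloudfront::111111111111:distribution/EDISTRIBUTIONID"}}

# Weak: GetObject only. Existing objects are served, but a missing key gets 403.
WEAK_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"Service": "cloudfront.amazonaws.com"},
    "Action": "s3:GetObject", "Resource": OBJECT_ARN, "Condition": DIST_CONDITION}]})

# Fixed: ListBucket on the bucket ARN (not /*) so a missing key returns 404.
FIXED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"Service": "cloudfront.amazonaws.com"},
    "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": [OBJECT_ARN, BUCKET_ARN], "Condition": DIST_CONDITION}]})


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _allows(policy, action, resource):
    """True if an Allow statement for the CloudFront service principal grants
    `action` on `resource`; wildcards in Action/Resource are honoured."""
    for st in policy.get("Statement", []):
        principal = st.get("Principal", {})
        services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        if st.get("Effect") != "Allow" or "cloudfront.amazonaws.com" not in services:
            continue
        if any(fnmatchcase(action, a) for a in _as_list(st.get("Action", []))) and \
           any(fnmatchcase(resource, r) for r in _as_list(st.get("Resource", []))):
            return True
    return False


def check_origin_policy(policy_json):
    """Return (get_object_ok, list_bucket_ok, status S3 returns for a missing key)."""
    policy = json.loads(policy_json)
    get_ok = _allows(policy, "s3:GetObject", OBJECT_ARN)
    list_ok = _allows(policy, "s3:ListBucket", BUCKET_ARN)  # bucket ARN, not /*
    # Without ListBucket, S3 masks "missing" as 403, so a 404-only failover never fires.
    return get_ok, list_ok, (404 if list_ok else 403)
```

Note that s3:ListBucket must be granted on the bucket ARN itself; granting it only on `bucket/*` does not help.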