OiO.lk Community platform!

Oio.lk is an excellent forum for developers, providing a wide range of resources, discussions, and support for those in the developer community. Join oio.lk today to connect with like-minded professionals, share insights, and stay updated on the latest trends and technologies in the development field.
  You need to log in or register to access the solved answers to this problem.
  • You have reached the maximum number of guest views allowed
  • Please register below to remove this limitation

AWS CloudFront access to S3 through OAC returns Access Denied

  • Thread starter Thread starter rexcision
  • Start date Start date
R

rexcision

Guest
I have a static website hosted on an S3 bucket. I initially had the bucket fully public and set as a static website hosting while testing cloudfront out and everything worked fine, I accessed the site through my alternate domain perfectly. However I now want to limit the S3 file accessibility and only allow access through cloudfront, but am getting Access Denied after following various tutorials.

So i followed: https://repost.aws/knowledge-center/cloudfront-serve-static-website which also follows a few other tutorials I have read since, and they all say the same thing for the OAC process but I am getting Access Denied when trying to access my website.

So I have my S3 bucket with public access now fully disabled and static website hosting disabled now as well, I made a cloudfront origin access control setting with 'sign requests' and S3 as origin type, and in my cloudfront origins i chose my S3 bucket from the origin domain, selected origin access control and chose my origin access i just created from the list, i left enable origin shield disabled, copied the S3 policy it creates and selected save changes. I then go to my S3 bucket that i selected from that origin and paste it into the policy field. so it looks like this (replaced my account info with dummy data but in the actual policy i have confirmed its correct):

Code:
{
    "Version": "2008-10-17",
    "Id": "PolicyForCloudFrontPrivateContent",
    "Statement": [
        {
            "Sid": "AllowCloudFrontServicePrincipal",
            "Effect": "Allow",
            "Principal": {
                "Service": "cloudfront.amazonaws.com"
            },
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::examplebucketid/*",
            "Condition": {
                "StringEquals": {
                    "AWS:SourceArn": "arn:aws:cloudfront::11736596049:distribution/E1OS67E245W70W"
                }
            }
        }
    ]
}

If I go to my cloudfront origins tab i can see that the origin domain is my S3 bucket and the origin access is the id of the access control i just setup.

On S3 I have Object Ownership - Bucket owner enforced, static website hosting is disabled, and i do have CORS set-up but I have tried without them as well. Just for reference though they're currently:

Code:
[
    {
        "AllowedHeaders": [
            "*"
        ],
        "AllowedMethods": [
            "GET",
            "HEAD"
        ],
        "AllowedOrigins": [
            "*"
        ],
        "ExposeHeaders": [],
        "MaxAgeSeconds": 3000
    }
]

Its default behaviour has the S3 bucket chosen as origin, and redirects HTTP to HTTPS. The distributions default root object is also /index.html which is properly uploaded to the S3 bucket, and was working before setting S3 to private.

I have looked around and followed tutorials, and have even tried from fresh S3 and cloudfront distribution instances but I get the same result of access denied. I also tried using OAI instead and letting CloudFront update my S3 policy itself but was still getting Access Denied. I do wait for any cloudfront changes to be fully deployed before testing as well but same result.

Anything stick out that I need to change or can check? I've been looking for a few hours and every tutorial or other post I have seen is from an old version of the AWS interface where the options aren't the same, or simply shows what I followed except theirs worked.
<p>I have a static website hosted on an S3 bucket. I initially had the bucket fully public and set as a static website hosting while testing cloudfront out and everything worked fine, I accessed the site through my alternate domain perfectly. However I now want to limit the S3 file accessibility and only allow access through cloudfront, but am getting Access Denied after following various tutorials.</p>
<p>So i followed: <a href="https://repost.aws/knowledge-center/cloudfront-serve-static-website" rel="nofollow noreferrer">https://repost.aws/knowledge-center/cloudfront-serve-static-website</a> which also follows a few other tutorials I have read since, and they all say the same thing for the OAC process but I am getting Access Denied when trying to access my website.</p>
<p>So I have my S3 bucket with public access now fully disabled and static website hosting disabled now as well, I made a cloudfront origin access control setting with 'sign requests' and S3 as origin type, and in my cloudfront origins i chose my S3 bucket from the origin domain, selected origin access control and chose my origin access i just created from the list, i left enable origin shield disabled, copied the S3 policy it creates and selected save changes. I then go to my S3 bucket that i selected from that origin and paste it into the policy field. so it looks like this (replaced my account info with dummy data but in the actual policy i have confirmed its correct):</p>
<pre><code>{
"Version": "2008-10-17",
"Id": "PolicyForCloudFrontPrivateContent",
"Statement": [
{
"Sid": "AllowCloudFrontServicePrincipal",
"Effect": "Allow",
"Principal": {
"Service": "cloudfront.amazonaws.com"
},
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::examplebucketid/*",
"Condition": {
"StringEquals": {
"AWS:SourceArn": "arn:aws:cloudfront::11736596049:distribution/E1OS67E245W70W"
}
}
}
]
}
</code></pre>
<p>If I go to my cloudfront origins tab i can see that the origin domain is my S3 bucket and the origin access is the id of the access control i just setup.</p>
<p>On S3 I have Object Ownership - Bucket owner enforced, static website hosting is disabled, and i do have CORS set-up but I have tried without them as well. Just for reference though they're currently:</p>
<pre><code>[
{
"AllowedHeaders": [
"*"
],
"AllowedMethods": [
"GET",
"HEAD"
],
"AllowedOrigins": [
"*"
],
"ExposeHeaders": [],
"MaxAgeSeconds": 3000
}
]
</code></pre>
<p>Its default behaviour has the S3 bucket chosen as origin, and redirects HTTP to HTTPS. The distributions default root object is also /index.html which is properly uploaded to the S3 bucket, and was working before setting S3 to private.</p>
<p>I have looked around and followed tutorials, and have even tried from fresh S3 and cloudfront distribution instances but I get the same result of access denied. I also tried using OAI instead and letting CloudFront update my S3 policy itself but was still getting Access Denied. I do wait for any cloudfront changes to be fully deployed before testing as well but same result.</p>
<p>Anything stick out that I need to change or can check? I've been looking for a few hours and every tutorial or other post I have seen is from an old version of the AWS interface where the options aren't the same, or simply shows what I followed except theirs worked.</p>
Continue reading...
 

Latest posts

A
Replies
0
Views
1
Alfredo Augusto Petri
A
Top