Aidas

Reputation: 1249

S3 via CloudFront always gives me an AccessDenied message

As easy as it is to set up Amazon CloudFront for custom origins, it is giving me a hard time setting it up for S3 origins.

Regardless of how I change my settings, when I try to access an S3 object via CloudFront, it gives me an AccessDenied message.

I'm using CloudFront for full site delivery, so the URL I intend to use, and the one I'm getting the AWS AccessDenied message on, is:

http://www.mydomainname.com/imagefile/live/media/medium/06904976c744edf870db308a08320284.JPG

The direct S3 URL for the object is below and it works fine: https://s3-eu-west-1.amazonaws.com/my-s3-bucket-name/live/media/medium/06904976c744edf870db308a08320284.JPG

CloudFront Origin Settings:

CloudFront Behaviour Settings:

S3 Policy (of course instead of "my-s3-bucket-name" there is a real bucket name used).

{
    "Version": "2008-10-17",
    "Statement": [
        {
            "Sid": "PublicReadGetObject",
            "Effect": "Deny",
            "Principal": {
                "AWS": "*"
            },
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::my-s3-bucket-name/live/bk/*"
        },
        {
            "Sid":" Grant a CloudFront Origin Identity access to support private content",
            "Effect": "Allow",
            "Principal": {
                "AWS": "*"
            },
            "Action": [
                "s3:GetObject"
            ],
            "Resource": [
                "arn:aws:s3:::my-s3-bucket-name/live/media/medium/*",
                "arn:aws:s3:::my-s3-bucket-name/live/media/thumb/*",
                "arn:aws:s3:::my-s3-bucket-name/live/media/thumb_v2/*"
            ]
        }
    ]
}

The filename used in the URL itself has "Everyone" as a grantee with open/download permissions.

Can somebody spot where the issue is?

Upvotes: 3

Views: 11959

Answers (1)

imperalix

Reputation: 3741

The paths you are requesting aren't the same. Can you try requesting the same path you used directly against S3, but with the CloudFront-provided DNS name?

CloudFront: /imagefile/live/media/medium/06904976c744edf870db308a08320284.JPG

S3: /live/media/medium/06904976c744edf870db308a08320284.JPG

Upvotes: 2
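
Added example, not part of the question or the answer: a small Python check of why the two paths behave differently. It derives the S3 key CloudFront requests from an S3 origin (origin path plus the viewer's path, unchanged) and matches it against the `Resource` patterns of the bucket policy above. The helper names `origin_key` and `evaluate` are hypothetical, an empty origin path is assumed, and only the bucket policy is modelled (no object ACLs or conditions).

```python
import re

BUCKET = "my-s3-bucket-name"  # placeholder name, as in the question
# The two statements of the question's bucket policy, reduced to the fields
# this check reads. Both use Principal "*", so principals are not modelled.
POLICY = {"Statement": [
    {"Effect": "Deny", "Action": "s3:GetObject",
     "Resource": f"arn:aws:s3:::{BUCKET}/live/bk/*"},
    {"Effect": "Allow", "Action": ["s3:GetObject"],
     "Resource": [f"arn:aws:s3:::{BUCKET}/live/media/medium/*",
                  f"arn:aws:s3:::{BUCKET}/live/media/thumb/*",
                  f"arn:aws:s3:::{BUCKET}/live/media/thumb_v2/*"]},
]}

def origin_key(request_path, origin_path=""):
    """Key CloudFront requests from an S3 origin: origin path + viewer path."""
    return (origin_path.rstrip("/") + request_path).lstrip("/")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _arn_matches(pattern, arn):
    # IAM resource wildcards: '*' is any run of characters, '?' is one character.
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, arn) is not None

def evaluate(policy, bucket, key, action="s3:GetObject"):
    """Return 'ExplicitDeny', 'Allow' or 'ImplicitDeny' for an anonymous request."""
    arn = f"arn:aws:s3:::{bucket}/{key}"
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if action not in _as_list(stmt["Action"]):
            continue  # exact action names only; enough for this policy
        if not any(_arn_matches(r, arn) for r in _as_list(stmt["Resource"])):
            continue
        if stmt["Effect"] == "Deny":
            return "ExplicitDeny"  # an explicit deny always wins
        decision = "Allow"
    return decision

if __name__ == "__main__":
    name = "06904976c744edf870db308a08320284.JPG"
    for path in ("/imagefile/live/media/medium/" + name,  # CloudFront URL path
                 "/live/media/medium/" + name):           # path that works on S3
        key = origin_key(path)
        print(f"{path} -> key {key!r}: {evaluate(POLICY, BUCKET, key)}")
```

A request that ends in ImplicitDeny is answered by S3 with AccessDenied; for a key that does not exist, S3 also returns AccessDenied rather than NoSuchKey when the caller lacks s3:ListBucket.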
