Reputation: 5030
The first bucket, something-cf-validate-origin-primary-devops, has index.html in the root of the S3 bucket with the content:
<html>
<body>
Home page
</body>
</html>
The second bucket, something-cf-validate-origin-failover-devops, has index.html in the root of the S3 bucket:
<html>
<body>
Maintenance page
</body>
</html>
Both S3 buckets have static web hosting enabled and are publicly accessible with the endpoint.
The CloudFront distribution contains two origins.
Origin group as below,
Behavior is pointing to the Origin group,
CloudFront's Default Root Object is set to index.html.
When I hit the CloudFront distribution's domain name, I get the "Home Page".
When I rename index.html to index-disable.html in the first bucket, I should get the "Maintenance Page", because CloudFront failover should serve the page from the second bucket since it got a 404 from the first bucket.
But I am getting "Access Denied" when I rename index.html to index-disable.html.
Upvotes: 1
Views: 747
Reputation: 35258
The status you're getting is a 403.
From the AWS documentation
Check if the requested object exists in the bucket. If a user doesn’t have s3:ListBucket permissions, then the user gets Access Denied errors for missing objects instead of 404 Not Found errors. Run this AWS CLI command to check if an object exists in the bucket
The user in this case is the Bucket Policy, so that would need to grant the s3:ListBucket permission.
It may be easier to also have it fail over on 403.
Upvotes: 3
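Added example, not part of the original question or answer: a small offline model of the behaviour described above, showing which status S3 returns for a missing key under a given bucket policy and whether a CloudFront origin group then fails over. The policies, the 404-only failover criteria and all function names are assumptions constructed for illustration; the policy check is simplified (Allow statements only, no Deny or Condition handling).

```python
import fnmatch

PRIMARY = "something-cf-validate-origin-primary-devops"  # bucket name from the question

def _as_list(v):
    return v if isinstance(v, list) else [v]

def allows_public_list(policy, bucket):
    """Simplified model: only Allow statements; Deny and Condition are ignored."""
    arn = f"arn:aws:s3:::{bucket}"  # ListBucket applies to the bucket ARN, not bucket/*
    for st in _as_list(policy["Statement"]):
        principal = st.get("Principal")
        public = principal == "*" or (
            isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", [])))
        action = any(fnmatch.fnmatchcase("s3:listbucket", a.lower())
                     for a in _as_list(st.get("Action", [])))
        resource = any(fnmatch.fnmatchcase(arn, r) for r in _as_list(st.get("Resource", [])))
        if st.get("Effect") == "Allow" and public and action and resource:
            return True
    return False

def missing_object_status(policy, bucket):
    # Without s3:ListBucket, S3 answers 403 Access Denied for a missing key, not 404.
    return 404 if allows_public_list(policy, bucket) else 403

def served_from(policy, bucket, origin_group):
    status = missing_object_status(policy, bucket)
    codes = origin_group["FailoverCriteria"]["StatusCodes"]["Items"]
    return "failover origin" if status in codes else f"primary origin error {status}"

def _policy(*statements):
    return {"Version": "2012-10-17", "Statement": list(statements)}

# Constructed sample policies and origin-group fragments.
GET = {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
       "Resource": f"arn:aws:s3:::{PRIMARY}/*"}
LIST = {"Effect": "Allow", "Principal": "*", "Action": "s3:ListBucket",
        "Resource": f"arn:aws:s3:::{PRIMARY}"}
GROUP_404 = {"FailoverCriteria": {"StatusCodes": {"Quantity": 1, "Items": [404]}}}
GROUP_403_404 = {"FailoverCriteria": {"StatusCodes": {"Quantity": 2, "Items": [403, 404]}}}

if __name__ == "__main__":
    print(served_from(_policy(GET), PRIMARY, GROUP_404))        # the question's setup
    print(served_from(_policy(GET, LIST), PRIMARY, GROUP_404))  # fix 1: public ListBucket
    print(served_from(_policy(GET), PRIMARY, GROUP_403_404))    # fix 2: fail over on 403
```

A public s3:ListBucket grant also lets anyone enumerate the bucket's object keys, so adding 403 to the failover status codes changes the outcome without widening what the bucket exposes.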