AWShelpme112

Reputation: 11

AWS S3+Cloudfront access denied beginner question

I am having a small problem with my first time using CloudFront + S3. I just want to access my image via CloudFront. On S3, I have blocked all public access. The CloudFront origin is set to the S3 bucket.

The problem is when I am now trying to access my image via the CloudFront domain name.

XXX.cloudfront.net/folder/image.jpg

I get the error

This XML file does not appear to have any style information associated with it. The document tree is shown below.
<Error>
<Code>AccessDenied</Code>
<Message>Access Denied</Message>

However, if I set the public access on the S3 bucket

Block public and cross-account access to buckets and objects through any public bucket or access point policies
S3 will ignore public and cross-account access for buckets or access points with policies that grant public access to buckets and objects.

Then I can view the image from the CloudFront link. Is it possible to view the CloudFront image without having public access on?

Upvotes: 1

Views: 6021

Answers (1)

Cristian

Reputation: 1694

When you make your S3 objects private, they become inaccessible to the public—but CloudFront is no longer able to access them either. That is why you receive a 403 error. In order for this to work, you need to give CloudFront permission to access those private objects. You can do this by creating an Origin Access Identity, then setting the appropriate permissions on the S3 bucket so CloudFront is able to read the private objects.

Here are step-by-step instructions on how to set this up in the CloudFront console: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-restricting-access-to-s3.html#private-content-creating-oai-console

Upvotes: 3
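
The bucket-side permission the answer describes, shown as an added example that is not part of the original answer or of AWS's documentation: a policy that grants `s3:GetObject` only to the Origin Access Identity, next to a wildcard-principal policy, with a simplified check that tells them apart. The bucket name `example-bucket`, the OAI ID `EXAMPLEOAIID` and the helper names are assumptions made for illustration.

```python
# Added example: simplified audit of an S3 bucket policy for CloudFront OAI access.
# Bucket name and OAI ID are constructed placeholders, not values from the page.
OAI_ARN = "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity EXAMPLEOAIID"
BUCKET_ARN = "arn:aws:s3:::example-bucket"

def _statement(sid, principal):
    return {"Sid": sid, "Effect": "Allow", "Principal": principal,
            "Action": "s3:GetObject", "Resource": BUCKET_ARN + "/*"}

# Only the OAI may read objects; this grant is not public.
OAI_POLICY = {"Version": "2012-10-17",
              "Statement": [_statement("AllowCloudFrontOAIRead", {"AWS": OAI_ARN})]}
# Anyone may read objects (wildcard principal).
PUBLIC_POLICY = {"Version": "2012-10-17",
                 "Statement": [_statement("PublicRead", "*")]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _principals(stmt):
    principal = stmt.get("Principal", {})
    if isinstance(principal, str):
        return [principal]
    return _as_list(principal.get("AWS", []))

def audit(policy, oai_arn, bucket_arn):
    """Return (oai_can_read, sids_of_public_statements).
    Simplified: exact-match actions and resources, Allow statements only,
    no Deny or Condition evaluation."""
    oai_can_read, public = False, []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        principals = _principals(stmt)
        if "*" in principals:
            public.append(stmt.get("Sid", "<no Sid>"))
        reads = any(a in ("s3:GetObject", "s3:*", "*")
                    for a in _as_list(stmt.get("Action", [])))
        covers = any(r in (bucket_arn + "/*", bucket_arn + "*", "*")
                     for r in _as_list(stmt.get("Resource", [])))
        if oai_arn in principals and reads and covers:
            oai_can_read = True
    return oai_can_read, public

if __name__ == "__main__":
    for name, policy in (("OAI", OAI_POLICY), ("public", PUBLIC_POLICY)):
        print(name, audit(policy, OAI_ARN, BUCKET_ARN))
```

To check a real bucket, load the JSON returned by `aws s3api get-bucket-policy` into a dict and pass it to `audit` with your own OAI and bucket ARNs.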
