Access Denied for AWS CloudFront connected to S3 bucket

Question

I'm getting access denied when using a CloudFront distribution connected to my S3 bucket. I'm requesting a file using the CloudFront domain e.g. https://123***.cloudfront.net/index.html. My browser shows:

<Error>
<Code>AccessDenied</Code>
<Message>Access Denied</Message>
<RequestId>...</RequestId>
<HostId>...</HostId>
</Error>

The CloudFront log shows 403 for the request. It happens for all the website files and the files exist in the bucket.

The s3 bucket is configured with "Block all public access" on and it has a bucket policy copied and pasted from CloudFront for access to it. "S3 static website hosting" is disabled. Object Ownership is "Bucket owner enforced".

The CloudFront distribution's domain name is my S3 bucket (mybucket.s3.us-west-2.amazonaws.com) and "Origin access control settings (recommended)" is selected. The policy was created with "Sign requests (recommended)" selected.

This other question ("AWS CloudFront access to S3 bucket is denied") looks very much like what I am seeing but I'm already doing what fixed it for them. I've read several other seemingly related access denied posts without luck.

Answer 1

This turned out to be a duplicate of "AWS CloudFront access to S3 bucket is denied". The "Origin Access Identity" "Signing behavior" must be "Always sign requests". I had several origin access identities and I somehow picked the one with no signing. You can view and edit your Origin Access Identities in the cloudfront console at the top level under Security > Origin access.