I've read through several similar issues, but they differ in that:

  1. This isn't a website, just a CDN for images
  2. I have no subdirectories

I was notified by our marketing dept that some of our photos weren't serving. I went to the actual CloudFront URL and I get a 403 Forbidden. Typically this means the Everyone permission is wrong, so I went to the AWS console and checked the S3 bucket. The image had a proper Everyone - Read permission. Just for kicks, I removed the permission and re-added. Still 403. I expired it out of CloudFront thinking maybe cache was the issue. Still 403.

Other images in the same bucket are served just fine (so it doesn't seem to be bucket permissions), and it's just a handful of old ones doing this. I'm to the point of removing and re-adding them just to see if that fixes it, but I was wondering if there was some other way to diagnose or fix the issue.

Machavity
  • Have you checked the object permissions? Check: * Who owns the S3 object * Are there ACLs on the bucket? These are different from S3 permissions. – M. Glatki May 14 '18 at 12:19
  • Who owns the S3 object is irrelevant. An `Everyone - Read` permission is what is needed to read from CloudFront. And, as I said, the bucket permissions seem to be correct. This only affects a handful of older files, not the entire bucket. – Machavity May 14 '18 at 20:02
  • Who owns an S3 object is not irrelevant. It could easily belong to another account denying the S3 bucket owner's account access. Also, I asked for ACL information not S3 bucket permissions. – M. Glatki May 15 '18 at 09:34
  • Ah, I should have explained that better then. There's only one user for the account and everything is owned by that one user. `Everyone` does not have ACL to the bucket itself (List, etc) – Machavity May 15 '18 at 12:32
  • Hm, could you add the CloudFront configuration, i.e. the output of `aws cloudfront get-distribution-config`? – M. Glatki May 16 '18 at 12:16
  • @Machavity is this from a single distribution? Signed URLs enabled in another distribution? Did you try making copy of that image and see if that is working? – Narain May 17 '18 at 06:46
  • Do you use Server-Side encryption at all? If you do and some objects are encrypted and others aren't, the access denied could be that you don't have access to the encryption key, rather than not having access to the S3 object – Chris Denning Jan 31 '19 at 10:46
  • @ChrisDenning Good idea, but the bucket is not encrypted. – Machavity Jan 31 '19 at 13:14
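
The three per-object checks raised in the comments (public read grant, object owner, server-side encryption) can be run together against the output of `aws s3api get-object-acl` and `aws s3api head-object`. This is an added example, not code from any poster in this thread; the `diagnose` function, the finding labels, and all sample IDs and responses are constructed for illustration.

```python
# Added example: triage one S3 object that returns 403 through CloudFront.
# Inputs are dicts shaped like the JSON printed by `aws s3api get-object-acl`
# and `aws s3api head-object`. All IDs below are constructed placeholders.

ALL_USERS_URI = "http://acs.amazonaws.com/groups/global/AllUsers"  # "Everyone" group

def diagnose(acl, head, bucket_owner_id):
    """Return labels for each per-object condition the comments suggest checking."""
    findings = []
    # 1. Is there really an Everyone/READ grant on this object's ACL?
    public_read = any(
        g.get("Grantee", {}).get("URI") == ALL_USERS_URI
        and g.get("Permission") in ("READ", "FULL_CONTROL")
        for g in acl.get("Grants", [])
    )
    if not public_read:
        findings.append("no-public-read-grant")
    # 2. Does the object belong to a different account than the bucket owner?
    if acl.get("Owner", {}).get("ID") != bucket_owner_id:
        findings.append("object-owned-by-other-account")
    # 3. Is the object SSE-KMS encrypted? Readers then also need access to the key.
    if head.get("ServerSideEncryption") == "aws:kms":
        findings.append("sse-kms-encrypted")
    return findings

BUCKET_OWNER = "EXAMPLE-OWNER-ID"  # constructed canonical user ID

# Constructed sample: an object that serves normally.
GOOD_ACL = {
    "Owner": {"ID": BUCKET_OWNER},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": BUCKET_OWNER}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": ALL_USERS_URI}, "Permission": "READ"},
    ],
}
GOOD_HEAD = {"ContentType": "image/jpeg", "ContentLength": 48213}

# Constructed sample: an old object uploaded by another account, KMS-encrypted,
# with no Everyone grant.
BAD_ACL = {
    "Owner": {"ID": "EXAMPLE-OTHER-ID"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "EXAMPLE-OTHER-ID"}, "Permission": "FULL_CONTROL"},
    ],
}
BAD_HEAD = {"ContentType": "image/jpeg", "ServerSideEncryption": "aws:kms"}

if __name__ == "__main__":
    print("good:", diagnose(GOOD_ACL, GOOD_HEAD, BUCKET_OWNER))
    print("bad: ", diagnose(BAD_ACL, BAD_HEAD, BUCKET_OWNER))
```

Running the same check over one working image and one failing image from the bucket shows which of the three conditions differs between them.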

0 Answers