
I have set up CloudFront through the AWS console. Somehow CloudFront is not able to access the Amazon S3 objects and throws a 403 response error.

I believe this is an S3 bucket policy issue. Below is my current bucket policy:

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AddPerm",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::xyz/*"
        }
    ]
}
```

Can you help me modify my existing bucket policy so that CloudFront can access the S3 objects?

EDIT: adding the s3 origin point snapshot

adding general params

adding the headers of the request:

```
2016-11-22  09:55:38    DEL51   878 119.82.78.98    GET d3k1wzyp6coxxx.cloudfront.net   /4e6a9d2f3df2bdba96396879208214.png 403 -   Mozilla/5.0%2520(Windows%2520NT%25206.1;%2520WOW64)%2520AppleWebKit/537.36%2520(KHTML,%2520like%2520Gecko)%2520Chrome/54.0.2840.99%2520Safari/537.36    -   -   Error   EEEcSuKU1YPrpxQ_jIqaaUfKCydhG6dlIbt9_MLmxeGvwUooJYdTrw==    d3k1wzyp6coxxx.cloudfront.net   http    420 0.000   -   -   -   Error   HTTP/1.1
2016-11-22  09:55:38    DEL51   878 119.82.78.98    GET d3k1wzyp6cxxx.cloudfront.net    /favicon.ico    403 http://d3k1wzyp6coxxx.cloudfront.net/4e6a9d2f3df2bdba96396879208214.png Mozilla/5.0%2520(Windows%2520NT%25206.1;%2520WOW64)%2520AppleWebKit/537.36%2520(KHTML,%2520like%2520Gecko)%2520Chrome/54.0.2840.99%2520Safari/537.36    -   -   Error   XXnzzYHG8-Vr-pc40tTd0sl46ASu_txv_S_SdTc2T70I46WrHMmEsQ==    d3k1wzyp6coxxx.cloudfront.net   http    378 0.001   -   -   -   Error   HTTP/1.1
```
smac2020
Manish Kumar
  • That Amazon S3 bucket policy looks adequate. Could you please update your Question to also show how you have configured your CloudFront Distribution to point to your S3 bucket as an Origin? – John Rotenstein Nov 22 '16 at 11:41
  • @JohnRotenstein: added the configurations – Manish Kumar Nov 22 '16 at 12:21
  • @ManishKumar can you add the configurations for your origins in the question also? – filipebarretto Nov 22 '16 at 13:08
  • Do I need to add something else as well? – Manish Kumar Nov 22 '16 at 15:15
  • Just thought I'd mention [Using an Origin Access Identity to Restrict Access to Your Amazon S3 Content](http://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-restricting-access-to-s3.html) that is normally used to grant S3 access to CloudFront while blocking other traffic. You are granting total access to your S3 bucket - so it isn't required in your situation, but it's still worth knowing about. – John Rotenstein Nov 22 '16 at 19:45
  • If this content should be public, please verify in `Behaviors` that [`Restrict Viewer Access`](http://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/distribution-web-values-specify.html#DownloadDistValuesRestrictViewerAccess) is set to `No` (otherwise Access Denied is the *expected* behavior). Then please capture the `403 Forbidden` response headers *and body* and add to the question. – Michael - sqlbot Nov 23 '16 at 01:12
  • added the headers – Manish Kumar Nov 23 '16 at 07:38
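
The distinction raised in the comments, between a bucket policy that grants public read and one restricted to a CloudFront origin access identity, can be checked mechanically. The Python below is an added example, not part of the original question or comments; the OAI-restricted policy, its `Sid` and the identity ID `EXAMPLEOAIID` are constructed placeholders, and the function names are hypothetical.

```python
import fnmatch
import json

# Documented ARN prefix of a CloudFront origin access identity principal.
OAI_PREFIX = "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity "

# Bucket policy from the question (trailing comma removed so it parses).
QUESTION_POLICY = """{"Version": "2012-10-17", "Statement": [
  {"Sid": "AddPerm", "Effect": "Allow", "Principal": "*",
   "Action": "s3:GetObject", "Resource": "arn:aws:s3:::xyz/*"}]}"""

# Constructed OAI-restricted variant; Sid and identity ID are placeholders.
OAI_POLICY = """{"Version": "2012-10-17", "Statement": [
  {"Sid": "CloudFrontRead", "Effect": "Allow",
   "Principal": {"AWS": "%sEXAMPLEOAIID"},
   "Action": "s3:GetObject", "Resource": "arn:aws:s3:::xyz/*"}]}""" % OAI_PREFIX

def _as_list(value):
    """Policy elements may be a single value or a list of values."""
    return value if isinstance(value, list) else [value]

def _principals(stmt):
    """Flatten Principal ("*", {"AWS": "..."} or {"AWS": [...]}) to strings."""
    principal = stmt.get("Principal", [])
    if isinstance(principal, dict):
        return [p for v in principal.values() for p in _as_list(v)]
    return _as_list(principal)

def _allows_get_object(stmt):
    """True if any Action pattern (s3:*, s3:Get*, ...) matches s3:GetObject."""
    return any(fnmatch.fnmatchcase("s3:getobject", a.lower())
               for a in _as_list(stmt.get("Action", [])))

def classify_read_access(policy_json):
    """Map each Allow statement granting s3:GetObject to a verdict:
    'public' (anyone, unconditioned), 'oai-only', or 'other'."""
    verdicts = {}
    statements = _as_list(json.loads(policy_json).get("Statement", []))
    for i, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow" or not _allows_get_object(stmt):
            continue
        principals = _principals(stmt)
        if "*" in principals and not stmt.get("Condition"):
            verdict = "public"
        elif principals and all(p.startswith(OAI_PREFIX) for p in principals):
            verdict = "oai-only"
        else:
            verdict = "other"  # conditioned or mixed principals: review by hand
        verdicts[stmt.get("Sid", "statement-%d" % i)] = verdict
    return verdicts
```

The question's policy classifies as `public`, which is why the comments call it adequate for serving content; the `other` verdict covers conditioned or mixed-principal statements that need manual review.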

0 Answers