Tags: policy · auth_error · ai_generated: true

AccessDenied: The request could not be satisfied. CloudFront attempted to establish a connection with the origin, but the origin returned a 403 Forbidden response.

ID: policy/cloudfront-origin-access-identity-s3-bucket-policy-mismatch

Fix rate: 95%
Confidence: 88%
Evidence: 1
First seen: 2024-06-10

Version Compatibility

Version                 Status   Introduced   Deprecated   Notes
CloudFront 2023-12-01   active   -            -            -
S3 Standard             active   -            -            -

Root Cause

The S3 bucket policy does not grant read access to the CloudFront Origin Access Identity (OAI), causing CloudFront to receive a 403 when fetching objects.


Official Documentation

https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-restricting-access-to-s3.html

Workarounds

  1. (95% success) Update the S3 bucket policy to allow the CloudFront OAI: {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity E1234567890ABC"}, "Action": "s3:GetObject", "Resource": "arn:aws:s3:::my-bucket/*"}
  2. (90% success) Use an Origin Access Control (OAC) instead of an OAI for newer CloudFront distributions; OAC provides more granular permissions.
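The two workarounds as complete bucket policies, together with a check for the exact mismatch this entry describes (no Allow statement that grants the OAI s3:GetObject on the bucket's objects, or a Deny that overrides it). This is an added example, not code from the original entry; the bucket name and OAI ID are the page's example values, and the distribution ARN passed to the OAC helper is an assumed placeholder.

```python
import fnmatch

BUCKET = "my-bucket"                                     # bucket name from the page's policy fragment
OAI_ID = "E1234567890ABC"                                # example OAI ID from the page
OAI_ARN = f"arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity {OAI_ID}"

def _as_list(value):
    """IAM policy fields may be a single string or a list; normalise to a list."""
    return [] if value is None else (value if isinstance(value, list) else [value])

def _principals(stmt):
    """Flatten Principal ("*", {"AWS": ...}, {"Service": ...}) into plain strings."""
    p = stmt.get("Principal", {})
    return [p] if isinstance(p, str) else [v for k in p for v in _as_list(p[k])]

def oai_can_get_object(policy, oai_arn=OAI_ARN, bucket=BUCKET):
    """True if an Allow statement grants the OAI s3:GetObject on the bucket's objects
    (arn:aws:s3:::bucket/*) and no Deny statement matches the same request."""
    object_arn = f"arn:aws:s3:::{bucket}/index.html"     # any object key will do
    allowed = False
    for stmt in _as_list(policy.get("Statement")):
        principal_ok = any(p in ("*", oai_arn) for p in _principals(stmt))
        action_ok = any(fnmatch.fnmatchcase("s3:getobject", a.lower()) for a in _as_list(stmt.get("Action")))
        # a Resource of the bare bucket ARN (no "/*") is a common cause of this 403
        resource_ok = any(fnmatch.fnmatchcase(object_arn, r) for r in _as_list(stmt.get("Resource")))
        if not (principal_ok and action_ok and resource_ok):
            continue
        if stmt.get("Effect") == "Deny":
            return False                                 # an explicit Deny always wins
        allowed = True
    return allowed

def oai_bucket_policy(bucket=BUCKET, oai_arn=OAI_ARN):
    """Complete policy for workaround 1: read-only, object-level access for the OAI."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "AllowCloudFrontOAIRead", "Effect": "Allow",
        "Principal": {"AWS": oai_arn}, "Action": "s3:GetObject",
        "Resource": f"arn:aws:s3:::{bucket}/*"}]}

def oac_bucket_policy(bucket, distribution_arn):
    """Workaround 2: OAC uses the CloudFront service principal, scoped by AWS:SourceArn
    to a single distribution (distribution_arn is an assumed placeholder value)."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "AllowCloudFrontServicePrincipalRead", "Effect": "Allow",
        "Principal": {"Service": "cloudfront.amazonaws.com"}, "Action": "s3:GetObject",
        "Resource": f"arn:aws:s3:::{bucket}/*",
        "Condition": {"StringEquals": {"AWS:SourceArn": distribution_arn}}}]}
```

Run oai_can_get_object against the policy returned by get-bucket-policy before and after the change; a False result with the OAI present usually means the Resource is the bucket ARN rather than the object ARN, or a Deny statement is overriding the grant.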


Dead Ends

Common approaches that don't work:

  1. (90% fail) Making the bucket public exposes all objects to the internet, violating security policies and potentially causing data leaks.
  2. (85% fail) While it might work, it bypasses the OAI restriction and allows any AWS user to read objects, which is a security risk.
  3. (80% fail) This removes the security benefit of the OAI and may cause other policy violations in environments that require private origins.