{
  "id": "policy/cloudfront-origin-access-identity-s3-bucket-policy-mismatch",
  "signature": "AccessDenied: The request could not be satisfied. CloudFront attempted to establish a connection with the origin, but the origin returned a 403 Forbidden response.",
  "signature_zh": "访问被拒绝：无法满足请求。CloudFront 尝试与源建立连接，但源返回了 403 Forbidden 响应。",
  "regex": "AccessDenied: The request could not be satisfied.*origin returned a 403 Forbidden response",
  "domain": "policy",
  "category": "auth_error",
  "subcategory": null,
  "root_cause": "The S3 bucket policy does not grant s3:GetObject to the Origin Access Identity (OAI) that is configured on the CloudFront origin -- the grant is missing, names a different or stale OAI ID, or its Resource ARN does not match the bucket -- so S3 answers CloudFront's fetch with 403 and CloudFront relays it. Rule out two look-alikes before editing policy: S3 returns 403 instead of 404 for a nonexistent object key when the caller lacks s3:ListBucket, and objects encrypted with SSE-KMS return 403 to an OAI because an OAI cannot use KMS keys (OAC can).",
  "root_cause_type": "generic",
  "root_cause_zh": "S3 存储桶策略未授予 CloudFront 源访问身份 (OAI) 读取权限，导致 CloudFront 在获取对象时收到 403 错误。",
  "versions": [
    {
      "version": "CloudFront 2023-12-01",
      "introduced": null,
      "deprecated": null,
      "removed": null,
      "behavior_change": null,
      "status": "active"
    },
    {
      "version": "S3 Standard",
      "introduced": null,
      "deprecated": null,
      "removed": null,
      "behavior_change": null,
      "status": "active"
    }
  ],
  "os_specific": {},
  "dead_ends": [
    {
      "action": "Make the S3 bucket public (disable Block Public Access and grant s3:GetObject to everyone via bucket policy or ACL) so CloudFront can read it.",
      "why_fails": "A public bucket exposes every object to the internet and lets clients bypass CloudFront entirely (along with any WAF rules, geo restrictions or signed URLs enforced there), defeating the purpose of OAI and violating most security baselines; where S3 Block Public Access is enabled the public policy is rejected outright, so this often does not even clear the 403.",
      "fail_rate": 0.9,
      "condition": "",
      "sources": []
    },
    {
      "action": "Grant s3:GetObject with \"Principal\": {\"AWS\": \"*\"} instead of the specific OAI principal.",
      "why_fails": "In a bucket policy {\"AWS\": \"*\"} is equivalent to \"*\" (anonymous), so this makes the objects public rather than readable only by authenticated AWS accounts; it bypasses the OAI restriction entirely and is blocked by S3 Block Public Access where that is enabled.",
      "fail_rate": 0.85,
      "condition": "",
      "sources": []
    },
    {
      "action": "Remove the OAI from the CloudFront origin and point the distribution at the bucket as an ordinary public origin.",
      "why_fails": "This removes the security benefit of OAI -- the bucket must then be readable without CloudFront, so the origin can be fetched directly -- and violates policy in environments that require private origins; it also hides the 403 rather than explaining why the OAI grant did not match.",
      "fail_rate": 0.8,
      "condition": "",
      "sources": []
    }
  ],
  "workarounds": [
    {
      "action": "Update the S3 bucket policy to allow the OAI that is attached to the CloudFront origin (replace E1234567890ABC with the real OAI ID and my-bucket with the origin bucket): {\"Effect\": \"Allow\", \"Principal\": {\"AWS\": \"arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity E1234567890ABC\"}, \"Action\": \"s3:GetObject\", \"Resource\": \"arn:aws:s3:::my-bucket/*\"}",
      "success_rate": 0.95,
      "how": "1) Look up the OAI ID on the distribution (CloudFront console, or aws cloudfront list-cloud-front-origin-access-identities) and confirm that this OAI is the one selected on the S3 origin -- a policy that names a different OAI produces exactly this 403. 2) Add the statement to the bucket policy: {\"Effect\": \"Allow\", \"Principal\": {\"AWS\": \"arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity E1234567890ABC\"}, \"Action\": \"s3:GetObject\", \"Resource\": \"arn:aws:s3:::my-bucket/*\"}, keeping Action to s3:GetObject and Resource to the object ARN (bucket/*). 3) Leave S3 Block Public Access on; an OAI grant is not public access. 4) Optionally also grant s3:ListBucket on arn:aws:s3:::my-bucket so missing keys return 404 instead of 403 -- but only with a default root object configured, otherwise a request for / returns the bucket listing through CloudFront. 5) CloudFront caches 4xx responses (10 seconds by default, longer if a custom error response TTL is set), so retest after the error-caching TTL or run an invalidation before concluding the fix failed. 6) If objects are SSE-KMS encrypted the OAI still gets 403; migrate the origin to OAC.",
      "condition": "",
      "sources": []
    },
    {
      "action": "Migrate the origin to Origin Access Control (OAC), the AWS-recommended replacement for OAI, and grant the bucket policy to the CloudFront service principal scoped to this distribution.",
      "success_rate": 0.9,
      "how": "Create an OAC, select it on the S3 origin, then replace the OAI grant in the bucket policy with a statement for the service principal pinned to the distribution ARN: {\"Effect\": \"Allow\", \"Principal\": {\"Service\": \"cloudfront.amazonaws.com\"}, \"Action\": \"s3:GetObject\", \"Resource\": \"arn:aws:s3:::my-bucket/*\", \"Condition\": {\"StringEquals\": {\"AWS:SourceArn\": \"arn:aws:cloudfront::111122223333:distribution/EDFDVBD6EXAMPLE\"}}}. The SourceArn condition is what keeps another account's distribution from reading the bucket -- do not omit it. OAC signs requests with SigV4 and supports SSE-KMS (the KMS key policy must also allow cloudfront.amazonaws.com to kms:Decrypt under the same SourceArn condition), all S3 regions and non-GET methods. Switching the origin to OAC while leaving the old OAI statement in place yields the same 403, so update both together, and allow for CloudFront's 4xx error caching before retesting.",
      "condition": "",
      "sources": []
    }
  ],
  "workarounds_zh": [
    "更新 S3 存储桶策略，允许附加到 CloudFront 源上的 OAI（将 E1234567890ABC 替换为实际 OAI ID，my-bucket 替换为源存储桶）：{\"Effect\": \"Allow\", \"Principal\": {\"AWS\": \"arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity E1234567890ABC\"}, \"Action\": \"s3:GetObject\", \"Resource\": \"arn:aws:s3:::my-bucket/*\"}。无需关闭 Block Public Access；CloudFront 默认会缓存 4xx 响应约 10 秒，修复后请等待或执行失效再重试；若对象使用 SSE-KMS 加密，OAI 无法解密，需改用 OAC。",
    "对于新建或仍在维护的 CloudFront 分配，使用 AWS 推荐的源访问控制 (OAC) 代替 OAI：将存储桶策略的 Principal 设为 {\"Service\": \"cloudfront.amazonaws.com\"}，并通过 AWS:SourceArn 条件限定到具体分配 ARN；OAC 还支持 SSE-KMS 和所有区域。切换到 OAC 后若不同步更新存储桶策略，仍会得到同样的 403。"
  ],
  "transition_graph": {
    "leads_to": [],
    "preceded_by": [],
    "frequently_confused_with": []
  },
  "official_doc_url": "https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-restricting-access-to-s3.html",
  "official_doc_section": null,
  "error_code": null,
  "verification_tier": "ai_generated",
  "confidence": 0.88,
  "fix_success_rate": 0.95,
  "resolvable": "true",
  "first_seen": "2024-06-10",
  "last_confirmed": "2024-06-01",
  "last_updated": "2024-06-01",
  "evidence_count": 1,
  "tags": [],
  "locale": "en",
  "aliases": []
}