# AccessDenied: The request could not be satisfied. CloudFront attempted to establish a connection with the origin, but the origin returned a 403 Forbidden response.

- **ID:** `policy/cloudfront-origin-access-identity-s3-bucket-policy-mismatch`
- **Domain:** policy
- **Category:** auth_error
- **Verification:** ai_generated
- **Fix Rate:** 95%

## Root Cause

The S3 bucket policy does not grant read access to the CloudFront Origin Access Identity (OAI), causing CloudFront to receive a 403 when fetching objects.

## Version Compatibility

| Version | Status | Introduced | Deprecated |
|---------|--------|------------|------------|
| CloudFront 2023-12-01 | active | — | — |
| S3 Standard | active | — | — |

## Workarounds

1. **Update the S3 bucket policy to allow the CloudFront OAI** (95% success)
   ```
   {
     "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity E1234567890ABC"},
     "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::my-bucket/*"
   }
   ```
2. **Use an Origin Access Control (OAC) instead of OAI for newer CloudFront distributions, which provides more granular permissions.** (90% success)
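As an added example (not part of this page), a small Python check that tests the condition under Root Cause directly: does the bucket policy actually grant `s3:GetObject` on the bucket's objects to the OAI principal from workaround 1? The OAI ID, the bucket name and both sample policies are constructed; `Condition` blocks are not evaluated, which is a deliberate simplification.

```python
import fnmatch

# Constructed values taken from the workaround above (not a real account).
OAI_ARN = ("arn:aws:iam::cloudfront:user/"
           "CloudFront Origin Access Identity E1234567890ABC")
BUCKET = "my-bucket"

# Constructed bucket policy that still names a stale OAI: the mismatch
# described under Root Cause (CloudFront gets 403 from the origin).
MISMATCHED_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::cloudfront:user/"
                         "CloudFront Origin Access Identity EOLDOLDOLDOLD"},
    "Action": "s3:GetObject",
    "Resource": f"arn:aws:s3:::{BUCKET}/*"}]}

# Constructed policy after applying workaround 1.
FIXED_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": OAI_ARN},
    "Action": "s3:GetObject",
    "Resource": f"arn:aws:s3:::{BUCKET}/*"}]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def oai_can_read(policy: dict, oai_arn: str, bucket: str) -> bool:
    """True when an unconditional Allow grants the OAI s3:GetObject on the
    bucket's objects and no unconditional Deny revokes it."""
    probe = f"arn:aws:s3:::{bucket}/index.html"  # any object key will do
    allowed = denied = False
    for st in _as_list(policy.get("Statement", [])):
        if "Condition" in st:  # conditions are not evaluated (simplification)
            continue
        principal = st.get("Principal", {})
        aws = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
        if not any(p in ("*", oai_arn) for p in aws):
            continue
        actions = [a.lower() for a in _as_list(st.get("Action", []))]
        if not any(fnmatch.fnmatchcase("s3:getobject", a) for a in actions):
            continue
        resources = _as_list(st.get("Resource", []))
        if not any(fnmatch.fnmatchcase(probe, r) for r in resources):
            continue
        if st.get("Effect") == "Allow":
            allowed = True
        elif st.get("Effect") == "Deny":
            denied = True
    return allowed and not denied
```

Run `oai_can_read(policy, OAI_ARN, BUCKET)` against the policy returned by `aws s3api get-bucket-policy`; a `False` for the OAI your distribution actually uses is the mismatch this page describes.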

## Dead Ends

- Public bucket exposes all objects to the internet, violating security policies and potentially causing data leaks. (90% fail)
- While it might work, it bypasses the OAI restriction and allows any AWS user to read objects, which is a security risk. (85% fail)
- This removes the security benefit of OAI and may cause other policy violations in environments requiring private origins. (80% fail)
