AccessDenied: The request could not be satisfied. CloudFront attempted to establish a connection with the origin, but the origin returned a 403 Forbidden response.
ID: policy/cloudfront-origin-access-identity-s3-bucket-policy-mismatch
Version compatibility
| Version | Status | Introduced | Deprecated | Notes |
|---|---|---|---|---|
| CloudFront 2023-12-01 | active | — | — | — |
| S3 Standard | active | — | — | — |
Root cause analysis
The S3 bucket policy does not grant s3:GetObject to the CloudFront Origin Access Identity (OAI), so S3 answers CloudFront's origin fetch with 403 and CloudFront relays it to the viewer as this error. Check the bucket policy for an Allow statement whose Principal is the OAI's IAM user ARN (arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity <OAI-ID>) and whose Resource covers the objects (arn:aws:s3:::<bucket>/*). Note that S3 also returns 403 rather than 404 for a missing key when the caller lacks s3:ListBucket, so a 403 on a single path may be a missing object rather than a policy gap; a 403 on every object points at the policy.
Official documentation
https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-restricting-access-to-s3.html
Solution
- Update the S3 bucket policy to allow the CloudFront OAI. The statement from this entry is shown here as a complete policy document; E1234567890ABC and my-bucket are placeholders for your OAI ID and bucket name:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {"AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity E1234567890ABC"},
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::my-bucket/*"
    }
  ]
}
```

- For newer CloudFront distributions, use Origin Access Control (OAC) instead of OAI. OAC is the replacement AWS recommends: CloudFront signs origin requests with SigV4, and the bucket policy grants s3:GetObject to the service principal cloudfront.amazonaws.com with an AWS:SourceArn condition pinned to the distribution ARN, so only that one distribution can read the bucket. OAC also works with SSE-KMS encrypted objects, which OAI cannot read.
Ineffective attempts
Common but ineffective approaches:
- Making the bucket public (90% fail): A public bucket exposes all objects to the internet, violating security policies and potentially causing data leaks.
- Granting s3:GetObject to every AWS principal, e.g. "Principal": {"AWS": "*"} (85% fail): While it might work, it bypasses the OAI restriction and allows any AWS user to read objects, which is a security risk.
- Removing the OAI restriction from the origin (80% fail): This removes the security benefit of OAI and may cause other policy violations in environments requiring private origins.
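To make the Solution and the Ineffective attempts above checkable, here is an added Python example (written for this page; not code from AWS or from the original entry). It builds the OAI bucket policy from the Solution and its OAC counterpart, and audits a bucket policy document offline for the states this page describes: no grant to the CloudFront identity (the root cause), an OAC service-principal grant that is not pinned to a distribution, and a grant to everyone (the "make it public" non-fix). The bucket name, OAI ID, account number and distribution ARN are placeholders, the sample policies are constructed, IAM wildcard matching is approximated, and Deny statements are not modelled.

```python
"""Offline sanity check for the S3 side of a CloudFront private origin.

Added example, not code from the page or from AWS. Builds the bucket policy a
CloudFront OAI or OAC needs and classifies the Allow statements of a policy
document: grant to our CloudFront identity, grant to everyone, or an OAC grant
not pinned to a distribution. All IDs and ARNs below are placeholders.
"""
import json
import re

BUCKET = "my-bucket"                                                        # placeholder
OAI_ID = "E1234567890ABC"                                                   # placeholder, as on the page
DIST_ARN = "arn:aws:cloudfront::111122223333:distribution/EDFDVBD6EXAMPLE"  # fake account and id


def oai_principal(oai_id):
    """IAM user ARN that CloudFront presents for an Origin Access Identity."""
    return f"arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity {oai_id}"


def oai_policy(bucket, oai_id):
    """The page's fix: grant s3:GetObject on the objects to the OAI user."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "AllowCloudFrontOAI", "Effect": "Allow",
        "Principal": {"AWS": oai_principal(oai_id)},
        "Action": "s3:GetObject", "Resource": f"arn:aws:s3:::{bucket}/*"}]}


def oac_policy(bucket, distribution_arn):
    """OAC form: CloudFront service principal, pinned to one distribution."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "AllowCloudFrontServicePrincipal", "Effect": "Allow",
        "Principal": {"Service": "cloudfront.amazonaws.com"},
        "Action": "s3:GetObject", "Resource": f"arn:aws:s3:::{bucket}/*",
        "Condition": {"StringEquals": {"AWS:SourceArn": distribution_arn}}}]}


def _as_list(v):
    return [] if v is None else (v if isinstance(v, list) else [v])


def _glob(pattern, value):
    """IAM-style wildcard match: * is any run of characters, ? one character."""
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(rx, value) is not None


def _allows_get_object(stmt, object_arn):
    """True for an Allow statement whose Action and Resource reach s3:GetObject on object_arn."""
    if stmt.get("Effect") != "Allow":
        return False
    actions = [a.lower() for a in _as_list(stmt.get("Action"))]  # action names match case-insensitively
    return (any(_glob(a, "s3:getobject") for a in actions)
            and any(_glob(r, object_arn) for r in _as_list(stmt.get("Resource"))))


def audit(policy, bucket, oai_id=None, distribution_arn=None, key="index.html"):
    """Classify every Allow statement that reaches s3:GetObject on one sample object key."""
    object_arn = f"arn:aws:s3:::{bucket}/{key}"
    result = {"grants_cloudfront": False, "open_principals": [], "unpinned_service_principals": []}
    for stmt in _as_list(policy.get("Statement")):
        if not _allows_get_object(stmt, object_arn):
            continue
        sid = stmt.get("Sid", "<no Sid>")
        principal = stmt.get("Principal", {})
        aws = _as_list(principal.get("AWS")) if isinstance(principal, dict) else [principal]
        services = _as_list(principal.get("Service")) if isinstance(principal, dict) else []
        # "*" or "arn:aws:iam::*:root" would also match the root of an unrelated (fake) account:
        # that is the "allow everyone" non-fix, not a CloudFront grant.
        if any(_glob(a, "arn:aws:iam::999999999999:root") for a in aws):
            result["open_principals"].append(sid)
            continue
        if oai_id and oai_principal(oai_id) in aws:
            result["grants_cloudfront"] = True
        if "cloudfront.amazonaws.com" in services:
            src = stmt.get("Condition", {}).get("StringEquals", {}).get("AWS:SourceArn")
            if distribution_arn and src == distribution_arn:
                result["grants_cloudfront"] = True
            elif src is None:
                result["unpinned_service_principals"].append(sid)  # any distribution in any account
    return result


# Constructed sample policies for the cases on the page (not real bucket policies).
BROKEN_POLICY = {"Version": "2012-10-17", "Statement": [{           # owner only: CloudFront gets 403
    "Sid": "OwnerOnly", "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
    "Action": "s3:GetObject", "Resource": f"arn:aws:s3:::{BUCKET}/*"}]}
PUBLIC_POLICY = {"Version": "2012-10-17", "Statement": [{           # the "make it public" non-fix
    "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
    "Action": "s3:GetObject", "Resource": f"arn:aws:s3:::{BUCKET}/*"}]}
UNPINNED_OAC_POLICY = {"Version": "2012-10-17", "Statement": [{     # OAC grant without AWS:SourceArn
    "Sid": "AnyDistribution", "Effect": "Allow",
    "Principal": {"Service": "cloudfront.amazonaws.com"},
    "Action": "s3:GetObject", "Resource": f"arn:aws:s3:::{BUCKET}/*"}]}

if __name__ == "__main__":
    for name, pol in [("broken", BROKEN_POLICY), ("oai fix", oai_policy(BUCKET, OAI_ID)),
                      ("oac fix", oac_policy(BUCKET, DIST_ARN)), ("public", PUBLIC_POLICY),
                      ("unpinned oac", UNPINNED_OAC_POLICY)]:
        print(f"{name:13} {audit(pol, BUCKET, oai_id=OAI_ID, distribution_arn=DIST_ARN)}")
    print(json.dumps(oac_policy(BUCKET, DIST_ARN), indent=2))
```

To run it against a live bucket, feed `audit()` the output of `aws s3api get-bucket-policy --bucket my-bucket --query Policy --output text` parsed with `json.loads`. A result with grants_cloudfront false and an empty open_principals list is exactly the configuration that produces the 403 described on this page; an entry in open_principals means someone applied one of the ineffective "fixes" above and the bucket should be locked back down.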