# Access denied: the request could not be satisfied. CloudFront attempted to establish a connection with the origin, but the origin returned a 403 Forbidden response.

- **ID:** `policy/cloudfront-origin-access-identity-s3-bucket-policy-mismatch`
- **Domain:** policy
- **Category:** auth_error
- **Verification level:** ai_generated
- **Fix rate:** 95%

## Root cause

The S3 bucket policy does not grant read permission to the CloudFront origin access identity (OAI), so CloudFront receives a 403 error when it fetches objects.

## Version compatibility

| Version | Status | Introduced | Deprecated |
|------|------|------|------|
| CloudFront 2023-12-01 | active | — | — |
| S3 Standard | active | — | — |

## Solution

1. Update the S3 bucket policy to allow the CloudFront OAI (the statement below is the entry's grant wrapped in a complete policy document):

   ```
   {
     "Version": "2012-10-17",
     "Statement": [
       {
         "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity E1234567890ABC"},
         "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::my-bucket/*"
       }
     ]
   }
   ```

2. For newer CloudFront distributions, use Origin Access Control (OAC) instead of OAI to get finer-grained permissions.
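An added policy audit, not part of this entry: it parses a bucket policy, reports whether the OAI (or an OAC-style `cloudfront.amazonaws.com` principal scoped by `AWS:SourceArn`) is granted `s3:GetObject` on the bucket's objects, and lists any statement that opens the objects to `"*"` (anonymous) or `{"AWS": "*"}` (any AWS account), the overly broad "fixes" this entry warns against. The bucket name, Sids and the second statement are constructed sample values.

```python
import json
import fnmatch

# Constructed sample bucket policy: statement 1 is this entry's OAI grant, statement 2 is
# the kind of overly broad "fix" the invalid-attempts list warns about.
BUCKET = "my-bucket"
OAI_ARN = "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity E1234567890ABC"
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "AllowOAI", "Effect": "Allow", "Principal": {"AWS": OAI_ARN},
     "Action": "s3:GetObject", "Resource": f"arn:aws:s3:::{BUCKET}/*"},
    {"Sid": "AnyAwsUser", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": ["s3:GetObject"], "Resource": f"arn:aws:s3:::{BUCKET}/*"},
]})

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _principals(stmt):
    """Flatten Principal into (kind, value) pairs; a bare "*" means anonymous access."""
    principal = stmt.get("Principal", {})
    if principal == "*":
        return [("anonymous", "*")]
    return [(kind, v) for kind, vals in principal.items() for v in _as_list(vals)]

def _grants_get_object(stmt, bucket):
    """True if an Allow statement covers s3:GetObject on objects inside the bucket."""
    if stmt.get("Effect") != "Allow":
        return False
    actions = _as_list(stmt.get("Action", []))
    resources = _as_list(stmt.get("Resource", []))
    sample_object = f"arn:aws:s3:::{bucket}/index.html"  # any object key; "bucket/*" must match it
    return (any(fnmatch.fnmatchcase("s3:GetObject", a) for a in actions)  # "s3:*" also matches
            and any(fnmatch.fnmatchcase(sample_object, r) for r in resources))

def audit_bucket_policy(policy_json, bucket, oai_arn):
    """Report whether the OAI (or an OAC) is granted object reads, and which Sids are overly broad."""
    result = {"oai_granted": False, "oac_granted": False, "broad_sids": []}
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        if not _grants_get_object(stmt, bucket):
            continue
        conditions = stmt.get("Condition", {})
        scoped = any("aws:sourcearn" in {k.lower() for k in v} for v in conditions.values())
        for kind, value in _principals(stmt):
            if kind == "AWS" and value == oai_arn:
                result["oai_granted"] = True
            elif kind == "Service" and value == "cloudfront.amazonaws.com" and scoped:
                result["oac_granted"] = True  # OAC grant pinned to one distribution via AWS:SourceArn
            elif value == "*":  # anonymous ("*") or any AWS account ({"AWS": "*"})
                result["broad_sids"].append(stmt.get("Sid", "<no Sid>"))
    return result
```

Run it against the live policy from `aws s3api get-bucket-policy` to confirm the OAI is granted before touching the distribution; a non-empty `broad_sids` means the bucket is readable far beyond CloudFront.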

## Invalid attempts

- Public bucket exposes all objects to the internet, violating security policies and potentially causing data leaks. (90% failure rate)
- While it might work, it bypasses the OAI restriction and allows any AWS user to read objects, which is a security risk. (85% failure rate)
- This removes the security benefit of OAI and may cause other policy violations in environments requiring private origins. (80% failure rate)
