# AccessDenied: The request could not be satisfied. CloudFront attempted to establish a connection with the origin, but the origin returned a 403 error.

- **ID:** `policy/cloudfront-s3-origin-access-identity-invalid`
- **Domain:** policy
- **Category:** auth_error
- **Error Code:** `AccessDenied`
- **Verification:** ai_generated
- **Fix Rate:** 90%

## Root Cause

The CloudFront distribution's origin access identity (OAI) is not granted the required S3 bucket policy permissions (`s3:GetObject` on the bucket's objects), so S3 rejects the origin request with 403 and CloudFront surfaces it as `AccessDenied`.

## Version Compatibility

| Version | Status | Introduced | Deprecated |
|---------|--------|------------|------------|
| AWS CloudFront 2024-03 | active | — | — |
| AWS S3 2024-03 | active | — | — |

## Workarounds

1. **Attach a bucket policy that grants `s3:GetObject` to the CloudFront OAI.** (90% success)
   ```
   aws s3api put-bucket-policy --bucket my-bucket --policy '{
     "Version": "2012-10-17",
     "Statement": [{
       "Effect": "Allow",
       "Principal": {"AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity E1A2B3C4D5E6"},
       "Action": "s3:GetObject",
       "Resource": "arn:aws:s3:::my-bucket/*"
     }]
   }'
   ```
2. **Use an Origin Access Control (OAC) instead of OAI**, which requires a bucket policy with the OAC's canonical user ID. (85% success)
3. **Verify the OAI is correctly associated with the CloudFront distribution's origin** and that the bucket policy references the correct OAI ARN. (80% success)

## Dead Ends

- This opens the bucket to the public, which violates security policies and may still not work if the OAI is not the specific principal. (70% fail)
- Public access is not recommended and doesn't solve the OAI trust issue; the bucket policy must explicitly allow the OAI. (50% fail)
- The root cause is the missing bucket policy, not the distribution setup. (80% fail)
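As an added example (not part of this record), a small Python checker that audits a bucket policy document for the two conditions this page turns on: whether the named OAI is allowed `s3:GetObject` on the bucket's objects (the fix), and whether a wildcard principal has the same access (the dead end). The OAI ARN and bucket name are the page's sample values; the policy documents are constructed.

```python
import json

# Sample values from the workaround above; the policies below are constructed.
OAI_ARN = "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity E1A2B3C4D5E6"
BUCKET = "my-bucket"

GOOD_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": OAI_ARN},
    "Action": "s3:GetObject", "Resource": f"arn:aws:s3:::{BUCKET}/*"}]})

PUBLIC_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": "*",
    "Action": "s3:GetObject", "Resource": f"arn:aws:s3:::{BUCKET}/*"}]})


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principals(stmt):
    """Flatten the Principal element into a list of principal strings."""
    p = stmt.get("Principal", {})
    if p == "*":
        return ["*"]
    if isinstance(p, dict):
        return [v for vals in p.values() for v in _as_list(vals)]
    return _as_list(p)


def audit_bucket_policy(policy_json, bucket, oai_arn):
    """Return (oai_can_read, public_read) for a bucket policy document.

    Only Allow statements that cover the bucket's objects count. Action
    wildcards other than 's3:*' are not expanded (simplifying assumption).
    """
    objects_arn = f"arn:aws:s3:::{bucket}/*"
    oai_can_read = public_read = False
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        resources = set(_as_list(stmt.get("Resource", [])))
        if not ({"s3:getobject", "s3:*"} & actions and {objects_arn, "*"} & resources):
            continue
        principals = _principals(stmt)
        oai_can_read |= oai_arn in principals
        public_read |= "*" in principals
    return oai_can_read, public_read
```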
