0
votes

I am using CloudFront in combination with a S3-bucket.

When I access my CloudFront-domain (d4...cloudfront.net) directly, everything works fine and I can see my website + SSL-certificate.

But when I access my website-url, I get an 403 Forbidden-message (An Error Occurred While Attempting to Retrieve a Custom Error Document).

This is the error I get: (screenshot)

This is the response header: (screenshot)

What I tried so far:

  • When I created the CloudFront distribution, I selected "Origin Access Identity: Create a new Identity" and "Update Bucket Policy"
  • I added a Custom Error Page, which returns status code 200 and /index.html as the response page

My S3 bucket is not public, because I only want my CloudFront to access the S3-Bucket with this policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "2",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity ..."
            },
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::www.../*"
        }
    ]
}
1
Please show the exact error, headers and body. [Michael - sqlbot]
Thanks for the advice, I just added the error message and the header. [rob_87]
The error is from S3. Your error message is HTML, not XML, which means you are using the website endpoint of the bucket, not the REST endpoint. An Origin Access Identity only works with REST endpoints. [Michael - sqlbot]
Does it mean I have to change the origin domain name of my CloudFront configuration? Where can I find the REST endpoint of my S3 bucket? [rob_87]
Yes, you'll need to change it. Create a new origin and start typing the bucket name, and you should be able to then select the bucket from the drop-down list. This is the REST endpoint. Then change the Cache Behaviors to use the new origin. [Michael - sqlbot]

1 Answer

3
votes

You will want to set up Origin Access Identity. This allows you to keep your bucket private and only allow access through CloudFront. This is very easy to set up. I have included two links to walk you through the steps and to help you understand everything.


Serving Private Content through CloudFront

This StackOverflow Q/A will help you also. Review the answer by "Michael - sqlbot".

Relationship between Origin Access Identities and CloudFront Signed Urls
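The diagnosis in the comment thread (OAI attached, but the origin points at the S3 website endpoint, which an Origin Access Identity cannot authenticate to) and the answer's advice (keep the bucket private, grant only the OAI) can both be checked mechanically. The following is an added example, not code from the question, the answer or AWS: it audits a CloudFront DistributionConfig and an S3 bucket policy offline. The sample inputs are constructed in the shape of `aws cloudfront get-distribution-config` and `aws s3api get-bucket-policy` output; the bucket name, region and OAI id are placeholders.

```python
"""
Added example (not part of the original question, answer or comments).
Checks a CloudFront DistributionConfig and an S3 bucket policy for the two
conditions this thread turns on:
  1. the S3 origin must be the bucket's REST endpoint, not the website
     endpoint (an OAI only works against REST endpoints);
  2. the origin must carry an OAI, and the bucket policy must grant
     s3:GetObject to that OAI, with no public ("*") principal.
All names, regions and ids below are constructed placeholders.
"""
import re

# Website endpoints: bucket.s3-website-us-east-1.amazonaws.com or
#                    bucket.s3-website.eu-central-1.amazonaws.com
# REST endpoints:    bucket.s3.amazonaws.com or bucket.s3.eu-central-1.amazonaws.com
WEBSITE_ENDPOINT = re.compile(r"\.s3-website[.-][a-z0-9-]+\.amazonaws\.com$")
REST_ENDPOINT = re.compile(r"\.s3([.-][a-z0-9-]+)?\.amazonaws\.com$")
OAI_ARN_PREFIX = "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity "


def classify_origin(domain_name):
    """Return 'website', 'rest' or 'other' for a CloudFront origin DomainName."""
    host = domain_name.lower().rstrip(".")
    if WEBSITE_ENDPOINT.search(host):   # checked first: it also matches the REST pattern
        return "website"
    if REST_ENDPOINT.search(host):
        return "rest"
    return "other"


def origin_oai_id(origin):
    """OAI id from 'origin-access-identity/cloudfront/E...', or None if unset."""
    value = origin.get("S3OriginConfig", {}).get("OriginAccessIdentity", "")
    return value.rsplit("/", 1)[-1] or None


def audit_origin(origin):
    """Findings for one origin: wrong endpoint family or missing OAI."""
    findings = []
    oid = origin["Id"]
    if classify_origin(origin["DomainName"]) == "website":
        findings.append(f"{oid}: website endpoint; an OAI cannot authenticate here, use the REST endpoint")
    if "S3OriginConfig" not in origin:
        findings.append(f"{oid}: custom origin, OAI does not apply")
    elif origin_oai_id(origin) is None:
        findings.append(f"{oid}: no OriginAccessIdentity; S3 sees anonymous requests")
    return findings


def audit_bucket_policy(policy, oai_id):
    """Findings for the bucket policy: must grant GetObject to this OAI, nothing public."""
    findings = []
    expected = OAI_ARN_PREFIX + oai_id
    grants_oai = False
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if principal == "*" or principal == {"AWS": "*"}:
            findings.append(f"{stmt.get('Sid', '?')}: Principal '*' makes the bucket public, defeating the OAI")
            continue
        aws = principal.get("AWS", []) if isinstance(principal, dict) else []
        aws = [aws] if isinstance(aws, str) else aws
        if expected in aws and any(a in ("s3:GetObject", "s3:*") for a in actions):
            grants_oai = True
    if not grants_oai:
        findings.append(f"bucket policy does not grant s3:GetObject to {expected}")
    return findings


def audit(dist_config, policy):
    """Run both checks over every origin; an empty list means the setup is consistent."""
    findings = []
    for origin in dist_config["Origins"]["Items"]:
        findings += audit_origin(origin)
        oai = origin_oai_id(origin)
        if oai:
            findings += audit_bucket_policy(policy, oai)
    return findings


# Constructed samples. BROKEN mirrors the question: OAI attached and the policy
# is right, but the origin points at the website endpoint. FIXED uses REST.
OAI = "E2EXAMPLEOAI0"          # placeholder OAI id
BUCKET = "www.example.com"     # placeholder bucket name
POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "2", "Effect": "Allow",
        "Principal": {"AWS": OAI_ARN_PREFIX + OAI},
        "Action": "s3:GetObject",
        "Resource": f"arn:aws:s3:::{BUCKET}/*",
    }],
}


def _dist(domain):
    return {"Origins": {"Items": [{
        "Id": "s3-" + BUCKET, "DomainName": domain,
        "S3OriginConfig": {"OriginAccessIdentity": f"origin-access-identity/cloudfront/{OAI}"},
    }]}}


BROKEN = _dist(f"{BUCKET}.s3-website.eu-central-1.amazonaws.com")
FIXED = _dist(f"{BUCKET}.s3.eu-central-1.amazonaws.com")

if __name__ == "__main__":
    for name, cfg in (("broken", BROKEN), ("fixed", FIXED)):
        print(name, audit(cfg, POLICY) or ["ok"])
```

Against the real distribution, feed `audit()` the `DistributionConfig` object returned by `aws cloudfront get-distribution-config` and the parsed `Policy` string from `aws s3api get-bucket-policy`. The HTML-vs-XML error body that the comment thread used as the tell is the same symptom this check catches at the configuration level, before any request is made.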