AWS Cloudfront Origin Failover with S3 buckets in same region

1
votes

The first bucket, something-cf-validate-origin-primary-devops, have index.html in the root of the S3 bucket with content,

<html>
<body>
Home page
</body>
</html>

The second bucket, something-cf-validate-origin-failover-devops, have index.html in the root of the S3 bucket.

<html>
<body>
Maintenance page
</body>
</html>

Both the S3 buckets have static web hosting enable and publicly accessible with the endpoint.

Cloudfront Distribution contains two Origins.

enter image description here

Origin group as below,

enter image description here

Behavior is pointing to the Origin group,

enter image description here

Cloudfront's Default Root Object is set to index.html

When I hit the Cloudfront Distribution's Domain Name I am getting the "Home Page".

When I rename index.html to index-disable.html in the first bucket, I should get "Maintenance Page" as because Cloudfront failover should serve the page from second bucket since it got 404 from the first bucket.

But I am getting "Access Denied" when I rename index.html to index-disable.html.

1
amazon-web-servicesamazon-s3amazon-cloudfrontfailover

1 Answers

2
votes

The status you're getting is a 403.

From the AWS documentation

Check if the requested object exists in the bucket. If a user doesn’t have s3:ListBucket permissions, then the user gets Access Denied errors for missing objects instead of 404 Not Found errors. Run this AWS CLI command to check if an object exists in the bucket

The user in this case is the Bucket Policy, so that would need to grant the s3:ListBucket permission.

It may be easier for 403 to also have it failover.