Why do I receive 403 Access Denied when I use an S3 REST API origin in my CloudFront distribution?

00:00

[Music]

00:01

[Applause]

00:02

[Music]

00:08

hello I'm Aaron the cloud support

00:09

engineer here at AWS today I'm going to

00:12

show you how to identify and resolve

00:15

Amazon cloudfront 403 access denied

00:18

errors when you use an Amazon simple

00:20

storage service S3 rest API origin let's

00:25

get

00:26

started how do I identify my S3 bucket

00:30

Origins endpoint type there are two ways

00:33

that you can configure an Amazon S3

00:36

bucket as a cloudfront origin either as

00:38

the bucket's rest API endpoint or the

00:41

bucket's website endpoint follow along

00:44

with me in the AWS Management console to

00:46

confirm your S3 origin

00:49

type open the cloudfront

00:52

console select the cloudfront

00:54

distribution whose origin you want to

00:57

check choose the origins tab

01:01

note the origin domain value for the S3

01:04

origin if the value is similar to

01:08

example bucket. s3. region.

01:12

amazonaws.com or example bucket. s3.

01:16

Amazon aws.com then this indicates that

01:19

the origin is an S3 buckets rest API

01:22

endpoint if the value is instead similar

01:26

to example bucket. s3- website -

01:31

us-- one. Amazon aws.com then this

01:35

indicates that the origin is an S3

01:37

buckets website end

01:39

point if you're experiencing 403 access

01:43

denied errors with an S3 website origin

01:46

visit our repost discussion on the topic

01:49

to understand the differences between

01:51

accessing S3 website endpoints and

01:53

accessing rest API

01:56

endpoints what if I'm using an origin

01:59

access ACC control when you use an S3

02:02

rest API origin within a cloudfront

02:05

distribution the distribution must have

02:07

sufficient access to the buckets objects

02:10

to configure access you can use either

02:12

An Origin Access Control OAC or in

02:16

origin access identity oi you can also

02:19

authenticate requests using AWS

02:22

signature V4 or make the objects

02:24

publicly accessible for most use cases

02:27

where a cloudfront distribution must

02:29

access an S3 rest API origin it's a best

02:33

practice to use an

02:35

OAC here's how to create a new OAC in

02:38

the AWS Management console open the

02:41

cloudfront

02:43

console under security choose origin

02:48

access under the default control

02:51

settings tab choose create control

02:55

setting enter a name for your OAC

03:00

optionally you can enter a

03:03

description under settings make sure

03:06

that sign requests recommended is

03:08

selected for the signing Behavior if

03:11

your OAC is set to do not sign requests

03:14

then cloudfront can't access the S3

03:16

bucket which causes a 403 error if your

03:20

client applications can sign requests

03:23

and your use case involves toggling

03:25

between client signed and cloudfront

03:28

signed authorization headers

03:30

then you can also select do not override

03:33

authorization header for most use cases

03:36

you don't need to turn on this feature

03:39

I'll keep it

03:40

unselected make sure that your origin

03:43

type is set to S3 choose

03:46

create remember that for an OAC

03:49

configuration you must always set

03:51

signing Behavior to always sign requests

03:55

otherwise cloudfront can't sign requests

03:57

that are made against your S3 rest API

04:00

origin and you will receive a 403 access

04:03

denied

04:05

error what if my bucket contains objects

04:08

that are encrypted with AWS KMS if your

04:12

S3 rest API origin has objects that are

04:16

encrypted with AWS Key Management

04:18

Service and you're using an oai for your

04:21

distribution then you must instead use

04:24

an OAC so that cloudfront can properly

04:27

sign requests to S3 for en crypted

04:30

objects you must also update the KMS key

04:33

policy to Grant the OAC permission to

04:36

use the key such as in the following

04:38

policy from my own

04:42

key let's go to KMS together make sure

04:46

customer manage keys are selected for

04:48

this scenario and then select the key in

04:51

question once the key in question is

04:54

selected edit its key

04:57

policy and ensure that the policy shown

05:00

on the screen is implemented using your

05:03

account

05:06

information you can also use an origin

05:09

request Lambda Edge function to serve

05:12

objects from KMS encrypted S3 rest API

05:16

Origins more information about how to

05:19

use this function including sample code

05:22

see our Solutions architect blog post

05:24

for more information to confirm whether

05:26

your objects are encrypted you can

05:28

either check your buckets properties to

05:30

see if AWS KMS is selected for

05:32

encryption or use the AWS command line

05:35

interface to run a head object command

05:37

against an object in your

05:40

bucket let's navigate the S3 to check

05:42

our

05:45

bucket select the KMS encrypted

05:49

bucket navigate to

05:51

properties scroll down to its default

05:54

encryption

05:55

setting if the encryption types as

05:57

server side encryption with Amazon S3

06:00

manage Keys then your bucket is

06:03

encrypted by default if you would

06:05

instead like to verify using the AWS CLI

06:10

let's navigate to

06:12

cloudshell if the output from the

06:14

following AWS CLI command shows AWS KMS

06:18

for serers side encryption then your

06:21

object is encrypted as you can see in my

06:23

output the server side encryption output

06:27

field is set to awmf

06:30

showing that my buckets index.html file

06:34

was

06:36

encrypted how do I confirm my bucket

06:39

policy when I use an OAC or oai when you

06:43

create and Associate an OAC with your

06:46

cloudfront distribution the necessary

06:49

bucket policy is generated for you if

06:52

you didn't copy the policy when you

06:54

created your distribution or you want to

06:56

confirm your current policy then use the

06:59

example policy shown

07:03

below I will also walk with you in

07:06

creating an OAC distribution let's start

07:10

by navigating the cloud front next let's

07:13

click on create

07:16

distribution under origin domain select

07:19

a S3 rest API bucket under origin access

07:25

select origin access control settings

07:28

recommended under origin Access Control

07:32

select your origin access

07:35

control the rest of your distribution

07:38

settings are at your own discretion I

07:41

will go through with some defaults I

07:43

find helpful for troubleshooting

08:00

once the distribution is created you

08:02

will see a popup saying that the S3

08:05

bucket policy needs to be updated you

08:07

may click on copy policy so the policy

08:10

statement is copied to your clipboard

08:12

and then you may click the goto S3

08:15

bucket permissions

08:17

hyperlink once here you may scroll down

08:20

to the bucket policy section click edit

08:24

and paste the statement that you copied

08:26

from

08:26

cloudfront Once pasted you may save the

08:30

policy when you use an oai go to the

08:33

bucket in the Amazon S3 console and then

08:36

manually attach the bucket policy I will

08:39

show you one of my oi enabled buckets

08:42

let's navigate to

08:44

S3 I will now select my oi specific

08:49

bucket under my buckets permissions tab

08:52

will be a policy that you may use with

08:55

your own account information to

08:57

configure oi permission

09:00

this bucket policy is specific to my

09:03

distribution and AWS

09:07

account what if my buckets objects are

09:09

owned by a different AWS account for a

09:12

bucket policy to apply to external

09:14

accounts or Services the AWS account

09:17

that owns the bucket must also own the

09:20

objects if your S3 rest API Origins

09:23

objects are owned by another account

09:26

then Amazon S3 responds with a 403 error

09:29

because because of an object owner

09:32

mismatch for more information on this

09:34

topic let's navigate the cloud shell to

09:37

get your account's S3 canonical ID run

09:40

the following AWS CLI command to confirm

09:43

the owner of an object in S3 run the

09:46

following AWS CLI command note how in my

09:49

example the first command's owner ID

09:53

matches the second commands owner ID if

09:55

the canonical IDs don't match then the

09:58

bucket and object have different owners

10:00

in this case complete the following

10:02

steps to resolve the object owner

10:04

mismatch from the object owner's account

10:07

run the following command to get the

10:09

access control list permissions that are

10:12

assigned to the object if the object has

10:15

bucket owner full control ACL

10:17

permissions then skip this step if the

10:20

object doesn't have bucket owner full

10:21

control ACL permissions then run the

10:24

following command from the object

10:25

owner's account from the bucket owner's

10:28

account run the following command to

10:30

change the owner of the object by

10:33

copying the object over

10:39

itself if cloudfront still returns a 403

10:42

error then confirm that the requested

10:44

object existed in S3 at the time of the

10:47

request when cloudfront forwards a

10:49

request to your S3 rest API origin and

10:52

the object doesn't exist S3 returns a

10:55

403

10:56

error let's use one of my distributions

10:59

as an

11:01

example this null. txt object does not

11:05

currently exist in this distribution's

11:07

bucket so I will receive a 403 error

11:10

when attempting to access it however if

11:13

I navigate back to my Management console

11:15

go to

11:17

S3 select my bucket where the object

11:20

doesn't exist and upload the object in

11:22

question

11:30

I can then resend the request through

11:32

cloudfront and be presented with the

11:34

content if you find a non-existent

11:37

object upload it and still receive a 403

11:40

error then the 403 response might be

11:43

cached to reconfirm access create an

11:46

invalidation for the objects URI I will

11:49

show you how to create an invalidation

11:51

for this object in the Management

11:53

console let's navigate the cloud front

11:56

select the distribution in question

11:58

click on the invalidations tab click on

12:01

create invalidation enter the URI path

12:05

of the object and question finally click

12:08

on create

12:09

invalidation once this invalidation is

12:12

complete cloudfront will clear its cache

12:15

of this 403 for this object to allow for

12:19

a fresh origin request to take place if

12:22

further 403s are still occurring then

12:25

you may roll this root cause out because

12:27

S3 object names are case sensitive also

12:30

confirm that the request Uris that you

12:32

send to cloudfront exactly match the S3

12:35

object name for instance in my

12:38

cloudfront tab if I tried accessing

12:41

capital N null. txt I would also receive

12:45

a

12:50

403 what if clients receive 403s when

12:54

making requests against the root of my

12:56

distribution for viewers to access your

12:58

distribution at its root you must

13:00

specify a default root object otherwise

13:03

S3 returns a 403

13:06

error let's navigate to my environment

13:08

in the AWS web console let's go to Cloud

13:12

front let's select one of the

13:14

distributions where I do not yet have a

13:17

default root object

13:19

specified for this distribution I do

13:22

have an

13:23

index.html in the corresponding buckets

13:26

directory however when I navigate to it

13:29

I will receive a

13:30

403 to rectify this issue let's go back

13:33

to our distribution and click edit under

13:38

settings once within your distribution

13:40

settings under default root object

13:44

specify the object in S3 of your default

13:47

root object once entered let's scroll

13:51

all the way to the bottom and save our

13:54

changes once your last modified time

13:57

changes from deploying to a timestamp

14:00

you will be able to verify the changes

14:02

you just made to your

14:04

distribution now that my distribution

14:07

has been updated now let's attempt to go

14:10

to the root of

14:11

it and we will now see that because an

14:14

default root object is specified we will

14:18

not receive a 403

14:20

error 403 errors suppress a 404 response

14:23

from S3 because the bucket policy isn't

14:26

granting S3 list bucket access which is

14:29

required for S3 requests that don't

14:31

specify a specific object note that it's

14:35

not a security best practice to allow S3

14:39

list bucket Public Access S3 list bucket

14:44

Public Access allows users to see and

14:47

list all objects in a bucket this

14:50

exposes object metadata details such as

14:54

key and size to users even if the users

14:57

don't have permissions to to download

14:59

the

15:00

object to better understand what happens

15:03

during requests in cloudfront and your

15:06

S3 rest API origin when you test or

15:09

investigate 403 errors it's a best

15:12

practice to implement cloudfront

15:14

standard logs and S3 server access logs

15:18

the cloudfront logs provide you with

15:20

relevant request results such as URI

15:23

HTTP verb HTTP Response Code and result

15:27

type the S3 logs provide you with the

15:30

object key operation HTTP status and

15:34

signature version if you need additional

15:37

support to resolve the 403 errors then

15:40

you can find request IDs for each

15:42

service in these logs when you contact

15:45

AWS premium support share these request

15:48

IDs so that we can better help

15:51

you thanks for watching and happy cloud

15:54

computing from all of us here at AWS

15:57

[Applause]

15:59

[Music]

16:04

[Music]