# Cloudfront XML/access denied error

20 messages · Page 1 of 1 (latest)

verbal steeple
#

Hello everyone. I am trying to use cloudfront to service my static resume website that’s hosted on S3. I followed this guide (https://aws.amazon.com/premiumsupport/knowledge-center/cloudfront-serve-static-website/).

I created the distribution and restricted access by using OAC. I set the S3 bucket as the origin for the distribution. I also copied the policy that was generated after I clicked on create and pasted it to my S3 bucket policy. I also purchased a domain from rt 53 and assigned it a custom SSL certificate via ACM. So after all that I get this xml/access denied error.

I’ve retraced my steps, started from the beginning and I still get this error. I feel like I’m missing a very simple step. It has to be a permissions issue, right? I was able to view the webpage before configuring the cloudfront distribution when the static web hosting was enabled in the S3 bucket.

The guide said I don’t need static web hosting enabled so I disabled it then created the distribution. I still get the error when I enable static web hosting. If anyone can point me in the right direction it will be greatly appreciated. This is embarrassing to admit but I’ve been stuck on this for a few days now lol.

quartz pulsar
#
  1. Check that CNAME and A records for your distribution were added to Route53.
  2. Check MX records were added for your certificate in Route53 and the certificate is validated, not in pending state.
  3. Check CloudFront distribution is configured to accept HTTPS requests. Check the same for CloudFront default behavior.
#

If you are using subdomains, please check that all of the subdomains were added on the certificate. My architecture is the same but I scrapped the S3 bucket policy; I didn’t even need it because OAC takes care of access validation and there is a policy added on the CloudFront distribution itself.

verbal steeple
#

Thank you for the detailed response, Olley. My name is Jay.

  1. I checked my cloudfront distribution, and I did not see CNAME or A records anywhere. Do you mean make sure the Distribution domain name was in route 53? So as an example, if my distribution domain name is b3ho922t6hmp6.cloudfront.net, then that’s definitely added to route 53.

  2. My certificate validation status says Success with a green check mark. It also says that the domain is currently in Route 53.

  3. I had it set to Redirect HTTP to HTTPS. I changed it to HTTP and HTTPS as well as HTTPS only and I still get the same error.

I am not using subdomains. Interestingly, I can view the bucket directly with no error but not through the domain or the cloudfront distribution. I retraced my steps following the guide you posted and still no luck.

One thing that might help is that when I go to test the CNAME and A record in Route 53, when I leave the field blank, the DNS response is no error. When I input www I get Non-Existent Domain. Maybe I’m overthinking this. Unless anyone can recommend any other ideas, I think I may just delete everything and start from scratch again. Thank you again for taking the time and responding to my question.

quartz pulsar
# verbal steeple Thank you for the detailed response, Olley. My Name is Jay. 1. I checked my...

Hi Jay, Yes, www is the subdomain. Did you use it in your certificate? Your S3 bucket name shall match your desired subdomain exactly to make everything work. I am thinking about how to share my setup without screenshotting it, because Route53 records are sensitive data and I would not want to put them on a public server. I also do an S3 bucket redirect from my domain to the subdomain for testing. You also need to add CNAME and A records in Route53 to forward requests from your domain to the CloudFront distribution. If I get a bit of energy today or over the weekend, I’ll write up an article about this. Meanwhile here is an article from the CloudFront Developer Guide I was using for setting up my website: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/CNAMEs.html

quartz pulsar
#
  1. CNAME on CloudFront distribution shall be set to your desired domain (or subdomain); you also need to choose the certificate and CloudFront will generate the Route53 CNAME record.
  2. Also need to add an A record in Route53 to forward requests from your domain to the CloudFront distribution. Domain (or subdomain name like www) for the hosted zone = S3 bucket name where the website files are stored.
  3. Please also check that you see the same CNAME record on your certificate in ACM. If it's not created, then try to create the record from the certificate console by pressing the button 'Create records in Route53'.

Lastly, the A record would match the domain that is used for the website URL. If you want to use www.example.com as the address of your website then the whole chain of resources shall match this name, starting from the S3 bucket name, domains and subdomains on the certificate and in the A record. Hope this helps.

dark valley
#

Hi there) Today I also faced the same problem - "Access Denied". I did the same steps as @verbal steeple but I didn't use Route53, instead I used another DNS.
So I guess it might not be a routing problem, because the "Access Denied" message also appears when I use the internal Distribution domain name (my-distribution-id.cloudfront.net).

dark valley
#

Finally, I coped with "Access Denied".
The solution was to explicitly point the Distribution to my index.html (Default root object - index.html).
It wasn't easy to handle this problem because no whitepapers or articles point out this issue - CloudFront could throw "Access Denied" when an object in S3 doesn't exist (instead of throwing 404).
@verbal steeple try it out and give me feedback on whether it works for you.

quartz pulsar
# dark valley Finally, I coped with "Access Denied". The solution was to explicitly point Dist...

Not true about AWS documentation. The guide I posted above does say to point the CloudFront distribution to the root object in Step 1, point 5.d: https://docs.aws.amazon.com/AmazonS3/latest/userguide/website-hosting-cloudfront-walkthrough.html

dark valley
verbal steeple
#

@dark valley thank you for the suggestion, but even after entering index.html, I still got the error.
@quartz pulsar I followed your write-up but "Alias to cloudfront distribution" was grayed out and I could not select it. I removed everything from rt 53. I am going to keep moving forward with the challenge and just use the cloudfront URL. At this point I've been trying to get this to work for almost 2 weeks with very little progress. I will wrestle with route 53 again at a later time. I will probably pay for amazon support because I really am at a loss.

#

Thank you both for your help.

quartz pulsar
# verbal steeple @dark valley thank you for the suggestion. but even after entering ind...

I’ll try to rebuild everything from scratch and document it with screenshots next week. It could be something small but crucial that is not working and holding you back. Please don’t lose heart! There were moments I was thinking of giving up, like with CORS and Cypress, but I could overcome them. Please let me know if you decide to go with the Support option. I remember that the A record was important, as I found this in my notes for the 1st chunk.

#

Hang on, where did you get your domain? Is it external? Mine was bought with Route53. Any chance you changed the NS records? Those shall be left as is and never touched if you bought on Route53, but if you bought the domain elsewhere then you need to copy the NS records from Route53 and update them on the domain provider's site.

verbal steeple
#

Hi Olley. I did buy my domain through rt 53 and I did not touch the NS records. I will be moving forward with the project and come back to this in a week or so.

quartz pulsar
verbal steeple
#

@quartz pulsar @dark valley hello there. After a lot of trial and error I finally got it to work. I kept removing and re-adding the origin (S3 bucket endpoint) and I THINK the reason I was getting the error is because my origin domain was not labeled correctly. It might've been a typo but I'm not sure. Unfortunately I did not have CloudTrail set up so I'm not sure if I can go back and see what change fixed the issue. Thanks again for trying to help.

pseudo flume
#

Oh yeah, there's a weird thing where if you refresh the page when pointing to the wrong endpoint (iirc the REST API), then that will happen; just switching it to the bucket domain usually fixes it.
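The thread lands on three separate things that all surface as the same XML "Access Denied" page: the bucket policy that ties the OAC grant to one distribution ARN, the missing default root object from dark valley's post, and the origin domain name from verbal steeple's and pseudo flume's last posts. The script below is an added example, not code from this thread or from AWS, that checks all three offline from the JSON shapes returned by `aws s3api get-bucket-policy` and `aws cloudfront get-distribution-config`. The bucket name, account id and distribution id in it are constructed placeholders. It also flags the tempting wrong fix, a `Principal: "*"` grant that makes the bucket public and defeats the point of restricting it to OAC.

```python
"""Offline audit of the pieces behind CloudFront's XML "Access Denied" page in
an S3 + Origin Access Control (OAC) setup: bucket policy, origin domain name
and default root object. Sample inputs are constructed placeholders."""
import json
import re

# Constructed placeholders: not a real account, bucket or distribution.
BUCKET = "www.example.com"
DISTRIBUTION_ARN = "arn:aws:cloudfront::111122223333:distribution/EXAMPLEDIST"
CF_SERVICE = "cloudfront.amazonaws.com"

# Shape of the policy the CloudFront console offers to copy after creating an OAC.
GOOD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowCloudFrontServicePrincipalReadOnly",
        "Effect": "Allow",
        "Principal": {"Service": CF_SERVICE},
        "Action": "s3:GetObject",
        "Resource": f"arn:aws:s3:::{BUCKET}/*",
        "Condition": {"StringEquals": {"AWS:SourceArn": DISTRIBUTION_ARN}},
    }],
}
# Trimmed DistributionConfig: REST endpoint as origin, OAC attached, root object set.
GOOD_DIST = {
    "DefaultRootObject": "index.html",
    "Origins": {"Items": [{
        "DomainName": f"{BUCKET}.s3.us-east-1.amazonaws.com",
        "OriginAccessControlId": "E2EXAMPLEOAC",
    }]},
}
# Two mistakes from the thread: website endpoint as origin, no default root object.
BAD_DIST = {
    "DefaultRootObject": "",
    "Origins": {"Items": [{"DomainName": f"{BUCKET}.s3-website-us-east-1.amazonaws.com"}]},
}

WEBSITE_ENDPOINT = re.compile(r"\.s3-website[.-][a-z0-9-]+\.amazonaws\.com$")
REST_ENDPOINT = re.compile(r"^[^/]+\.s3(?:[.-][a-z0-9-]+)?\.amazonaws\.com$")


def _as_list(value):
    """IAM policy fields may be a string or a list; normalise to a list."""
    return [value] if isinstance(value, str) else list(value or [])


def _cloudfront_grants(policy):
    """Yield Allow statements whose principal is the CloudFront service."""
    for st in policy.get("Statement", []):
        principal = st.get("Principal")
        if (st.get("Effect") == "Allow" and isinstance(principal, dict)
                and principal.get("Service") == CF_SERVICE):
            yield st


def check_bucket_policy(policy, bucket, distribution_arn):
    """Return human-readable findings; an empty list means the policy looks right."""
    findings = []
    for st in policy.get("Statement", []):
        if st.get("Effect") == "Allow" and st.get("Principal") in ("*", {"AWS": "*"}):
            findings.append("a statement grants access to Principal '*': the bucket is "
                            "public, which defeats restricting it to OAC")
    ok = saw_cf = False
    for st in _cloudfront_grants(policy):
        if not any(a in ("s3:GetObject", "s3:*") for a in _as_list(st.get("Action"))):
            continue
        saw_cf = True
        if f"arn:aws:s3:::{bucket}/*" not in _as_list(st.get("Resource")):
            findings.append(f"CloudFront grant does not cover arn:aws:s3:::{bucket}/*")
            continue
        src = st.get("Condition", {}).get("StringEquals", {}).get("AWS:SourceArn")
        if src != distribution_arn:
            findings.append(f"AWS:SourceArn is {src!r}, not this distribution's ARN; "
                            "a stale ARN from a deleted distribution gives Access Denied")
            continue
        ok = True
    if not ok and not saw_cf:
        findings.append(f"no statement lets {CF_SERVICE} read objects from this bucket")
    return findings


def missing_object_status(policy):
    """S3 answers a GET for a key that does not exist with 403 unless the caller
    is allowed s3:ListBucket, so with the standard OAC policy a typo in a path
    shows as Access Denied rather than 404. Returns the status to expect."""
    for st in _cloudfront_grants(policy):
        if any(a in ("s3:ListBucket", "s3:*") for a in _as_list(st.get("Action"))):
            return 404
    return 403


def check_distribution(dist):
    """Findings about the distribution config itself."""
    findings = []
    if not dist.get("DefaultRootObject"):
        findings.append("no DefaultRootObject: a request for '/' reaches S3 as a bucket "
                        "listing, which the GetObject-only policy denies")
    for origin in dist.get("Origins", {}).get("Items", []):
        domain = origin.get("DomainName", "")
        if WEBSITE_ENDPOINT.search(domain):  # checked first: the REST regex also matches it
            findings.append(f"origin {domain} is the S3 website endpoint; OAC only works "
                            "with the REST endpoint (bucket.s3.<region>.amazonaws.com)")
        elif not REST_ENDPOINT.match(domain):
            findings.append(f"origin {domain} is not an S3 endpoint; check for a typo")
        elif not origin.get("OriginAccessControlId"):
            findings.append(f"origin {domain} has no OAC attached, so CloudFront fetches "
                            "anonymously and the bucket policy rejects it")
    return findings


def audit(policy, dist, bucket, distribution_arn):
    """Combine the checks into one report dict."""
    return {
        "policy": check_bucket_policy(policy, bucket, distribution_arn),
        "distribution": check_distribution(dist),
        "missing_object_status": missing_object_status(policy),
    }


if __name__ == "__main__":
    print(json.dumps(audit(GOOD_POLICY, GOOD_DIST, BUCKET, DISTRIBUTION_ARN), indent=2))
    print(json.dumps(audit(GOOD_POLICY, BAD_DIST, BUCKET, DISTRIBUTION_ARN), indent=2))
```

Run it against your own `get-bucket-policy` and `get-distribution-config` output (the `Policy` value comes back as a JSON string, so `json.loads` it first). A clean report plus `missing_object_status: 403` means the setup is right and any remaining Access Denied is most likely a path that does not exist in the bucket.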