Bobcares

CloudFront API gateway access denied

by | Nov 8, 2021

Wondering how to resolve CloudFront API gateway access denied error? We can help you.

At Bobcares we assist our customers with several AWS queries as part of our AWS Support Services for AWS users, and online service providers.

Today, let us see how our Support Techs perform it.

How to resolve CloudFront API gateway access denied error?

In order to troubleshoot Access Denied errors, you must know if your distribution’s origin domain name is an S3 website endpoint or an S3 REST API endpoint.

Follow these steps to determine the endpoint type:

  1. Firstly, open the CloudFront console.
  2. Then, select your CloudFront distribution, and then choose Distribution Settings.
  3. Next, choose the Origins and Origin Groups tab.
  4. Review the domain name under Origin Domain Name and Path. Then, determine the endpoint type based on the format of the domain name.

REST API endpoints use this format:

DOC-EXAMPLE-BUCKET.s3.amazonaws.com

Static website endpoints use this format:

DOC-EXAMPLE-BUCKET.s3-website-us-east-1.amazonaws.com

If your distribution is using a REST API endpoint, verify that your configurations meet the following requirements to avoid Access Denied errors.

Today, let us see the steps followed by our Support Techs to resolve CloudFront API gateway access denied errors.

If you don’t configure an OAI, then the objects must be publicly accessible or requested with AWS Signature Version 4

If you don’t configure an OAI, then a distribution using a REST API endpoint supports only public objects, or objects requested with AWS Signature Version 4 authentication.

To determine if the objects in your S3 bucket are publicly accessible.

Open the S3 object’s URL in a web browser. Or, run a curl command on the URL.

The following is an example URL of an S3 object:

http://DOC-EXAMPLE-BUCKET.s3-website-us-east-1.amazonaws.com/index.html

If either the web browser or curl command returns an Access Denied error, then the object isn’t publicly accessible.

If the object isn’t publicly accessible, then use one of the following configurations:

1. Firstly, create a bucket policy that allows public read access for all objects in the bucket.
2. Then, use the Amazon S3 console to allow public read access for the object.
3. Next, configure an OAI for the distribution using the REST API endpoint.
4. Authenticate requests to Amazon S3 using AWS Signature Version 4.

Objects in the bucket can’t be AWS KMS-encrypted

CloudFront distributions don’t support AWS KMS-encrypted objects.

You must remove KMS encryption from the S3 objects that you want to serve using the distribution.

Use one of the following ways to check if an object in your bucket is KMS-encrypted:

1. Firstly, use the Amazon S3 console to view the properties of the object. Review the Encryption dialog box.

If AWS-KMS is selected, then the object is KMS-encrypted.

2. Run the head-object command using the AWS Command Line Interface (AWS CLI).

If the command returns ServerSideEncryption as aws:kms, then the object is KMS-encrypted.

To change the object’s encryption settings using the AWS CLI, first verify that the object’s bucket doesn’t have default encryption.

If the bucket doesn’t have default encryption, then run the following AWS CLI command to remove the object’s encryption by copying the object over itself.

aws s3 cp s3://DOC-EXAMPLE-BUCKET/index.html s3://DOC-EXAMPLE-BUCKET/index.html --storage-class STANDARD

The S3 bucket policy must allow access to s3:GetObject

To use a distribution with an S3 REST API endpoint, your bucket policy must allow s3:GetObject either to public users or to CloudFront’s OAI.

Even if you have an explicit allow statement for s3:GetObject in your bucket policy, confirm that there isn’t a conflicting explicit deny statement.

An explicit deny statement always overrides an explicit allow statement.

Follow these steps to review your bucket policy for s3:GetObject:

1.Firstly, open your S3 bucket from the Amazon S3 console.

2.Then, choose the Permissions tab.

3.Next, choose Bucket Policy.

4.Review the bucket policy for statements with “Action”: “s3:GetObject” or “Action”: “s3:*”.

In the following example policy, there’s an allow statement that grants a CloudFront OAI access to s3:GetObject.

There’s also an allow statement that grants public access to s3:GetObject.

However, there’s an explicit deny statement for s3:GetObject that blocks access unless the request is from a specific Amazon Virtual Private Cloud (Amazon VPC).

{
"Version": "2008-10-17",
"Id": "PolicyForCloudFrontPrivateContent",
"Statement": [{
"Sid": "Allow-OAI-Access-To-Bucket",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity EAF5XXXXXXXXX"
},
"Action": "s3:GetObject",
"Resource": [
"arn:aws:s3:::DOC-EXAMPLE-BUCKET/*"
]
},
{
"Sid": "Allow-Public-Access-To-Bucket",
"Effect": "Allow",
"Principal": "*",
"Action": "s3:GetObject",
"Resource": [
"arn:aws:s3:::DOC-EXAMPLE-BUCKET/*"
]
},
{
"Sid": "Access-to-specific-VPCE-only",
"Effect": "Deny",
"Principal": "*",
"Action": "s3:GetObject",
"Resource": [
"arn:aws:s3:::DOC-EXAMPLE-BUCKET/*"
],
"Condition": {
"StringNotEquals": {
"aws:sourceVpce": "vpce-1a2b3c4d"
}
}
}
]
}

5. Modify the bucket policy to remove or edit statements that block CloudFront OAI access or public access to s3:GetObject.

If the bucket policy grants access, the AWS account that owns the S3 bucket must also own the object

For a bucket policy to apply to external accounts or services, the AWS account that owns the bucket must also own the objects.

A bucket or object is owned by the account of the AWS Identity and Access Management (IAM) identity that created the bucket or object.

Follow these steps to check if the bucket and objects have the same owner:

1.Firstly, run this AWS CLI command to get the S3 canonical ID of the bucket owner:

aws s3api list-buckets --query Owner.ID

2.Then, run this command to get the S3 canonical ID of the object owner.

Note: This example shows a single object, but you can use the list command to check several objects.

aws s3api list-objects --bucket DOC-EXAMPLE-BUCKET --prefix index.html

3.If the canonical IDs don’t match, then the bucket and object have different owners.

Note: You can also use the Amazon S3 console to check the bucket and object owners. The owners are found in the Permissions tab of the respective bucket or object.

Follow these steps to change the object’s owner to the bucket owner:

1.From the object owner’s AWS account, run this command to retrieve the access control list (ACL) permissions assigned to the object:

aws s3api get-object-acl --bucket DOC-EXAMPLE-BUCKET --key object-name

2.If the object has bucket-owner-full-control ACL permissions, then skip to step #3.

If the object doesn’t have bucket-owner-full-control ACL permissions, then run this command from the object owner’s account:

aws s3api put-object-acl --bucket DOC-EXAMPLE-BUCKET --key object-name --acl bucket-owner-full-control

3.From the bucket owner’s account, run this command to change the owner of the object by copying the object over itself:

aws s3 cp s3://DOC-EXAMPLE-BUCKET/index.html s3://DOC-EXAMPLE-BUCKET/index.html --storage-class STANDARD

The requested objects must exist in the bucket

If a user doesn’t have s3:ListBucket permissions, then the user gets Access Denied errors for missing objects instead of 404 Not Found errors.

Run the head-object AWS CLI command to check if an object exists in the bucket.

Please note to confirm that the object request sent to CloudFront matches the S3 object name exactly.

S3 object names are case-sensitive. If the request doesn’t have the correct object name, then Amazon S3 responds as though the object is missing.

To identify which object CloudFront is requesting from Amazon S3, use server access logging.

If the object exists in the bucket, then the Access Denied error isn’t masking a 404 Not Found error.

Verify other configuration requirements to resolve the Access Denied error.

If the object isn’t in the bucket, then the Access Denied error is masking a 404 Not Found error.

Resolve the issue related to the missing object.

If the bucket policy grants access, the AWS account that owns the S3 bucket must also own the object

For a bucket policy to apply to external accounts or services, the AWS account that owns the bucket must also own the objects.

A bucket or object is owned by the account of the AWS Identity and Access Management (IAM) identity that created the bucket or object.

Follow these steps to check if the bucket and objects have the same owner:

1.Firstly, run this AWS CLI command to get the S3 canonical ID of the bucket owner:

aws s3api list-buckets --query Owner.ID

2.Then, run this command to get the S3 canonical ID of the object owner.

Note: This example shows a single object, but you can use the list command to check several objects.

aws s3api list-objects --bucket DOC-EXAMPLE-BUCKET --prefix index.html

3.If the canonical IDs don’t match, then the bucket and object have different owners.

Note: You can also use the Amazon S3 console to check the bucket and object owners. The owners are found in the Permissions tab of the respective bucket or object.

Follow these steps to change the object’s owner to the bucket owner:

1.From the object owner’s AWS account, run this command to retrieve the access control list (ACL) permissions assigned to the object:

aws s3api get-object-acl --bucket DOC-EXAMPLE-BUCKET --key object-name

2.If the object has bucket-owner-full-control ACL permissions, then skip to step #3.

If the object doesn’t have bucket-owner-full-control ACL permissions, then run this command from the object owner’s account:

aws s3api put-object-acl --bucket DOC-EXAMPLE-BUCKET --key object-name --acl bucket-owner-full-control

3.From the bucket owner’s account, run this command to change the owner of the object by copying the object over itself:

aws s3 cp s3://DOC-EXAMPLE-BUCKET/index.html s3://DOC-EXAMPLE-BUCKET/index.html --storage-class STANDARD

The requested objects must exist in the bucket

If a user doesn’t have s3:ListBucket permissions, then the user gets Access Denied errors for missing objects instead of 404 Not Found errors.

Run the head-object AWS CLI command to check if an object exists in the bucket.

Please note to confirm that the object request sent to CloudFront matches the S3 object name exactly.

S3 object names are case-sensitive. If the request doesn’t have the correct object name, then Amazon S3 responds as though the object is missing.

To identify which object CloudFront is requesting from Amazon S3, use server access logging.

If the object exists in the bucket, then the Access Denied error isn’t masking a 404 Not Found error.

Verify other configuration requirements to resolve the Access Denied error.

If the object isn’t in the bucket, then the Access Denied error is masking a 404 Not Found error.

Resolve the issue related to the missing object.

[Need assistance with CloudFront? We are available 24*7]

Conclusion

Today, we saw steps followed by our Support Techs to resolve CloudFront API gateway access denied error.

PREVENT YOUR SERVER FROM CRASHING!

Never again lose customers to poor server speed! Let us help you.

Our server experts will monitor & maintain your server 24/7 so that it remains lightning fast and secure.

GET STARTED

0 Comments

Submit a Comment

Your email address will not be published. Required fields are marked *

Never again lose customers to poor
server speed! Let us help you.