AWS CloudFront access to S3 through OAC returns Access Denied

Question

I have a static website hosted on an S3 bucket. I initially had the bucket fully public and set up as static website hosting while testing CloudFront out, and everything worked fine; I accessed the site through my alternate domain perfectly. However, I now want to limit the S3 file accessibility and only allow access through CloudFront, but am getting Access Denied after following various tutorials.

So I followed: https://repost.aws/knowledge-center/cloudfront-serve-static-website which also matches a few other tutorials I have read since, and they all say the same thing for the OAC process, but I am getting Access Denied when trying to access my website.

So I have my S3 bucket with public access now fully disabled and static website hosting disabled as well. I made a CloudFront origin access control setting with 'sign requests' and S3 as origin type, and in my CloudFront origins I chose my S3 bucket from the origin domain, selected origin access control and chose the origin access I just created from the list, I left enable origin shield disabled, copied the S3 policy it creates and selected save changes. I then went to the S3 bucket that I selected for that origin and pasted it into the policy field, so it looks like this (replaced my account info with dummy data, but in the actual policy I have confirmed it's correct):

{
    "Version": "2008-10-17",
    "Id": "PolicyForCloudFrontPrivateContent",
    "Statement": [
        {
            "Sid": "AllowCloudFrontServicePrincipal",
            "Effect": "Allow",
            "Principal": {
                "Service": "cloudfront.amazonaws.com"
            },
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::examplebucketid/*",
            "Condition": {
                "StringEquals": {
                    "AWS:SourceArn": "arn:aws:cloudfront::11736596049:distribution/E1OS67E245W70W"
                }
            }
        }
    ]
}

If I go to my CloudFront origins tab I can see that the origin domain is my S3 bucket and the origin access is the ID of the access control I just set up.

On S3 I have Object Ownership - Bucket owner enforced, static website hosting is disabled, and I do have CORS set up, but I have tried without it as well. Just for reference, though, it's currently:

[
    {
        "AllowedHeaders": [
            "*"
        ],
        "AllowedMethods": [
            "GET",
            "HEAD"
        ],
        "AllowedOrigins": [
            "*"
        ],
        "ExposeHeaders": [],
        "MaxAgeSeconds": 3000
    }
]

Its default behaviour has the S3 bucket chosen as origin, and redirects HTTP to HTTPS. The distribution's default root object is also /index.html, which is properly uploaded to the S3 bucket, and was working before setting S3 to private.

I have looked around and followed tutorials, and have even tried from fresh S3 and CloudFront distribution instances, but I get the same result of Access Denied. I also tried using OAI instead and letting CloudFront update my S3 policy itself, but was still getting Access Denied. I do wait for any CloudFront changes to be fully deployed before testing as well, but same result.

Anything stick out that I need to change or can check? I've been looking for a few hours, and every tutorial or other post I have seen is from an old version of the AWS interface where the options aren't the same, or simply shows what I followed, except theirs worked.

Answer 1

Score: 1

Previously I had the default root object as /index.html, so I assumed that would remain the same because it worked when S3 was set up as a static website host, but changing that to just index.html solved the issue. I guess the permission set-up was correct; just the default root object wasn't set properly.
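The answer points at a configuration detail rather than the bucket policy, but in this setup both failure modes look identical from the browser: S3 reports a missing object key as 403 Access Denied (not 404) when the caller has no s3:ListBucket permission on the bucket, and the OAC grant above only gives s3:GetObject. The following Python checker is an added example, not code from the question, the answer or AWS: it validates an OAC bucket policy against the expected bucket and distribution ARN (service principal, s3:GetObject, resource, AWS:SourceArn condition, and no leftover anonymous grant), and separately flags a default root object with a leading slash. The sample policy and ARN are the dummy values from the question, and the function names are my own.

```python
import json
from typing import Any, Dict, List

# Constructed sample input: the bucket policy as posted in the question
# (the account and distribution ids are the poster's dummy values).
SAMPLE_BUCKET = "examplebucketid"
SAMPLE_DISTRIBUTION_ARN = "arn:aws:cloudfront::11736596049:distribution/E1OS67E245W70W"
SAMPLE_POLICY = """{
    "Version": "2008-10-17",
    "Id": "PolicyForCloudFrontPrivateContent",
    "Statement": [
        {
            "Sid": "AllowCloudFrontServicePrincipal",
            "Effect": "Allow",
            "Principal": {"Service": "cloudfront.amazonaws.com"},
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::examplebucketid/*",
            "Condition": {
                "StringEquals": {
                    "AWS:SourceArn": "arn:aws:cloudfront::11736596049:distribution/E1OS67E245W70W"
                }
            }
        }
    ]
}"""


def _as_list(value: Any) -> List[Any]:
    """Most IAM policy fields may be a single value or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def check_oac_bucket_policy(policy_json: str, bucket: str, distribution_arn: str) -> List[str]:
    """Return the problems found in a bucket policy meant for CloudFront OAC.

    An empty list means: the CloudFront service principal may read objects in
    `bucket`, only on behalf of `distribution_arn`, and nobody else is granted access.
    """
    try:
        policy: Dict[str, Any] = json.loads(policy_json)
    except json.JSONDecodeError as exc:
        return [f"policy is not valid JSON: {exc}"]

    problems: List[str] = []
    expected_resource = f"arn:aws:s3:::{bucket}/*"
    oac_statements: List[Dict[str, Any]] = []

    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        sid = stmt.get("Sid", "<no Sid>")
        # An anonymous grant means the bucket is still public, defeating the point of OAC.
        if principal == "*" or (isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))):
            problems.append(f"{sid}: allows anonymous ('*') access, so the bucket is still public")
            continue
        services = _as_list(principal.get("Service")) if isinstance(principal, dict) else []
        if "cloudfront.amazonaws.com" in services:
            oac_statements.append(stmt)

    if not oac_statements:
        problems.append("no Allow statement grants the cloudfront.amazonaws.com service principal")
        return problems

    for stmt in oac_statements:
        sid = stmt.get("Sid", "<no Sid>")
        if not {"s3:GetObject", "s3:*"} & set(_as_list(stmt.get("Action"))):
            problems.append(f"{sid}: Action does not include s3:GetObject")
        if expected_resource not in _as_list(stmt.get("Resource")):
            problems.append(f"{sid}: Resource does not include {expected_resource}")
        # IAM condition key names are case-insensitive, so normalise before the lookup.
        equals = stmt.get("Condition", {}).get("StringEquals", {})
        allowed_sources = _as_list({k.lower(): v for k, v in equals.items()}.get("aws:sourcearn"))
        if not allowed_sources:
            problems.append(f"{sid}: no AWS:SourceArn condition; any OAC-enabled distribution in any account could read the bucket")
        elif distribution_arn not in allowed_sources:
            problems.append(f"{sid}: AWS:SourceArn does not include {distribution_arn}")
    return problems


def check_default_root_object(value: str) -> List[str]:
    """The default root object is an S3 object key, not a URL path, so it must not start with '/'.

    A wrong key shows up as 403 rather than 404 because the OAC principal has no
    s3:ListBucket permission, and S3 then reports a missing object as Access Denied.
    """
    if not value:
        return ["no default root object set; a request for '/' will not serve index.html"]
    if value.startswith("/"):
        return [f"default root object '{value}' has a leading slash; use '{value.lstrip('/')}'"]
    return []


def diagnose(policy_json: str, bucket: str, distribution_arn: str, default_root_object: str) -> List[str]:
    """Run both checks and return one combined list of problems."""
    return check_oac_bucket_policy(policy_json, bucket, distribution_arn) + check_default_root_object(default_root_object)


if __name__ == "__main__":
    # With the question's policy and root object, only the root-object problem is reported.
    for problem in diagnose(SAMPLE_POLICY, SAMPLE_BUCKET, SAMPLE_DISTRIBUTION_ARN, "/index.html") or ["no problems found"]:
        print(problem)
```

Run against the question's own inputs it reports only the leading-slash root object, which is the answer's finding; run against a policy without the AWS:SourceArn condition it flags the wider grant, which is the thing to keep when tightening a bucket to CloudFront-only access.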

huangapple
  • This post was published on 2023-04-04 03:20:17
  • Please keep this link when reposting: https://go.coder-hub.com/75923055.html