aws-well-architected-labs
Security Cloudfront
I've followed the instructions for CloudFront w/ an S3 Bucket Origin but have continued to get 403s when accessing the distribution.
<Error>
<Code>AccessDenied</Code>
<Message>Access Denied</Message>
<RequestId>66DD2A4C3CF92CE4</RequestId>
<HostId>
1xVSeC/qY76pOcObzhoz+untoV1oPlnS3ooMinQwSlu5gNjzA/pZkkKLTm72Kg6aICWM8VBXRTI=
</HostId>
</Error>
I can see the S3 policy has been updated to allow CloudFront to perform an S3:GetObject:
{
"Version": "2008-10-17",
"Id": "PolicyForCloudFrontPrivateContent",
"Statement": [
{
"Sid": "1",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity E2KCY3TPOOHOWY"
},
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::bucket/*"
}
]
}
I've been trying to troubleshoot using this resource and watched this video. In it, she adds a policy to let anonymous users read from the bucket. Is that a step missing in this guide?
I turned on logging and I can see my requests, but it's unclear what's missing:
4 2021-01-07 20:04:12 PHX50-C2 975 173.224.160.117 GET d1dwdqmroukil9.cloudfront.net / 307 - Mozilla/5.0%20(Macintosh;%20Intel%20Mac%20OS%20X%2010.15;%20rv:85.0)%20Gecko/20100101%20Firefox/85.0 - - Miss E0AAZGmHXzldQ6iXAxgu1rinHbGihIWYcPr92ctH1k0YjyG2TCM6fw== d1dwdqmroukil9.cloudfront.net http 386 0.237 10.185.39.185 - - Miss HTTP/1.1 - - 21627 0.237 Miss application/xml - -
Hi @allcentury, I'm going to rewrite this using the new experience in the console, as that enables the permissions for you. It may also be that the objects are KMS-encrypted, if you've done that or bucket-level encryption.
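As an added example (not from the lab or from anyone in this thread), here is an offline check over the bucket policy and the CloudFront log record posted above: it parses the record by the documented CloudFront standard-log field order, checks whether the policy grants the OAI s3:GetObject on a given bucket, and maps the logged status to the usual S3-origin hints. The field order and the OAI principal ARN format follow the AWS documentation; the hint text in `diagnose` is my own summary, and `my-real-origin-bucket` is a constructed placeholder name.

```python
from urllib.parse import unquote
# Field order of the CloudFront standard access log (per AWS docs); "-" marks an empty field.
LOG_FIELDS = (
    "date", "time", "x-edge-location", "sc-bytes", "c-ip", "cs-method", "cs(Host)", "cs-uri-stem", "sc-status",
    "cs(Referer)", "cs(User-Agent)", "cs-uri-query", "cs(Cookie)", "x-edge-result-type", "x-edge-request-id",
    "x-host-header", "cs-protocol", "cs-bytes", "time-taken", "x-forwarded-for", "ssl-protocol", "ssl-cipher",
    "x-edge-response-result-type", "cs-protocol-version", "fle-status", "fle-encrypted-fields", "c-port",
    "time-to-first-byte", "x-edge-detailed-result-type", "sc-content-type", "sc-content-len", "sc-range-start",
    "sc-range-end")

# Copy of the bucket policy from the question; its Resource ARN names a bucket literally called "bucket".
POLICY = {"Version": "2008-10-17", "Id": "PolicyForCloudFrontPrivateContent", "Statement": [{"Sid": "1",
    "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity E2KCY3TPOOHOWY"},
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::bucket/*"}]}

# The log record from the question, minus the leading row number "4" (it is not a log field).
LOG_LINE = ("2021-01-07 20:04:12 PHX50-C2 975 173.224.160.117 GET d1dwdqmroukil9.cloudfront.net / 307 - Mozilla/5.0%20"
            "(Macintosh;%20Intel%20Mac%20OS%20X%2010.15;%20rv:85.0)%20Gecko/20100101%20Firefox/85.0 - - Miss "
            "E0AAZGmHXzldQ6iXAxgu1rinHbGihIWYcPr92ctH1k0YjyG2TCM6fw== d1dwdqmroukil9.cloudfront.net http 386 0.237 "
            "10.185.39.185 - - Miss HTTP/1.1 - - 21627 0.237 Miss application/xml - -")

def as_list(value):
    """IAM policy elements may be one string or a list; normalise to a list."""
    return [value] if isinstance(value, str) else list(value or [])

def parse_log_line(line):
    """Split one whitespace-separated CloudFront record into a dict, URL-decoding each field."""
    values = [unquote(v) for v in line.split()]
    return {name: (None if v == "-" else v) for name, v in zip(LOG_FIELDS, values)}

def oai_can_get_objects(policy, oai_id, bucket):
    """True if an Allow statement grants s3:GetObject on bucket/* to the given OAI."""
    principal = f"arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity {oai_id}"
    objects = f"arn:aws:s3:::{bucket}/*"
    for stmt in policy.get("Statement", []):
        who = stmt.get("Principal", {})  # may be a dict ({"AWS": ...}) or the string "*"
        granted_to = as_list(who.get("AWS")) if isinstance(who, dict) else as_list(who)
        if (stmt.get("Effect") == "Allow" and principal in granted_to
                and "s3:GetObject" in as_list(stmt.get("Action"))
                and objects in as_list(stmt.get("Resource"))):
            return True
    return False

def diagnose(entry):
    """Map the status CloudFront logged to the usual S3-origin hint (a pointer, not a proof)."""
    status = entry.get("sc-status")
    hints = {"403": "origin denied: check the OAI principal, s3:GetObject and the Resource ARN against the real bucket; OAI cannot read SSE-KMS objects",
             "307": "origin redirected: S3 answered with a redirect, not an access denial"}
    return hints.get(status, f"status {status}: not an S3 permission symptom")
```

Running `oai_can_get_objects(POLICY, "E2KCY3TPOOHOWY", "<your actual bucket name>")` against the policy above returns False for any bucket not literally named "bucket", which is the first thing to confirm when the 403 persists.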