
I am trying to build a website whose main area doesn't need authentication, but the subdomain requires the user to log in. I am trying to achieve it by using CloudFront standing in front of two S3 buckets. I have a lambda function I obtained online which is inserted into one of the behaviors.

As for S3, I created two buckets: one is www.xxx.com.s3.amazonaws.com and the second one is www.xxx.com.relj.s3-website-us-east-1.amazonaws.com. Static website hosting is enabled on both buckets. Public access is disabled, and the bucket policy for the main bucket is

{
    "Version": "2008-10-17",
    "Id": "PolicyForCloudFrontPrivateContent",
    "Statement": [
        {
            "Sid": "1",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity EXXXCD2PW2IQU"
            },
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::www.xxx.com/*"
        }
    ]
}

The bucket policy for the other bucket is

{
    "Version": "2008-10-17",
    "Id": "PolicyForCloudFrontPrivateContent",
    "Statement": [
        {
            "Sid": "1",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity EXXXCD2PW2IQU"
            },
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::www.xxx.com.relj/*"
        }
    ]
}

For my CloudFront setup, I have two origins, www.xxx.com.s3.amazonaws.com and www.xxx.com.relj.s3-website-us-east-1.amazonaws.com. I set up three behaviors: one is the default, another is /, and the last one is relj/. The last one points to www.xxx.com.relj.s3-website-us-east-1.amazonaws.com with the lambda function attached.

When I access the main site, dXXjxu7k28es7y.cloudfront.net, I can see my website. But when I go to dXXjxu7k28es7y.cloudfront.net/relj/index.html, I see the login prompt. After I put in the correct user name and password, it gives me a 403. I even tried making everything in the relj bucket public, and I still can't access it through dXXjxu7k28es7y.cloudfront.net/relj/index.html. I am able to access it from https://s3.amazonaws.com/www.xxx.com.relj/index.html.

The response is

403, Forbidden
date: Sat, 27 Jan 2018 01:15:07 GMT
x-amz-error-code: AccessDenied
last-modified: Fri, 26 Jan 2018 22:23:50 GMT
server: AmazonS3
etag: "b5aa4b118fdf2980dd7e4d7d81db9a08"
x-amz-error-message: Access Denied
content-type: text/html
via: 1.1 bdfe34c94134f86b07ebb7714d12d095.cloudfront.net (CloudFront)
x-cache: Error from cloudfront
connection: keep-alive
content-length: 51
x-amz-cf-id: hRebSOcNA38KGcXkA2LrzXftvqxaSB7ffVqbqcrWj0_2rQua9aQAkA==

I am new to AWS, so all these policies are new to me. From what I have seen, the lambda executed, so it's reaching the URL. I can provide more info. Thanks for reading.

user3037484
  • It looks like you are trying to mix and match the S3 static web hosting feature with an Origin Access Identity, which does not work -- [it's outside the design scope of S3's static web site hosting to support authenticated access.](https://docs.aws.amazon.com/AmazonS3/latest/dev/WebsiteEndpoints.html) Note also that CloudFront is not returning this error. `Server: Amazon S3`, the `x-amz-error-*` and a `text/html` (not XML) error content indicate the 403 originates at an S3 web site endpoint. Exactly how to fix it will depend on exactly what you need to accomplish. – Michael - sqlbot Jan 27 '18 at 02:59
  • I would like to have two behaviors, each hitting a different S3 bucket. What is the best way to fix this? Thanks so much. Since I have one origin "www.xxx.com.s3.amazonaws.com" and the other "www.xxx.com.relj.s3-website-us-east-1.amazonaws.com", should I change the second one to "www.xxx.com.relj.s3.amazonaws.com"? – user3037484 Jan 29 '18 at 02:31
  • Turn on logging for your buckets and review the log a few minutes after generating the 404 error to see what S3 is logging. – Michael - sqlbot Jan 29 '18 at 02:34
  • I didn't get 404. 2018-01-29 03:01:53 MIA3-C1 602 96.246.34.205 GET dXXjxu8k28es7y.cloudfront.net /relj/index.html 403 - Mozilla/5.0%2520(Macintosh;%2520Intel%2520Mac%2520OS%2520X%252010_13_3)%2520AppleWebKit/537.36%2520(KHTML,%2520like%2520Gecko)%2520Chrome/64.0.3282.119%2520Safari/537.36 - - Error bDL3zmAaF_CIiPhIhTvqH-32ovFkyDKV7K-X7XKa39fRgoebx1Inaw== dXXjxu8k28es7y.cloudfront.net http 466 0.001 - - - Error HTTP/1.1 The behavior Path Pattern is set as relj/*. Does it sound right? Thanks. – user3037484 Jan 29 '18 at 03:17
  • Sorry, typo, I intended to say 403. This is a CloudFront log. You want to look at the S3 log. Note that the URL requested by the browser is what will be sent to the bucket, regardless of path pattern, which is only used for routing -- it doesn't modify the request. Is the object key `relj/index.html` or just `index.html`? – Michael - sqlbot Jan 29 '18 at 03:40
  • The object key is index.html in the relj S3 bucket. I see the S3 log has "REST.GET.ENCRYPTION - "GET /www.XXX.com?encryption= HTTP/1.1" 404 ServerSideEncryptionConfigurationNotFoundError 361 - 795 - "-" "S3Console/0.4, aws-internal/3" -" and "REST.GET.TAGGING - "GET /www.XXX.com?tagging= HTTP/1.1" 404 NoSuchTagSet 298 - 1332 - "-" "S3Console/0.4, aws-internal/3" -". Does it mean CloudFront expects encryption? – user3037484 Jan 29 '18 at 15:41
  • These entries are caused by you, looking at the bucket from the console. – Michael - sqlbot Jan 30 '18 at 00:04
  • I tried it again and here are the two lines "2018-01-30 01:50:24 EWR52-C1 592 96.246.34.205 GET XX.cloudfront.net /relj/index.html 403 - Mozilla/5.0%2520(Windows%2520NT%25206.1;%2520Win64;%2520x64)%2520AppleWebKit/537.36%2520(KHTML,%2520like%2520Gecko)%2520Chrome/63.0.3239.132%2520Safari/537.36 - - Error 3SWDO_v7TPye6UgU-gdwAJOfOm0V2uzZDT0ygGevdQVe7szvOxbD1w== XX.cloudfront.net http 433 0.025 - - - Error HTTP/1.1 - - – user3037484 Jan 30 '18 at 02:00
  • and 2018-01-30 01:50:24 EWR52-C1 600 96.246.34.205 GET dXXjxu8k28es7y.cloudfront.net /favicon.ico 403 http://dXXjxu8k28es7y.cloudfront.net/relj/index.html Mozilla/5.0%2520(Windows%2520NT%25206.1;%2520Win64;%2520x64)%2520AppleWebKit/537.36%2520(KHTML,%2520like%2520Gecko)%2520Chrome/63.0.3239.132%2520Safari/537.36 - - Error LSkTmipUU4-MALUXbV_pT7YV39gFMpJPkga7tl1FcdHRjYbLAWPXeA== XX.cloudfront.net http 416 0.000 - - - Error HTTP/1.1 - - – user3037484 Jan 30 '18 at 02:00
  • Do you think my origin setup is wrong? Is it not pointing to the relj bucket? – user3037484 Jan 30 '18 at 02:05

1 Answer


Replying to this old post for those that follow:

In my case I had two S3 origins; one of them I configured with a default behaviour of qa/*.

The problem I encountered was that the full path gets forwarded to the bucket by default, e.g. requesting myurl.com/qa/xxx.html was forwarding a request for qa/xxx.html to my qa origin, where I was only expecting xxx.html to be forwarded.

I moved my files into a qa folder on the second origin bucket as a quick fix.

brianbruff
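An alternative to moving the files, as an added example that is not code from the question, the comments or the answer: a Lambda@Edge origin-request handler that strips the behavior's path prefix (the `relj/*` pattern from the comment thread, the `qa/*` one from the answer) before CloudFront forwards the request, so the bucket keeps its private layout behind an OAI on the REST (non-website) origin endpoint. The `/relj` prefix and the index-document fallback are assumptions; the handler must be attached as an origin-request trigger, separate from the authentication function the asker already has.

```javascript
'use strict';
// Added example (not from the question or answer): Lambda@Edge origin-request
// handler. CloudFront's path pattern only routes; the viewer URI is forwarded
// unchanged, so /relj/index.html is requested as key "relj/index.html" and the
// bucket (which only holds "index.html") answers 403 AccessDenied.
// Assumed prefix for the "relj/*" behavior.
const PREFIX = '/relj';

// Rewrite the viewer URI to the object key the bucket actually holds.
// Edge cases: "/relj" and "/relj/" both become "/index.html", because
// Default Root Object applies only at the distribution root and an S3 REST
// endpoint (needed for OAI) has no index-document support of its own.
// Other behaviors' URIs (e.g. "/reljx/a") are left untouched.
function rewriteUri(uri) {
  let path = uri;
  if (path === PREFIX || path.startsWith(PREFIX + '/')) {
    path = path.slice(PREFIX.length);
  }
  if (path === '') {
    path = '/';
  }
  if (path.endsWith('/')) {
    path += 'index.html';
  }
  return path;
}

// Lambda@Edge entry point: mutate request.uri and hand the request back.
const handler = async (event) => {
  const request = event.Records[0].cf.request;
  request.uri = rewriteUri(request.uri);
  return request;
};

// Constructed sample event in the origin-request shape, trimmed to the
// fields this handler touches.
const sampleEvent = {
  Records: [{ cf: { request: { uri: '/relj/index.html', method: 'GET', headers: {} } } }],
};

if (typeof module !== 'undefined') {
  module.exports = { handler, rewriteUri, sampleEvent };
}
```

With the behavior pointed at `www.xxx.com.relj.s3.amazonaws.com` (REST endpoint) plus the OAI policy already shown, this keeps the bucket non-public while `/relj/...` resolves to the right keys.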