AWS CloudFront some users are getting access denied


I have configured AWS S3 and CloudFront some months ago, all works a dream. However, I am getting some issues with users reporting Access Denied - but it seems intermittent.

Anyone seen this before?


Yeah, I’ve had a lot of problems with this myself and am still trying to resolve it. I got some suggestions from a post that might be worth looking at. I’m in the middle of creating a new bucket and CloudFront config in my test enviro to see if somehow my permissions got messed up. I’ll keep you posted. And if you figure out something, let us know!

I have this same issue. Intermittent access denied, but after some time, it will randomly work. Has anyone figured out the secret to getting it to work properly? I'm going to work on this today. I will report back if I figure it out.

I did not exactly get CloudFront working again. I decided just to use S3 since the files I am delivering are fairly small. Here are some tips I think will be helpful:

I had an existing S3 bucket. I noticed that in the setting for s2 download option, in the S3/CDN storage option, Google Chrome was auto-filling the access key ID field with a random autofill, so maybe at some point I updated the settings, and that incorrect information might then have been stored as a setting. I would never know this happened because that field only shows dots and not the data in plain text. So make sure you have the correct information entered.

No matter what I did, I was not able to get the CloudFront side working properly. It did create the distributions, and update the bucket policy for the S3 correctly and the access control list for S3 correctly. It just seemed to always give access denied. So I just decided to use S3 only and just hit the “reset cloudfront configuration” button to leave it blank. I then manually deleted the CloudFront distro it made, and the Origin Access Identity it made.

In situations like this I always guess that the link expired. S3 + CF expiring links were invented at a time when people booted up desktops, did work, and shut down at the end of the day. So if someone was in the middle of a video that had an expiring link, having to log in again the next morning seemed normal. But now that we do everything on our phones in tens of tabs, we might pause a video and browse other sites and then come back to see (but not understand) that the link expired and see that type of error. Not sure that’s your case, but it’s the reason why lots of expiring link solutions fail now.

Protecting your content too much usually harms your paying customers more than protecting lost revenue.
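
To check the expired-link theory against a URL taken from a user report, the script below (an added example, not part of the thread and not code from the plugin discussed) reads the expiry out of a CloudFront signed URL or an S3 presigned URL and compares it with the time the 403 was seen. The sample URLs, hostnames, signature and key-id values are constructed placeholders.

```python
import base64
import json
from datetime import datetime, timezone
from urllib.parse import urlsplit, parse_qs

def link_expiry(url):
    """Return (scheme, expiry_epoch) for a signed URL, or (None, None) if unsigned."""
    q = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    if "Policy" in q and "Key-Pair-Id" in q:
        # CloudFront custom policy: base64 JSON with + = / swapped for - _ ~
        raw = q["Policy"].translate(str.maketrans("-_~", "+=/"))
        cond = json.loads(base64.b64decode(raw))["Statement"][0]["Condition"]
        return "cloudfront-custom", int(cond["DateLessThan"]["AWS:EpochTime"])
    if "Expires" in q and "Key-Pair-Id" in q:
        # CloudFront canned policy: Expires is an absolute Unix timestamp
        return "cloudfront-canned", int(q["Expires"])
    if "X-Amz-Date" in q and "X-Amz-Expires" in q:
        # S3 SigV4 presigned URL: signing time plus a lifetime in seconds
        start = datetime.strptime(q["X-Amz-Date"], "%Y%m%dT%H%M%SZ")
        start = start.replace(tzinfo=timezone.utc)
        return "s3-sigv4", int(start.timestamp()) + int(q["X-Amz-Expires"])
    if "Expires" in q and "AWSAccessKeyId" in q:
        # Legacy S3 SigV2 presigned URL: absolute Unix timestamp
        return "s3-sigv2", int(q["Expires"])
    return None, None

def diagnose(url, now):
    """Say whether a 403 on this URL is explained by the link having expired."""
    scheme, expiry = link_expiry(url)
    if scheme is None:
        return "unsigned: expiry cannot explain the 403"
    left = expiry - now
    state = "EXPIRED %ds ago" % -left if left <= 0 else "valid for %ds" % left
    return "%s: %s" % (scheme, state)

# Constructed sample URLs (hostname, signature and key id are placeholders).
SAMPLES = [
    "https://dexample.cloudfront.net/video.mp4?Expires=1700000000"
    "&Signature=CONSTRUCTED&Key-Pair-Id=KEXAMPLE",
    "https://example-bucket.s3.amazonaws.com/video.mp4?X-Amz-Date=20240101T000000Z"
    "&X-Amz-Expires=3600&X-Amz-Signature=CONSTRUCTED",
    "https://dexample.cloudfront.net/video.mp4",
]

if __name__ == "__main__":
    for u in SAMPLES:
        print(diagnose(u, now=1704069000))
```

Pass the timestamp of the failed request as `now`, not the current time. A link reported as still valid points to something other than expiry, such as credentials or the bucket policy; an S3 presigned URL signed with temporary credentials also stops working when those credentials expire, regardless of `X-Amz-Expires`.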