CloudFront returning 403 instead of 404 for missing pages from S3 using OAC

Gar*_*son 4 amazon-s3 amazon-web-services amazon-cloudfront

Using AWS CloudFormation I set up a CloudFront distribution to serve content from a private S3 bucket. I do not have the bucket configured as an S3 website; rather, I'm using the latest-and-greatest technique: Origin Access Control (OAC). See Restricting access to an Amazon S3 origin. I'm using Route53 and Certificate Manager to serve the CloudFront distribution over TLS with a custom domain example.com.


So far the basics are working fine for URLs that reference objects that exist in the S3 bucket. I can access https://example.com/foobar.html just fine, for example. But if I request a file that does not exist, such as https://example.com/missing.html, CloudFront returns a 403 "Access Denied" instead of a 404 "Not Found".


I can make a wild guess that some communication between CloudFront and S3 makes CloudFront think its access is denied if the object doesn't exist. (Still that doesn't explain why.) Is this a bug? Is this expected behavior? How are we expected to use CloudFront+S3+OAC with this odd behavior; does AWS expect us to set up a CloudFront custom error response to convert 403 to 404? (But why would we want to assume all access denied errors in CloudFormation really indicate a missing object on S3?)


Note that I found various other CloudFront questions related to 403, but none of them concern an OAC configuration, and most of the others are about CloudFront distributions that always return 403, not just for missing files.


Mic*_*bot 6

Unless you have the s3:ListBucket permission, S3 by design returns a 403 Forbidden status with an AccessDenied error for missing objects. This is because without s3:ListBucket the principal is not authorized to know whether the object is missing or whether it exists but they are not allowed to access it.

Note that, unlike s3:GetObject, which is an object-level permission whose resource ARN is arn:aws:s3:::bucket-name/*, s3:ListBucket is a bucket-level permission, so its resource is arn:aws:s3:::bucket-name without the trailing /*.

After updating the bucket policy you should find that 404 works as expected, but you will also need to set the distribution's CloudFront default root object to whatever should be returned for a request for /, otherwise the bucket listing will be returned, which is probably not what you want.

Also note the error caching minimum TTL, which causes CloudFront to cache these 403s for 5 minutes, separately from the other TTL settings of the cache behavior.
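The bucket policy the answer describes, written as a CloudFormation fragment since the question uses CloudFormation. This is an added example, not code from the question or the answer; it assumes the template already defines an AWS::S3::Bucket named ContentBucket and an AWS::CloudFront::Distribution named Distribution that uses an Origin Access Control, and both logical names are placeholders.

```yaml
# Added example (assumed template with ContentBucket and Distribution resources).
# Two statements, both scoped to this one distribution via AWS:SourceArn, which is
# how the OAC service-principal policy is restricted to a single distribution.
Resources:
  ContentBucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: !Ref ContentBucket
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          # Object-level permission: the resource ARN carries the trailing /*.
          - Sid: AllowCloudFrontGetObject
            Effect: Allow
            Principal:
              Service: cloudfront.amazonaws.com
            Action: s3:GetObject
            Resource: !Sub "${ContentBucket.Arn}/*"
            Condition:
              StringEquals:
                AWS:SourceArn: !Sub "arn:aws:cloudfront::${AWS::AccountId}:distribution/${Distribution}"
          # Bucket-level permission: the resource is the bucket ARN itself, with
          # no trailing /*. Without this statement S3 answers a request for a
          # missing key with 403 AccessDenied; with it, S3 can return 404 instead.
          - Sid: AllowCloudFrontListBucket
            Effect: Allow
            Principal:
              Service: cloudfront.amazonaws.com
            Action: s3:ListBucket
            Resource: !GetAtt ContentBucket.Arn
            Condition:
              StringEquals:
                AWS:SourceArn: !Sub "arn:aws:cloudfront::${AWS::AccountId}:distribution/${Distribution}"
```

Because s3:ListBucket lets a request for / return the bucket listing, set DefaultRootObject (for example index.html) in the distribution's DistributionConfig in the same template, and expect cached 403s to persist until the error caching minimum TTL expires after the policy change.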