amazon-web-services - aws cloudfront - S3 拒绝访问

Question

我已经创建了一个 Cloudfront 分发和 S3 存储桶。
我在访问 Cloudfront 网址时遇到 Access Denied 错误 asdf123456.cloudfront.net

我尝试在我的 cloudformation 模板中添加自定义错误消息，但仍然无法正常工作。

Cloudformation 中的我的 Json 模板

{
    "AWSTemplateFormatVersion": "2010-09-09",

    "Parameters": {
        "S3BucketName": {
            "Type": "String",
            "Default": "test-server-dev"
        },
        "S3BucketWebName": {
          "Type": "String",
          "Default": "test-web-dev"
        },
        "CloudfrontDistributionOriginId": {
          "Type": "String",
          "Default": "test_dev"
        }
    },

    "Resources": {
      "S3BucketWeb": {
        "Type": "AWS::S3::Bucket",
        "Properties": {
          "BucketName": {
              "Ref": "S3BucketWebName"
           }
        }
      },
      "CloudfrontDistributionWeb": {
        "Type" : "AWS::CloudFront::Distribution",
        "Properties" : {
            "DistributionConfig" : {
              "CustomErrorResponses" : [
                {
                  "ErrorCachingMinTTL" : 300,
                  "ErrorCode" : 403,
                  "ResponseCode" : 200,
                  "ResponsePagePath" : "/index.html"
                }
              ],
              "DefaultCacheBehavior": {            
                  "AllowedMethods" : ["GET", "HEAD"],
                  "CachedMethods" : ["GET", "HEAD"],
                  "CachePolicyId" : "658327ea-f89d-4fab-a63d-7e88639e58f6",
                  "Compress" : false,
                  "TargetOriginId" : {
                    "Ref": "S3BucketWebName"
                  },
                  "ViewerProtocolPolicy" : "redirect-to-https"
              },
              "DefaultRootObject" : "index.html",
              "Enabled" : true,
              "HttpVersion": "http2",
              "IPV6Enabled" : true,
              "Origins" : [
                {
                  "ConnectionAttempts" : 3,
                  "ConnectionTimeout" : 10,
                  "DomainName" : {
                    "Fn::GetAtt": [
                      "S3BucketWeb",
                      "DomainName"
                    ]
                  },
                  "Id" : {
                    "Ref": "S3BucketWebName"
                  },
                  "S3OriginConfig": {
                    "OriginAccessIdentity" : ""
                  }
                }
              ],
              "Restrictions" : {
                "GeoRestriction" : {
                  "RestrictionType" : "none"
                }
              },
              "ViewerCertificate" : {
                "CloudFrontDefaultCertificate" : true
              }
            }
        }
      }
    }
  }

更新

存储桶策略

{
    "Version": "2008-10-17",
    "Id": "PolicyForCloudFrontPrivateContent",
    "Statement": [
        {
            "Sid": "1",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity EBJE9SUE3W57Q"
            },
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::test-web-dev/*"
        }
    ]
}

Answer 1

我无法正确理解这个问题，但如果您在上传云形成模板时遇到 s3 访问被拒绝的情况，那么您可能缺少允许执行此类操作然后将其附加到形成模板的安全组或 IAM 角色本身。