Step 1: Disable Signed URLs or Signed Cookies
If you're using signed URLs or signed cookies, start by disabling them temporarily and testing access without them.
- CloudFront blocks access when the signature is invalid or the key pair isn’t recognized.
- Try serving the content publicly first to confirm whether the issue is related to signed authentication.
- If access works without signed URLs, check your key pair and signature settings before re-enabling them.
Step 2: Check If CloudFront Can Access Your S3 Bucket
Even if your S3 bucket is publicly accessible, CloudFront requires explicit permissions. AWS offers two ways to allow CloudFront to access S3:
Option 1: Origin Access Control (OAC) (Preferred Method)
OAC is AWS’s latest method for securing S3 access. If you're using it, verify:
- The CloudFront distribution is associated with the correct OAC.
- The S3 bucket policy allows access from the OAC’s AWS principal.
Example S3 bucket policy for OAC:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "Service": "cloudfront.amazonaws.com" },
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::your-bucket-name/*",
      "Condition": {
        "StringEquals": {
          "aws:SourceArn": "arn:aws:cloudfront::YOUR_AWS_ACCOUNT_ID:distribution/DISTRIBUTION_ID"
        }
      }
    }
  ]
}
Make sure to replace your-bucket-name, YOUR_AWS_ACCOUNT_ID, and DISTRIBUTION_ID with your actual values.
Option 2: Origin Access Identity (OAI) (Legacy Method)
If you’re still using OAI, confirm:
- The OAI is attached to the CloudFront distribution.
- The S3 bucket policy grants access to the OAI.
Example bucket policy for OAI:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity YOUR_OAI_ID"
      },
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::your-bucket-name/*"
    }
  ]
}
Replace YOUR_OAI_ID and your-bucket-name with the correct values.
If your CloudFront Access Denied error persists, move on to the next step.
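Before applying a bucket policy from Step 2, it is worth checking offline that it actually contains a statement the distribution can use. The following script is an added example, not code from the original post or from AWS: it takes a bucket policy (as a dict, a JSON string, or the {"Policy": "..."} wrapper that `aws s3api get-bucket-policy` returns, where the policy is JSON nested inside JSON) and reports whether an Allow statement grants s3:GetObject on the bucket to the OAC service principal with a matching aws:SourceArn, or to the OAI principal. The account id, distribution id, OAI id and bucket name in the samples are constructed for the example.

```python
import json
from typing import Any, Dict, List, Tuple

# Constructed sample policies: account id, distribution id, OAI id and bucket name are invented.
SAMPLE_OAC_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"Service": "cloudfront.amazonaws.com"},
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::example-bucket/*",
            "Condition": {
                "StringEquals": {
                    "aws:SourceArn": "arn:aws:cloudfront::111122223333:distribution/EDFDVBD6EXAMPLE"
                }
            },
        }
    ],
}
SAMPLE_OAI_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity E1EXAMPLEOAI"},
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::example-bucket/*",
        }
    ],
}


def load_policy(raw: Any) -> Dict:
    """Accept a dict, a JSON string, or the {"Policy": "<json string>"} wrapper
    that `aws s3api get-bucket-policy` and boto3 return."""
    if isinstance(raw, dict) and isinstance(raw.get("Policy"), str):
        raw = raw["Policy"]
    if isinstance(raw, str):
        raw = json.loads(raw)
    return raw


def _as_list(value: Any) -> List:
    return value if isinstance(value, list) else [value]


def _grants_get_object(stmt: Dict, bucket: str) -> bool:
    """True if the statement is an Allow covering s3:GetObject on objects in `bucket`."""
    if stmt.get("Effect") != "Allow":
        return False
    actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
    if not actions & {"s3:getobject", "s3:get*", "s3:*", "*"}:
        return False
    resources = _as_list(stmt.get("Resource", []))
    return any(r in ("*", f"arn:aws:s3:::{bucket}/*") for r in resources)


def check_policy(raw_policy: Any, bucket: str, distribution_arn: str = None,
                 oai_id: str = None) -> Tuple[bool, List[str]]:
    """Return (ok, notes). ok is True when some statement lets the given OAC distribution
    (distribution_arn) or OAI (oai_id) read objects from `bucket`."""
    policy = load_policy(raw_policy)
    notes: List[str] = []
    oai_arn = f"arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity {oai_id}" if oai_id else None
    for stmt in _as_list(policy.get("Statement", [])):
        if not _grants_get_object(stmt, bucket):
            continue
        principal = stmt.get("Principal")
        if principal == "*" or principal == {"AWS": "*"}:
            notes.append("public-read statement found: CloudFront can read, but so can anyone")
            continue
        if not isinstance(principal, dict):
            continue
        if distribution_arn and "cloudfront.amazonaws.com" in _as_list(principal.get("Service", [])):
            arns = _as_list(stmt.get("Condition", {}).get("StringEquals", {}).get("aws:SourceArn", []))
            if distribution_arn in arns:
                return True, notes + ["OAC statement matches the distribution"]
            if not arns:
                # Access works, but without aws:SourceArn any distribution in any account qualifies.
                return True, notes + ["cloudfront.amazonaws.com allowed with no aws:SourceArn condition"]
            notes.append(f"aws:SourceArn {arns} does not include {distribution_arn}")
        if oai_arn and oai_arn in _as_list(principal.get("AWS", [])):
            return True, notes + ["OAI statement matches"]
    notes.append(f"no Allow statement grants s3:GetObject on {bucket} to the expected CloudFront principal")
    return False, notes
```

Run it against the policy pulled with `aws s3api get-bucket-policy --bucket <name>` and the distribution ARN or OAI id from the CloudFront console; a False result with the "does not include" note usually means the distribution id in the condition is stale.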
Step 3: Check Your S3 Bucket Settings
Even with the correct CloudFront policies, certain S3 bucket settings can still block access.
Common S3 Settings That Cause Access Denied Errors
1. Requester Pays Setting
If Requester Pays is enabled on your bucket, CloudFront will automatically deny access because it doesn’t support this feature.
To check if it's enabled:
- Go to Amazon S3 → Select your bucket
- Navigate to Properties → Look for Requester Pays
- If enabled, disable it and test again.
2. Public Access Block
AWS now blocks public access by default. If your bucket is still blocking CloudFront, ensure:
- S3 Public Access Block settings allow objects to be served via CloudFront.
- If using OAC or OAI, confirm no bucket-level policies contradict them.
3. Object Ownership Settings
CloudFront can return Access Denied if the objects are uploaded by another AWS account and you don’t have access.
- Go to S3 bucket settings → Object Ownership
- If it’s set to Bucket owner enforced, ensure that your IAM role has full access.
4. Disable AWS WAF
If you have AWS WAF enabled on the distribution, try disabling it temporarily.
5. Check bucket region
CloudFront distributions are single-region (us-east-1) but support S3 buckets in other regions. Make sure you are using the full region-specific endpoint for the bucket; otherwise CloudFront will look for the bucket in the wrong region:
<bucket.name>.s3-website-<aws-region>.amazonaws.com
Step 4: Check CloudFront Cache Behavior & Distribution Settings
If your S3 permissions are correct but you still get an Access Denied, check CloudFront’s configuration:
1. Verify Cache Behavior
- Ensure the Origin Request Policy allows S3 authentication headers (especially if using OAC).
- If signed URLs are enabled, confirm the cache behavior enforces authentication correctly.
2. Check Origin Path & Bucket Name
- The Origin Path should not contain the full bucket name (e.g., /my-bucket is incorrect).
- The Origin Domain Name should be the S3 bucket name, not a custom domain.
3. Test With CloudFront Logs
Enable CloudFront logs to see the exact reason for access failure.
- Go to CloudFront Distribution → Behaviors
- Enable Logging and check for specific error messages in CloudWatch.
You can also enable CloudTrail with data events to see the error message S3 returns when CloudFront calls S3 on your behalf.
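The bucket settings from Step 3 and the origin settings from Step 4 can all be read with the AWS CLI and checked together. The script below is an added example, not code from the original post or from AWS: it takes values shaped like the responses of `aws s3api get-bucket-location`, `get-bucket-request-payment` and `get-bucket-ownership-controls`, plus one entry of `DistributionConfig.Origins.Items` from `aws cloudfront get-distribution-config`, and reports Requester Pays, object ownership, a region mismatch between bucket and origin endpoint, an Origin Path that repeats the bucket name, and an origin with no OAC or OAI attached. The sample bucket name, region and ids are constructed for the example.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample values shaped like the CLI/boto3 responses named in the lead-in.
# Bucket name, regions and ids are invented for this example.
SAMPLE_BUCKET = {
    "name": "example-bucket",
    "location": {"LocationConstraint": "eu-west-1"},      # get-bucket-location
    "request_payment": {"Payer": "Requester"},             # get-bucket-request-payment
    "ownership": {"OwnershipControls": {"Rules": [{"ObjectOwnership": "BucketOwnerEnforced"}]}},
}
SAMPLE_ORIGIN = {                                          # one DistributionConfig.Origins.Items entry
    "Id": "s3-origin",
    "DomainName": "example-bucket.s3.us-east-1.amazonaws.com",
    "OriginPath": "/example-bucket",
    "OriginAccessControlId": "",
    "S3OriginConfig": {"OriginAccessIdentity": ""},
}

# S3 endpoint forms: bucket.s3.amazonaws.com, bucket.s3.<region>.amazonaws.com,
# bucket.s3-<region>.amazonaws.com, and the website form bucket.s3-website-<region>.amazonaws.com.
_S3_HOST = re.compile(
    r"^(?P<bucket>[a-z0-9.-]+?)\.s3(?P<website>-website)?(?:[.-](?P<region>[a-z0-9-]+))?\.amazonaws\.com$"
)


def diagnose(bucket: Dict, origin: Dict) -> List[Tuple[str, str]]:
    """Return (code, message) findings for one S3 origin; an empty list means nothing was flagged."""
    findings: List[Tuple[str, str]] = []
    name = bucket["name"]
    # get-bucket-location reports a null LocationConstraint for us-east-1
    region = bucket["location"].get("LocationConstraint") or "us-east-1"

    if bucket["request_payment"].get("Payer") == "Requester":
        findings.append(("requester_pays", "Requester Pays is enabled; CloudFront does not support it"))

    rules = bucket["ownership"].get("OwnershipControls", {}).get("Rules", [])
    if not any(r.get("ObjectOwnership") == "BucketOwnerEnforced" for r in rules):
        findings.append(("object_ownership",
                         "objects uploaded by other accounts may stay owned by them and fall outside the bucket policy"))

    match = _S3_HOST.match(origin["DomainName"])
    if not match:
        findings.append(("origin_domain", f"{origin['DomainName']} is not an S3 endpoint; CloudFront treats it as a custom origin"))
    else:
        if match.group("bucket") != name:
            findings.append(("origin_bucket", f"origin points at bucket {match.group('bucket')!r}, expected {name!r}"))
        if match.group("website"):
            findings.append(("website_endpoint", "website endpoint is a custom origin; OAC/OAI is not applied to it"))
        elif match.group("region") and match.group("region") != region:
            findings.append(("region_mismatch", f"origin endpoint region {match.group('region')} != bucket region {region}"))

    path = origin.get("OriginPath", "")
    if path.strip("/") == name:
        findings.append(("origin_path", f"OriginPath {path!r} repeats the bucket name; use '' or a real key prefix"))

    oac = origin.get("OriginAccessControlId") or ""
    oai = origin.get("S3OriginConfig", {}).get("OriginAccessIdentity") or ""
    if not oac and not oai:
        findings.append(("no_origin_access", "neither OAC nor OAI attached; requests reach S3 unsigned, so the bucket would have to be public"))
    return findings


if __name__ == "__main__":
    for code, message in diagnose(SAMPLE_BUCKET, SAMPLE_ORIGIN):
        print(f"[{code}] {message}")
```

The sample deliberately trips four checks at once (Requester Pays, region mismatch, Origin Path, missing OAC/OAI); swapping in the real responses for your bucket and distribution leaves only the findings that apply.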
Final Thoughts: Fixing CloudFront Access Denied the Right Way
Debugging CloudFront Access Denied errors can be tedious, but a structured approach will save you hours of frustration.
- Disable signed URLs/cookies and check if the issue is authentication-related.
- Ensure CloudFront has proper access via OAC or OAI and correct bucket policies.
- Verify S3 settings, especially Requester Pays, Public Access Block, and Object Ownership.
- Review CloudFront settings, making sure the Origin Path and Cache Behaviors align with your access setup.
By systematically following these steps, you’ll eliminate Access Denied errors and ensure seamless content delivery via CloudFront.

AWS CloudFront Access Denied might seem daunting, but try debugging it step by step.