We Keep Coding

CloudFront distribution can't access S3 bucket for website static assets

This question follow a previous one, i decided to close that since the code changed a bit and the question did not reflect my actual situation any more.
The problem
I'm trying to deploy an S3 bucket hosting my static website asset and a cloudfront distribution to access it, but the distribution still return a bare csv file for an 'access denied' error:
As this docs page states in the blue Notice alert, I've not made the bucket a website endpoint, this way I can use an OAC to restrict access to its content.
A strange thing is that checking the distribution origin from the web console I see this blue alert, but the copyable policy is the same I found in the bucket permission at the given link.
I have no error during deploy, so it must be a silly configuration error, but it keeps giving me headaches since a week now and I can't figure out what is wrong.
Bucket and object owners corresponds
Since mi website assets are uploaded to the bucket from a different project/pipeline i followed this guide to check if the bucket and the object owners were different but actually corresponds:
> aws s3api list-buckets --query Owner.ID
"3fdbd1e5cad4dd2bbf4c66a3dbaded6b888fdb67ff6aa6e66203a4107fe17b72"
> aws s3api list-objects --bucket my-test-bucket --prefix index.html
{
"Contents": [
{
"Key": "index.html",
"LastModified": "2023-01-20T11:05:38+00:00",
"ETag": "\"52f2df5ddf8c35391f3f15a7614def58\"",
"Size": 325,
"StorageClass": "STANDARD",
"Owner": {
"ID": "3fdbd1e5cad4dd2bbf4c66a3dbaded6b888fdb67ff6aa6e66203a4107fe17b72"
}
}
]
}
CloudFormation template
Resources:
BucketPolicy:
Type: 'AWS::S3::BucketPolicy'
DependsOn:
- AppBucket
- CloudFrontDistribution
Properties:
Bucket: !Ref AppBucket
PolicyDocument:
Id: MyPolicy
Version: '2012-10-17'
Statement:
Sid: PolicyForCloudFrontPrivateContent
Action: s3:GetObject
Effect: Allow
Principal:
Service: cloudfront.amazonaws.com
Condition:
StringEquals:
AWS:SourceArn: !Sub arn:aws:cloudfront::${AWS::AccountId}:distribution/${CloudFrontDistribution}
Resource: !Sub arn:aws:s3:::${AppBucket}/*
CloudFrontDistribution:
Type: AWS::CloudFront::Distribution
DependsOn:
- AppBucket
- DefaultCachePolicy
- DistributionOAC
Properties:
DistributionConfig:
Enabled: true
Origins:
- Id: AppBucket
DomainName: !GetAtt AppBucket.DomainName
OriginPath: /*
S3OriginConfig: {}
OriginAccessControlId: !Ref DistributionOAC
DefaultRootObject: index.html
DefaultCacheBehavior:
ViewerProtocolPolicy: redirect-to-https
TargetOriginId: AppBucket
CachePolicyId: !Ref DefaultCachePolicy
DistributionOAC:
Type: AWS::CloudFront::OriginAccessControl
Properties:
OriginAccessControlConfig:
Name: ExampleOAC
OriginAccessControlOriginType: s3
SigningBehavior: always
SigningProtocol: sigv4
AppBucket:
Type: 'AWS::S3::Bucket'
Properties:
BucketName: 'test-spa-stack-bucket-app'
PublicAccessBlockConfiguration:
BlockPublicAcls : false
BlockPublicPolicy : false
IgnorePublicAcls : false
RestrictPublicBuckets : false
DefaultCachePolicy:
Type: AWS::CloudFront::CachePolicy
Properties:
CachePolicyConfig:
Name: test-cache-policy
DefaultTTL: 10
MaxTTL: 10
MinTTL: 1
ParametersInCacheKeyAndForwardedToOrigin:
CookiesConfig:
CookieBehavior: none
EnableAcceptEncodingBrotli: true
EnableAcceptEncodingGzip: true
HeadersConfig:
HeaderBehavior: none
QueryStringsConfig:
QueryStringBehavior: none

You aren't to have much luck without using legacy OAI (for no reason).
So, here's a policy you can use for target S3 bucket after you create the OAI right there in Cloudfront:
{
"Version": "2008-10-17",
"Id": "PolicyForCloudFrontPrivateContent",
"Statement": [
{
"Sid": "1",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity INSERT_OAI_NUMBER_HERE"
},
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::BUCKET_NAME_HERE/*"
}
]
}
After you do that, it should return expected content.
If it does work for you and you start asking why, you'd better find something better to do.

Ok, I found a YT video that worked from cloud console, then I replicated it via CloudFormation stack template.
I think that my problem could be caused from either of these configurations:
bucket encription: I read somewhere (sorry I can't find the exact page) that CloudFront distribution cannot (directly) read bucket objects if encripted with anything different from SSE-S3, and since I omitted that configuration it probably did fallback on a non-compatible configuration
objects ownership: here too I forgot to add the cuket owner enforced policy
distribution accepted http version: here I accepted v.2
working template
Resources:
BucketPolicy:
Type: 'AWS::S3::BucketPolicy'
DependsOn:
- AppBucket
- CloudFrontDistribution
Properties:
Bucket: !Ref AppBucket
PolicyDocument:
Id: PolicyForCloudFrontPrivateContent
Version: '2008-10-17'
Statement:
Sid: AllowCloudFrontServicePrincipal
Action: s3:GetObject
Effect: Allow
Principal:
Service: cloudfront.amazonaws.com
Condition:
StringEquals:
AWS:SourceArn: !Sub arn:aws:cloudfront::${AWS::AccountId}:distribution/${CloudFrontDistribution}
Resource: !Sub arn:aws:s3:::${AppBucket}/*
CloudFrontDistribution:
Type: AWS::CloudFront::Distribution
DependsOn:
- AppBucket
- DistributionOAC
- LogsBucket
Properties:
DistributionConfig:
Enabled: true
HttpVersion: http2
Origins:
- Id: AppBucket
DomainName: !GetAtt AppBucket.DomainName
S3OriginConfig: {}
OriginAccessControlId: !Ref DistributionOAC
DefaultRootObject: index.html
DefaultCacheBehavior:
Compress: true
ViewerProtocolPolicy: allow-all
TargetOriginId: AppBucket
CachePolicyId: 658327ea-f89d-4fab-a63d-7e88639e58f6 # default CachingOptimized
Logging:
Bucket: !GetAtt LogsBucket.DomainName
IncludeCookies: true
Prefix: distribution/
AppBucket:
Type: 'AWS::S3::Bucket'
DependsOn:
- LogsBucket
Properties:
BucketName: 'test-spa-stack-bucket-app'
OwnershipControls:
Rules:
- ObjectOwnership: BucketOwnerEnforced
PublicAccessBlockConfiguration:
BlockPublicAcls : true
BlockPublicPolicy : true
IgnorePublicAcls : true
RestrictPublicBuckets : true
BucketEncryption:
ServerSideEncryptionConfiguration:
- ServerSideEncryptionByDefault:
SSEAlgorithm: AES256
LoggingConfiguration:
DestinationBucketName: !Ref LogsBucket
LogFilePrefix: app/
DistributionOAC:
Type: AWS::CloudFront::OriginAccessControl
Properties:
OriginAccessControlConfig:
Name: test-spa-distribution-oac
OriginAccessControlOriginType: s3
SigningBehavior: always
SigningProtocol: sigv4
LogsBucket:
Type: 'AWS::S3::Bucket'
Properties:
BucketName: 'test-spa-stack-bucket-logs'
PublicAccessBlockConfiguration:
BlockPublicAcls : true
BlockPublicPolicy : true
IgnorePublicAcls : true
RestrictPublicBuckets : true
AccessControl: LogDeliveryWrite
VersioningConfiguration:
Status: Enabled
BucketEncryption:
ServerSideEncryptionConfiguration:
- ServerSideEncryptionByDefault:
SSEAlgorithm: 'AES256'

Can't get S3 notification yaml/stack to work

Everything works perfectly in the code below if run without the 4 lines starting NotificationConfiguration . I thought this might be because of needing the topic policy before setting notification on the bucket. So have tried to do the initial create without the NotificationConfiguration lines and then add these in and update the stack.
But get the error Unable to validate the following destination configurations (Service: Amazon S3; Status Code: 400; Error Code: InvalidArgument; . I've tried things like putting the actual topic arn not using !Ref but no joy. Thanks!
Resources:
DeletionSNSTopic:
Type: AWS::SNS::Topic
Properties:
DisplayName:
!Join [" ",[Data has been deleted from,!Sub '${ServiceName}-${Stage}-${AWS::AccountId}']
]
Subscription:
- Endpoint: !Sub '${DeleteNotifyEmail}'
Protocol: email
TopicName: !Sub 'delete-from-${ServiceName}-bucket'
DataBucket:
Type: AWS::S3::Bucket
DependsOn: DeletionSNSTopic
Description: Create Amazon S3 bucket from CloudFormation
Properties:
BucketName: !Sub '${ServiceName}-${Stage}-${AWS::AccountId}'
AccessControl: Private
BucketEncryption:
ServerSideEncryptionConfiguration:
- ServerSideEncryptionByDefault:
SSEAlgorithm: AES256
VersioningConfiguration:
Status: Enabled
PublicAccessBlockConfiguration:
BlockPublicAcls: true
BlockPublicPolicy: true
IgnorePublicAcls: true
RestrictPublicBuckets: true
NotificationConfiguration:
TopicConfigurations:
- Topic: !Ref DeletionSNSTopic
Event: 's3:ObjectRemoved:*'
BucketToSNSPermission:
Type: AWS::SNS::TopicPolicy
Properties:
PolicyDocument:
Id: 'deletionTopicPolicy'
Version: '2012-10-17'
Statement:
- Sid: 'deletionTopic-statement-id'
Effect: Allow
Principal:
Service: s3.amazonaws.com
Action: sns:Publish
Resource: !Ref DeletionSNSTopic
Condition:
StringEquals:
aws:SourceAccount: !Sub '${AWS::AccountId}'
ArnLike:
aws:SourceArn: !Ref DataBucket
Topics:
- !Ref DeletionSNSTopic

You have circular dependency in your code. You create bucket with notifications, before topic policy is applied. Obviously the policy can't be created before the bucket because the bucket must already exist due to !Ref DataBucket.
To solve that the bucket name must be known first, which in your case is possible:
Resources:
DeletionSNSTopic:
Type: AWS::SNS::Topic
Properties:
DisplayName:
!Join [" ",[Data has been deleted from,!Sub '${ServiceName}-${Stage}-${AWS::AccountId}']
]
Subscription:
- Endpoint: !Sub '${DeleteNotifyEmail}'
Protocol: email
TopicName: !Sub 'delete-from-${ServiceName}-bucket'
DataBucket:
Type: AWS::S3::Bucket
DependsOn: BucketToSNSPermission
Description: Create Amazon S3 bucket from CloudFormation
Properties:
BucketName: !Sub '${ServiceName}-${Stage}-${AWS::AccountId}'
AccessControl: Private
BucketEncryption:
ServerSideEncryptionConfiguration:
- ServerSideEncryptionByDefault:
SSEAlgorithm: AES256
VersioningConfiguration:
Status: Enabled
PublicAccessBlockConfiguration:
BlockPublicAcls: true
BlockPublicPolicy: true
IgnorePublicAcls: true
RestrictPublicBuckets: true
NotificationConfiguration:
TopicConfigurations:
- Topic: !Ref DeletionSNSTopic
Event: 's3:ObjectRemoved:*'
BucketToSNSPermission:
Type: AWS::SNS::TopicPolicy
Properties:
PolicyDocument:
Id: 'deletionTopicPolicy'
Version: '2012-10-17'
Statement:
- Sid: 'deletionTopic-statement-id'
Effect: Allow
Principal:
Service: s3.amazonaws.com
Action: SNS:Publish
Resource: !Ref DeletionSNSTopic
Condition:
StringEquals:
aws:SourceAccount: !Ref AWS::AccountId
ArnLike:
aws:SourceArn: !Sub "arn:aws:s3:::${ServiceName}-${Stage}-${AWS::AccountId}"
Topics:
- !Ref DeletionSNSTopic
For general case check in:
How do I avoid the "Unable to validate the following destination configurations" error in AWS CloudFormation?

Why does this AWS CloudFormation script throw "Policy contains a statement with one or more invalid principals" error?

I am trying to:
Create a CMK
Create a new bucket that requires/enforces use of that
CMK
Code is from here
AWSTemplateFormatVersion: 2010-09-09
Description: Example template with Customer Master Key and S3 bucket
Resources:
Bucket:
Type: "AWS::S3::Bucket"
DeletionPolicy: Retain
Properties:
BucketEncryption:
ServerSideEncryptionConfiguration:
- ServerSideEncryptionByDefault:
KMSMasterKeyID: !Sub "arn:aws:kms:${AWS::Region}:${AWS::AccountId}:${CMKAlias}"
SSEAlgorithm: "aws:kms"
CMKAlias:
Type: "AWS::KMS::Alias"
Properties:
AliasName: "alias/test/cmk"
TargetKeyId: !Ref CMK
CMK:
Type: "AWS::KMS::Key"
Properties:
Description: "My CMK"
Enabled: True
EnableKeyRotation: true
KeyPolicy:
Version: "2012-10-17"
Statement:
- Sid: "Allow root IAM"
Effect: "Allow"
Principal:
AWS: !Sub "arn:aws:iam::${AWS::AccountId}:user/root"
Action:
- "kms:*"
Resource: "*"
Outputs:
CMKId:
Value: !Ref CMK
CMKArn:
Value: !GetAtt CMK.Arn
CMKAliasArn:
Value: !Sub "arn:aws:kms:${AWS::Region}:${AWS::AccountId}:${CMKAlias}"
Bucket:
Value: !Ref Bucket
The errors are:
The following resource(s) failed to create: [CMK]. . Rollback requested by user.
Policy contains a statement with one or more invalid principals.
(Service: AWSKMS; Status Code: 400;
Error Code: MalformedPolicyDocumentException;
Request ID: zzzzzz-zzzzz-zzzzz)
I believe the issue is with this line:
AWS: !Sub "arn:aws:iam::${AWS::AccountId}:user/root"
I see from intrinsic-function-reference-sub that !Sub is a function to replace values, and I see from pseudo-parameter-reference that ${AWS::AccountId} is a valid pseudo parameter, so I do not understand why that line is failing.
I see from how-to-generate-the-aws-root-account-arn-in-cloudformation that this is considered a valid way in YAML:
!Sub arn:aws:iam::${AWS::AccountId}:root

Your indents are not correct.
Try it as the following:
KeyPolicy:
Version: "2012-10-17"
Statement:
- Sid: "Allow root IAM"
Effect: "Allow"
Principal:
AWS: !Sub "arn:aws:iam::${AWS::AccountId}:user/root"
Action:
- "kms:*"
Resource: "*"

Cloudformation S3 bucket principal for Cloudfront

I'm trying to create a Yaml template for cloudfront distribution on S3 bucket.
I'm stuck on how to add principal on BucketPolicy.
I want to know how to replace the XXXXXXXXXXX on CloudFront Origin Access Identity XXXXXXXXXXX in principal for a cloudfront that will be generate by deploying the template.
Also is there a way to add the html, css sync procedure (which I'm doing through aws cli now) on yaml template?
Please let me know.
TIA
AWSTemplateFormatVersion: 2010-09-09
Resources:
Bucket:
Type: 'AWS::S3::Bucket'
Properties:
BucketName: pridesys.webbucket
AccessControl: Private
WebsiteConfiguration:
IndexDocument: index.html
BucketPolicy:
Type: AWS::S3::BucketPolicy
Properties:
Bucket: !Ref Bucket
PolicyDocument:
Id: ReportPolicy
Version: "2012-10-17"
Statement:
- Sid: "1"
Effect: Allow
Action: "s3:GetObject"
Principal:
AWS: "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity XXXXXXXXXXX"
Resource: !Join ['', ['arn:aws:s3:::', !Ref Bucket, '/*']]
Distro:
Type: 'AWS::CloudFront::Distribution'
Properties:
DistributionConfig:
Origins:
- DomainName: !GetAtt Bucket.DomainName
Id: foo
S3OriginConfig: {}
Enabled: True
DefaultRootObject: index.html
DefaultCacheBehavior:
ForwardedValues:
QueryString: False
TargetOriginId: foo
ViewerProtocolPolicy: allow-all

Here is a valid sample of an S3 origin identity configuration for CloudFront:
WebUIBucket:
Type: AWS::S3::Bucket
CloudFrontOriginIdentity:
Type: AWS::CloudFront::CloudFrontOriginAccessIdentity
Properties:
CloudFrontOriginAccessIdentityConfig:
Comment: "origin identity"
WebUIPolicy:
Type: AWS::S3::BucketPolicy
Properties:
Bucket:
Ref: WebUIBucket
PolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: Allow
Principal:
CanonicalUser:
Fn::GetAtt: [ CloudFrontOriginIdentity , S3CanonicalUserId ]
Action: "s3:GetObject"
Resource: !Sub "${WebUIBucket.Arn}/*"
WebpageCDN:
Type: AWS::CloudFront::Distribution
Properties:
DistributionConfig:
Origins:
- DomainName: !Sub "${WebUIBucket}.s3.amazonaws.com"
Id: webpage
S3OriginConfig:
OriginAccessIdentity: !Sub "origin-access-identity/cloudfront/${CloudFrontOriginIdentity}"
As for the syncing your assets into the S3 bucket, that cannot be provided with CloudFormation functionality. You either have to implement a CustomResource or keep using the CLI.

Thanks a lot #Jens !!
Your solution was a big help. I was getting TargetOriginId & ForwarededValues error while trying to deploy your template.
This is what worked for me -
AWSTemplateFormatVersion: '2010-09-09'
Description: An AWS Serverless Specification template describing your function.
Resources:
WebUIBucket:
Type: AWS::S3::Bucket
CloudFrontOriginIdentity:
Type: AWS::CloudFront::CloudFrontOriginAccessIdentity
Properties:
CloudFrontOriginAccessIdentityConfig:
Comment: "origin identity"
WebUIPolicy:
Type: AWS::S3::BucketPolicy
Properties:
Bucket:
Ref: WebUIBucket
PolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: Allow
Principal:
CanonicalUser:
Fn::GetAtt: [ CloudFrontOriginIdentity , S3CanonicalUserId ]
Action: "s3:GetObject"
Resource: !Sub "${WebUIBucket.Arn}/*"
WebpageCDN:
Type: AWS::CloudFront::Distribution
Properties:
DistributionConfig:
Origins:
- DomainName: !Sub "${WebUIBucket}.s3.amazonaws.com"
Id: webpage
S3OriginConfig:
OriginAccessIdentity: !Sub "origin-access-identity/cloudfront/${CloudFrontOriginIdentity}"
Enabled: True
DefaultRootObject: index.html
DefaultCacheBehavior:
ForwardedValues:
QueryString: False
TargetOriginId: webpage
ViewerProtocolPolicy: allow-all
Transform: AWS::Serverless-2016-10-31

So you will need to have S3 origin Access Identity setup, and use the !GetAtt S3CanonicalUserId
Here is my code and it works
S3CloudFrontOriginAccessIdentity:
Type: AWS::CloudFront::CloudFrontOriginAccessIdentity
Properties:
CloudFrontOriginAccessIdentityConfig:
Comment: A comment to describe the origin access identity. The comment cannot be longer than 128 characters.
StagingCloudFrontDistribution:
Type: AWS::CloudFront::Distribution
Properties:
DistributionConfig:
Origins:
- DomainName: !GetAtt myS3bucket.DomainName
Id: !Ref myS3bucket
S3OriginConfig:
OriginAccessIdentity: !Join ['', ['origin-access-identity/cloudfront/', !Ref S3CloudFrontOriginAccessIdentity]]
myS3BucketPolicy:
Type: 'AWS::S3::BucketPolicy'
Properties:
Bucket: !Ref myS3bucket
PolicyDocument:
Id: myS3bucketPolicy
Version: 2012-10-17
Statement:
- Sid: PutObjectAccess
Effect: Allow
Principal:
CanonicalUser:
Fn::GetAtt: [ S3CloudFrontOriginAccessIdentity, S3CanonicalUserId ]
Action:
- s3:GetObject
Resource: !Join
- ''
- - 'arn:aws:s3:::'
- !Ref myS3bucket
- /*

How do you set SSE-S3 or SSE-KMS encryption on S3 buckets using Cloud Formation Template?

I'm trying to use a CloudFormation Template to spin up an S3 Bucket in AWS. One of the requirements for this project is that the bucket be encrypted in place. I've been trying to find a way to set that up via CloudFormation Template (I've read all the documentation I can get my hands on for SSE-S3, KMS, CFT and S3s...). But all signs seem to point to it only being available via the console.
I'm worried I'm just missing something obvious and I wondered if anyone knew how I could use CloudFormation Template(or at least something automated) to set the default encryption of an S3 Bucket to SSE-S3 or SSE-KMS?

AWS added this feature on January 24th, 2018:
Use the BucketEncryption property to specify default encryption for a bucket using server-side encryption with Amazon S3-managed keys SSE-S3 or AWS KMS-managed Keys (SSE-KMS) bucket.
JSON
{
"Resources": {
"MyBucket": {
"Type" : "AWS::S3::Bucket",
"Properties" : {
"BucketEncryption": {
"ServerSideEncryptionConfiguration": [
{
"ServerSideEncryptionByDefault": {
"SSEAlgorithm": "AES256"
}
}
]
}
}
}
}
}
YAML
Resources:
MyBucket:
Type: "AWS::S3::Bucket"
Properties:
BucketEncryption:
ServerSideEncryptionConfiguration:
- ServerSideEncryptionByDefault:
SSEAlgorithm: AES256
https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket.html
https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket-bucketencryption.html

If you have a specific KMS key use the following
ConfigBucket:
Type: AWS::S3::Bucket
Properties:
BucketName: "mytestbucketwithkmsencryptionkey"
AccessControl: PublicRead
BucketEncryption:
ServerSideEncryptionConfiguration:
- ServerSideEncryptionByDefault:
SSEAlgorithm: aws:kms
KMSMasterKeyID: "YOUR KMS KEY ARN"

You can also use ForceEncryption option as well:
AWSTemplateFormatVersion: '2010-09-09'
Description: Amazon S3 Bucket with
Resources:
CodeFlexS3Bucket:
Type: AWS::S3::Bucket
Properties:
AccessControl: Private
BucketName: !Join ["-", ["codeflex-example", Ref: "AWS::Region"]]
ForceEncryption:
Type: AWS::S3::BucketPolicy
Properties:
Bucket: !Ref CodeFlexS3Bucket
PolicyDocument:
Version: "2008-10-17"
Statement:
- Sid: DenyUnEncryptedObjectUploads
Effect: Deny
Principal: "*"
Action:
- s3:PutObject
Resource:
- !Join ["", ["arn:aws:s3:::", !Ref CodeFlexS3Bucket, "/*"]]
Condition:
StringNotEquals:
"s3:x-amz-server-side-encryption":
- "aws:kms"
DependsOn: CodeFlexS3Bucket
Taken from here: Creating S3 Bucket with KMS Encryption via CloudFormation