Can't access through S3 to files updated through CloudFront

Backend · Unresolved · 3 · 1877
小鲜肉 2021-01-06 21:01

I was using CloudFront to access files in my S3 bucket and to update the files. I have disabled CloudFront now; however, I cannot access those files directly through S3 any more.

3 replies
  •  暖寄归人
    2021-01-06 21:55

    I had the same problem: Files created with Origin Access Identity weren't readable by the host account (or any user accounts) and couldn't be accessed via CLI, Lambda or the Console.

    Solution

    My solution was to set a header on the client request that allows control of the files by the bucket owner.

    x-amz-acl=bucket-owner-full-control

    This shouldn't require changes to your CloudFront distribution. All x-amz-* headers should be passed through automatically.

    I complemented this solution with a bucket policy that requires this header. So, people can't hack my client and upload files that I can't manage. The following is added to the policy statement object allowing s3:PutObject by the Origin Access Identity:

    "Condition": {
        "StringEquals": {
            "s3:x-amz-acl": [
                "bucket-owner-full-control"
            ]
        }
    }

    Explanation

    The cause is described in Managing Access with ACLs.

    For example, if a bucket owner allows other AWS accounts to upload objects, permissions to these objects can only be managed using object ACL by the AWS account that owns the object.

    The only way I found to manage ACLs created by the Origin Access Identity is to set the x-amz-acl header at object creation time.
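The following is an added example, not code from the original answer. It assembles the complete bucket-policy statement the answer describes (an Allow for s3:PutObject by the Origin Access Identity, gated on the StringEquals condition above) and includes a small offline check that mirrors how S3 maps the x-amz-acl request header onto the s3:x-amz-acl condition key. The bucket name and OAI ID are placeholders; the principal ARN format is the documented one for an OAI. Only the standard library is used, so it runs without AWS credentials.

```python
import json

# Placeholder identifiers (assumptions for this example, not from the post).
BUCKET = "example-bucket"
OAI_ID = "E1EXAMPLEOAIID"          # hypothetical CloudFront Origin Access Identity ID
REQUIRED_ACL = "bucket-owner-full-control"


def build_put_statement(bucket: str, oai_id: str) -> dict:
    """Allow the OAI to upload objects, but only when the request carries
    x-amz-acl: bucket-owner-full-control, so the bucket owner can always
    manage what lands in the bucket."""
    return {
        "Sid": "AllowOAIPutWithBucketOwnerFullControl",
        "Effect": "Allow",
        "Principal": {
            # Documented principal format for a CloudFront OAI.
            "AWS": f"arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity {oai_id}"
        },
        "Action": "s3:PutObject",
        "Resource": f"arn:aws:s3:::{bucket}/*",
        "Condition": {"StringEquals": {"s3:x-amz-acl": [REQUIRED_ACL]}},
    }


def build_policy(bucket: str, oai_id: str) -> str:
    """Full policy document as JSON text, ready to attach to the bucket."""
    doc = {"Version": "2012-10-17", "Statement": [build_put_statement(bucket, oai_id)]}
    return json.dumps(doc, indent=4)


def put_allowed(statement: dict, request_headers: dict) -> bool:
    """Offline approximation of the StringEquals check on s3:x-amz-acl.

    S3 populates the s3:x-amz-acl condition key from the x-amz-acl request
    header (header names are case-insensitive). A request that omits the
    header has no value for the key, so StringEquals cannot match and this
    Allow statement grants nothing: the upload is denied, which is the
    behaviour the policy is meant to enforce.
    """
    allowed_values = (
        statement.get("Condition", {}).get("StringEquals", {}).get("s3:x-amz-acl")
    )
    if allowed_values is None:
        return True  # statement carries no ACL condition at all
    headers = {k.lower(): v for k, v in request_headers.items()}
    acl = headers.get("x-amz-acl")
    return acl is not None and acl in allowed_values


# Constructed sample requests: what a client would send through CloudFront.
GOOD_REQUEST = {"Content-Type": "text/plain", "x-amz-acl": REQUIRED_ACL}
MISSING_HEADER = {"Content-Type": "text/plain"}
WRONG_ACL = {"Content-Type": "text/plain", "X-Amz-Acl": "private"}


if __name__ == "__main__":
    stmt = build_put_statement(BUCKET, OAI_ID)
    print(build_policy(BUCKET, OAI_ID))
    for name, req in (("good", GOOD_REQUEST), ("missing", MISSING_HEADER), ("wrong", WRONG_ACL)):
        print(f"{name}: {'allowed' if put_allowed(stmt, req) else 'denied'}")
```

The check deliberately treats a missing header the same as a wrong one; that is the point of requiring the condition in the policy rather than merely documenting the header for clients. Note also that on current S3 buckets the Object Ownership setting "Bucket owner enforced" disables ACLs entirely and makes the bucket owner own every object, which removes the need for this header and condition; on a bucket that still uses ACLs, the approach in the answer applies.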
