Note from the year 2025: This is not really recommended anymore; it's better to use CloudFront origin access control (OAC) and keep your buckets private.
My CloudFront distribution was doing a 307 redirect to my S3 regional endpoint and the S3 regional endpoint was then failing with a 403 Access Denied.
example.com -> 307 redirect -> s3-example-test.ap-southeast-2.s3.amazonaws.com
A bit of background: I was deploying a new S3 bucket with CloudFront for static website hosting (mostly to host some CSS/JS files for a Lambda being called via API Gateway). The bucket was in ap-southeast-2 (note that if I was using us-east-1 this wouldn’t be an issue). I was re-using an infrastructure as code template which was setting the default origin as the default S3 endpoint (s3.amazonaws.com) rather than adding the regional endpoint.
The first issue was that I had a bucket policy to allow read access from my CloudFront distribution, and that was causing my 403 Access Denied issue. But for the 307 redirection error, I struggled to find a solution in the AWS documentation, or my Google fu wasn’t working that day, so I naturally reached out to AWS Support.
Basically, the solution was to update the origin to use the ap-southeast-2 S3 endpoint or just wait 24 hours. My case was set to low priority and they got back to me about 12 hours later with the following:
After you create an Amazon S3 bucket, it may take up to 24 hours for the bucket name to propagate across all AWS Regions. During this time, you might receive the “307 Temporary Redirect” response for requests to regional endpoints that aren’t in the same Region as the S3 bucket.
https://docs.aws.amazon.com/AmazonS3/latest/dev/Redirects.html#TemporaryRedirection
and…
If you’re using an Amazon CloudFront distribution with an Amazon S3 origin, CloudFront forwards requests to the default S3 endpoint (s3.amazonaws.com), which is in the us-east-1 Region. If you must access Amazon S3 within the first 24 hours of creating the bucket, you can change the Origin Domain Name of the distribution to include the regional endpoint of the bucket. For example, for your distribution the bucket is in ap-southeast-2, you can change the Origin Domain Name from s3-example-test.s3.amazonaws.com to s3-example-test.s3-ap-southeast-2.amazonaws.com.
https://aws.amazon.com/premiumsupport/knowledge-center/s3-http-307-response
Since the S3 bucket was new and I tried to access it with CloudFront using the default S3 endpoint, it’ll take 24 hours before it’s fully functional, but since 24 hours have passed my distribution is fully functional now.
If you need S3 website hosting working straight away with CloudFront, the simple workaround is to use the regional endpoint!
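One way to catch this before deploying is to check each CloudFront origin domain in a template against the Region the bucket lives in. The script below is an added example, not code from the original post or from AWS; the function names, status strings and sample origins are assumptions made for illustration, and the suggested fix uses the dot form of the regional endpoint while still recognising the dash form quoted above.

```python
import re

_REGION = r"(?P<region>[a-z]{2}(?:-[a-z]+)+-\d)"
# Regional REST endpoint, dot form (s3.<region>) or dash form (s3-<region>).
_REGIONAL = re.compile(r"^(?P<bucket>.+)\.s3[.-]" + _REGION + r"\.amazonaws\.com$")
# Default (global) endpoint, which resolves to us-east-1.
_GLOBAL = re.compile(r"^(?P<bucket>.+)\.s3\.amazonaws\.com$")


def regional_endpoint(bucket, region):
    """Build the regional origin domain (dot form) for a bucket."""
    return f"{bucket}.s3.{region}.amazonaws.com"


def check_origin(domain, bucket_region):
    """Compare an origin domain with the bucket's actual Region.

    Returns (status, suggested_domain); suggested_domain is None when
    no change is needed or the domain is not an S3 REST endpoint.
    """
    d = domain.strip().lower().rstrip(".")
    m = _REGIONAL.match(d)
    if m:
        if m["region"] == bucket_region:
            return ("ok", None)
        # Regional endpoint of a different Region: 307 while the name propagates.
        return ("region-mismatch", regional_endpoint(m["bucket"], bucket_region))
    m = _GLOBAL.match(d)
    if m:
        if bucket_region == "us-east-1":
            return ("ok", None)
        # Default endpoint with a bucket outside us-east-1: the case in this post.
        return ("global-endpoint", regional_endpoint(m["bucket"], bucket_region))
    return ("not-s3-rest-endpoint", None)


# Constructed sample input: (origin domain from a template, bucket Region).
SAMPLE_ORIGINS = [
    ("s3-example-test.s3.amazonaws.com", "ap-southeast-2"),
    ("s3-example-test.s3-ap-southeast-2.amazonaws.com", "ap-southeast-2"),
    ("s3-example-test.s3.eu-west-1.amazonaws.com", "ap-southeast-2"),
]


def audit(origins):
    """Run check_origin over every (domain, region) pair."""
    return [(d, *check_origin(d, r)) for d, r in origins]


if __name__ == "__main__":
    for domain, status, fix in audit(SAMPLE_ORIGINS):
        print(f"{status:16} {domain}" + (f" -> {fix}" if fix else ""))
```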
This blog was originally published on November 21, 2020, and has since been republished.