amazon web services - Receive AccessDenied when trying to access a page via the full url on my website

ID : 131340

viewed : 8

Tags : access-denied

Top 5 Answer for amazon web services - Receive AccessDenied when trying to access a page via the full url on my website

vote vote

94

I have figured it out and wanted to post my solution in case anyone else runs into this issue.

The issue was due to Angular being a SPA (Single Page App) and me using an S3 bucket to store it. When you try to go to a specific page via url access, CloudFront will take (for example, /about) and go to your S3 bucket looking for that file. Because Angular is a SPA, that file doesn't technically exist in your S3 bucket. This is why I was getting the error.

What I needed to do to fix it

If you open your distribution in Cloudfront, you will see an 'Error Pages' tab. I had to add two 'Custom Error Responses' that handled 400 and 403. The details are the same for 400 and 403, so I only include a photo for 400. See below: enter image description here

enter image description here

Basically, what is happening is you are telling Cloudfront that regardless of a 400 or 403 error, to redirect back to index.html, thus giving control to Angular to decide if it can go to the path or not. If you would like to serve the client a 400 or 403 error, you need to define these routes in Angular.

After setting up the two custom error responses, I deployed my cloudfront solutions and wallah, it worked!

I used the following article to help guide me to this solution.

vote vote

84

The better way to solve this is to allow list bucket permission and add a 404 error custom rule for cloudfront to point to index.html. 403 errors are also returned by WAF, and will cause additional security headaches, if they are added for custom error handling to index.html. Hence, better to avoid getting 403 errors from S3 in the first place for angular apps.

vote vote

71

If you have this problem using CDK you need to add this :

MyAmplifyApp.addCustomRule({   source: '</^[^.]+$|\.(?!(css|gif|ico|jpg|js|png|txt|svg|woff|ttf|map|json)$)([^.]+$)/>',   target: '/index.html',   status: amplify.RedirectStatus.REWRITE }); 
vote vote

66

The accepted answer seems to work but it does not seem like a good practice. Instead check if the cloudfront origin is set to S3 Bucket(in which the static files are) or the actual s3 url endpoint. It should be the s3 url endpoint and not the s3 bucket.

The url after endpoint should be the origin

enter image description here

vote vote

56

Add a Cloudfront function to rewrite the requested uri to /index.html if it doesn't match a regex.

For example, if none of your SPA routes contain a "." (dot), you could do something like this:

function handler(event) {     var request = event.request     if (/^(?!.*\..*).*$/.test(request.uri)) {         request.uri = '/index.html'     }     return request } 

This gets around any kind of side effects you would get by redirecting 403 -> index.html. For example, if you use a WAF to restrict access by IP address, if you try to navigate to the website from a "bad IP", a 403 will be thrown, but with the previously suggested 403 -> index.html redirect, you'd still see index.html. With a cloudfront function, you wont.

Top 3 video Explaining amazon web services - Receive AccessDenied when trying to access a page via the full url on my website

Related QUESTION?