# 🚀 Fixing AWS S3 ‘Access Denied’ in CloudFront Deployments: My 2AM Security Debugging Journey

Oluwatosin Osho


🌙 It’s 2 AM

I’m staring at my screen, a bottle of water by my side, while my S3 bucket keeps throwing "Access Denied" errors like shredded paper. My portfolio was supposed to be live hours ago, but AWS had other plans.

[Image: a clean website design showing a '403 Access Denied' error page, indicating restricted access to content due to permission issues.]

I had taken on what seemed like a simple challenge:

🎯 Deploy a static website using S3 and CloudFront.

With a clear vision, solid HTML/CSS skills, and a gut feeling that I’d wrap it up by dinner, I was so wrong.


🧩 Where AWS Humbled Me

Think of it like building the ultimate children’s toy room:

  • S3 bucket → A massive toy chest storing everything

  • Block Public Access + IAM policies → Crucial childproof locks (when configured correctly!)

  • CloudFront → The magical system that delivers any toy anywhere in the house

Seems simple, until AWS security enters the chat.


💡 The Midnight Struggle That Taught Me Everything

Those Block Public Access settings became my nemesis.

✔️ Four innocent checkboxes ✔️ Infinite ways to mess them up

I tried every combination: ☑️ Tick this ☑️ Untick that 🧾 Adjust the bucket policy 🔁 Refresh...

But still, Access Denied.

At my lowest, I even questioned whether I was cut out for this.

Then it hit me:

🔥 AWS security isn’t about shortcuts, it’s about understanding why each layer exists.


⚙️ The Breakthrough Moment

I slowed down. I mapped out how Block Public Access, IAM policies, and CloudFront origins interact.

I got the syntax right. I aligned the policies.

💥 Boom, my site finally loaded through CloudFront with HTTPS.

That wasn’t just a fix, it was a snapshot of real cloud engineering in action.


🔧 What I Actually Built

  • ✅ Static website on S3 with proper index/error routing

  • ✅ Balanced Block Public Access settings + precise IAM policies

  • ✅ CloudFront distribution with custom origins, caching, and SSL

  • ✅ Versioning & lifecycle rules for cost-optimized storage

  • ✅ Manual teardown process to avoid unnecessary AWS charges


📸 AWS S3 & CloudFront Security Architecture Diagram

Detailed diagram showing a website visitor accessing content via AWS CloudFront's global edge locations, which securely fetches content from an AWS S3 bucket, highlighting HTTPS, caching, versioning, and lifecycle rules for a static website.


🔐 Key Fixes Implemented

  • Configured IAM policies to allow access to CloudFront

  • Adjusted Block Public Access settings to align with intended permissions

  • Fine-tuned CloudFront origin access

  • Added bucket policies for secure, granular access control


🎓 The Real Lesson

This wasn’t just about hosting files, it was a lesson in:

  • AWS security fundamentals

  • Performance tuning using CloudFront

  • Cost control through lifecycle and versioning policies

Now, whether someone visits from Germany or the house next door... ⚡ My site loads fast, securely, and globally.

Those 2 AM errors? 💡 Not failures, foundational lessons.


❓ Frequently Asked Questions (FAQ)

🔹 What causes “Access Denied” in AWS S3? Most often: misconfigured Block Public Access, missing bucket policies, or insufficient IAM permissions.

🔹 How do I serve a static site using CloudFront? Host files in S3 → configure for website hosting → set permissions → connect to CloudFront with HTTPS.

🔹 Can I keep my S3 bucket private but still serve content? Yes. Use OAC (or legacy OAI) to restrict direct S3 access and only allow CloudFront to serve content securely.
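
The private-bucket setup from the last FAQ answer, as an added example (not code from the original post or its repository): a simplified check that a bucket policy grants read access only to one CloudFront distribution through OAC, run against a public-read policy and an OAC policy. The bucket name, account ID, distribution ID and the `audit` helper are assumptions made for illustration.

```python
# Added example: simplified bucket-policy check, not AWS's full policy evaluation.
# All ARNs, the bucket name and the distribution ID are constructed placeholders.
DIST_ARN = "arn:aws:cloudfront::111122223333:distribution/EXAMPLEDISTID"
BUCKET = "arn:aws:s3:::example-portfolio-bucket/*"

PUBLIC_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": BUCKET}]}

OAC_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AllowCloudFrontOAC", "Effect": "Allow",
     "Principal": {"Service": "cloudfront.amazonaws.com"},
     "Action": "s3:GetObject", "Resource": BUCKET,
     "Condition": {"StringEquals": {"AWS:SourceArn": DIST_ARN}}}]}

def as_list(value):
    return value if isinstance(value, list) else [value]

def principals(stmt, kind):
    p = stmt.get("Principal")
    return as_list(p.get(kind, [])) if isinstance(p, dict) else []

def is_public(stmt):
    """Allow with a wildcard principal and no Condition: readable by anyone."""
    wildcard = stmt.get("Principal") == "*" or "*" in principals(stmt, "AWS")
    return stmt.get("Effect") == "Allow" and wildcard and not stmt.get("Condition")

def source_arns(stmt):
    """Values of aws:SourceArn under StringEquals (key names are case-insensitive)."""
    cond = stmt.get("Condition", {}).get("StringEquals", {})
    return [v for k, vals in cond.items() if k.lower() == "aws:sourcearn"
            for v in as_list(vals)]

def audit(policy, dist_arn):
    """Return findings; empty means no public grant and a scoped OAC read grant."""
    findings, granted = [], False
    for stmt in as_list(policy.get("Statement", [])):
        sid = stmt.get("Sid", "<no Sid>")
        if is_public(stmt):
            findings.append(f"PUBLIC:{sid}")
        if stmt.get("Effect") == "Allow" and "cloudfront.amazonaws.com" in principals(stmt, "Service"):
            if source_arns(stmt) == [dist_arn]:
                granted = granted or "s3:GetObject" in as_list(stmt.get("Action", []))
            else:
                findings.append(f"UNSCOPED:{sid}")  # not pinned to this distribution
    if not granted:
        findings.append("MISSING:no OAC read grant for this distribution")
    return findings

if __name__ == "__main__":
    print(audit(PUBLIC_POLICY, DIST_ARN))
    print(audit(OAC_POLICY, DIST_ARN))
```

A `PUBLIC` finding is the kind of statement Block Public Access is designed to stop, while the OAC statement keeps the bucket private and still lets the distribution fetch objects.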


📂 Code + Full Breakdown

🔗 [https://github.com/OluwatosinOsho/aws-static-website-s3-cloudfront]


🎯 Next Challenge

Implementing CI/CD automation + Origin Access Control (OAC) for even tighter security.


💬 Have You Faced a Cloud Challenge Like This?

🔥 Ever battled an AWS or DevOps issue that kept you up at night? Drop your toughest challenge in the comments, I’d love to hear your story.


🚀 The journey from zero to cloud continues, one breakthrough at a time.
