AWS CloudFront returns error NoSuchBucket with it's own domain name as the bucketname

Question

I'm trying to setup Cloudfront to give customers read access to private files in s3 using signed cookies. I'm however getting the error NoSuchBucket and strangely the cloudfront domain as the BucketName. During troubleshooting, I tried to eliminate any possible complication and have now a simple public s3 bucket called "abc" and can access a file I uploaded via http://abc.s3.eu-central-1.amazonaws.com/test.txt . For the distribution, I also made it as simple as possible - I selected the s3 bucket, but left all other settings as default. The domain name is dxyz.cloudfront.net. The only other thing I did was to create a Origin access identity and added a bucket policy:

{
    "Version": "2012-10-17",
    "Id": "PolicyForCloudFrontPrivateContent",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity EFG"
            },
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::abc/*"
        }
    ]
}

EFG being the ID of the OAI.

The error is

<?xml version="1.0" encoding="UTF-8"?>
<Error>
    <Code>NoSuchBucket</Code>
    <Message>The specified bucket does not exist</Message>
    <BucketName>dxyz.cloudfront.net</BucketName>
    <RequestId>F123</RequestId>
    <HostId>random_characters</HostId>
</Error>

the bucket is setup eu-central-1 - just in case that matters.

Any ideas, any hints?

thanks

Answer 1

I had the same problem. Following Michael's suggestion in his comment I switch to legacy caching, and left everything default so only GET/HEAD were cached. Totally resolved the issue

Answer 2

I would like to highlight the comment from @Michael-sqlbot which points out the root cause:

The issue is most probably caused because you're not whitelisting the "Host" header in your 'Cache' policy.

This can be configured in CloudFront > Policies > Cache by editing the desired cache policy.