AWS - InvalidAccessKeyId returned when accessing S

Posted 2019-08-18 19:04

Question:

Previous question on the same case.

After solving my previous issue, my AWS is set up with the following services.

  1. S3 bucket in ap-east-1 without static website hosting.
  2. CloudFront HTTPS distribution with an SSL certificate requested from ACM in us-east-1.
  3. Alias pointing to the CloudFront distribution in Route 53.

When I try navigating to the distribution endpoint using the alias configured in Route 53, it always returns an InvalidAccessKeyId error, saying that the access key does not exist. The key is always the same for every request, and is prefixed with AKIA.

I have looked into my IAM console; no users have been created. There are only 2 roles, which I believe were auto-created by AWS.

By the way, even if I disable auto-updating the S3 bucket policy when creating a new CloudFront distribution, my bucket policy will be modified automatically, where the Principal field is set to "AWS": "ADIA...". I have tried replacing it with "CanonicalUser": "<my OAI that the CloudFront distribution is using>", but it will be reverted to "AWS": "ADIA..." several minutes later.

Does anyone know how to tackle this invalid access key error?


Update

I have created another S3 bucket in ap-southeast-1 and carried out the exact same steps by allowing CloudFront to generate the bucket policy automatically, then configured alias settings in the Route 53 console.

Below is the auto-generated bucket policy.

Then, I copy and paste that policy to my original ap-east-1 bucket; the only difference is in the line "AWS": "...", but it doesn't allow me to save it, stating that there is an error in the principal.