From 5884676518286558be045ebb5ac683e56550f8cc Mon Sep 17 00:00:00 2001
From: rspitler
Date: Thu, 17 Jun 2021 13:44:08 -0400
Subject: [PATCH] Add policy statement to allow CloudFront OriginAccess Identity to listBucket. This means that when a unknown object is requested it returns a 404 instead of a 403. For SPA hosted by CloudFront this allows for the custom error logic to serve the SPA instead of a 404 page for a logical route.
---
 templates/cloudfront-site.yaml | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/templates/cloudfront-site.yaml b/templates/cloudfront-site.yaml
index 6feae08..e321666 100644
--- a/templates/cloudfront-site.yaml
+++ b/templates/cloudfront-site.yaml
@@ -49,6 +49,12 @@ Resources:
 Resource: !Sub '${S3BucketRootArn}/*'
 Principal:
 CanonicalUser: !GetAtt CloudFrontOriginAccessIdentity.S3CanonicalUserId
+ - Action:
+ - s3:ListBucket
+ Effect: Allow
+ Resource: !Sub '${S3BucketRootArn}'
+ Principal:
+ CanonicalUser: !GetAtt CloudFrontOriginAccessIdentity.S3CanonicalUserId
 LambdaEdgeFunction:
 DeletionPolicy: Retain
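Review bot: The added statement grants `s3:ListBucket` on `${S3BucketRootArn}` to the origin access identity, so a viewer request that CloudFront forwards to the bucket root would return the XML listing of every object key unless the distribution sets `DefaultRootObject`. The distribution resource is outside this hunk, so confirm that the property is set there. If the only goal is SPA routing, mapping error code 403 to the SPA entry page in the distribution's `CustomErrorResponses` gives the same result without widening the bucket policy. If the grant stays, document the dependency above the statement, for example `# ListBucket makes S3 answer 404 instead of 403 for missing keys; keep DefaultRootObject set so the bucket root never returns a key listing`.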