Trying to get on the SSL bandwagon with a static site on S3? Getting random, nonsensical 403s? Here's what you need to do: set the origin for the CloudFront distribution to the static website hosting endpoint of your S3 bucket, NOT the bucket itself! Many thanks to what a n00b! for saving my hair.
Oh, and don't even think about using a 4096-bit key for your SSL certificate. CloudFront only accepts 2048-bit keys. (And maybe 1024-bit, but don't use that.)
Looking for the place in the AWS Console to upload your certificate? Stop looking. It's not there. Instead, you need to do this:
alex@talos:~# aws iam upload-server-certificate --server-certificate-name some_meaningful_name \
    --certificate-body file://path/to/certificate \
    --private-key file://path/to/key \
    --certificate-chain file://path/to/bundled/cert/file \
    --path /cloudfront/whatever_you_want/
That's a doozy, isn't it? Depending on who you got the SSL certificate from, you might not need to specify the certificate chain.
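Here are a few pre-flight checks for the setup above, as added example code that is not from the original post: they verify the key size CloudFront accepts, that the certificate and private key belong together, and that the origin is a website endpoint before you run the upload. They assume openssl and the aws CLI are installed; the function names are my own.

```shell
#!/bin/sh
# Pre-flight checks for CloudFront + S3 static hosting (added example).
# Assumes openssl is on PATH; aws is only needed for cf_upload_cert.

# Print the RSA key size in bits (works for PKCS#1 and PKCS#8 PEM keys).
cf_key_bits() {
  openssl rsa -in "$1" -noout -text 2>/dev/null \
    | sed -n 's/.*Private-Key: (\([0-9]*\) bit.*/\1/p'
}

# CloudFront rejects 4096-bit keys; only 2048 bits is acceptable here.
cf_key_ok() {
  bits=$(cf_key_bits "$1")
  [ "$bits" = "2048" ]
}

# The certificate must have been issued for this private key:
# compare the RSA modulus embedded in each.
cf_cert_matches_key() {
  cert_mod=$(openssl x509 -in "$1" -noout -modulus)
  key_mod=$(openssl rsa -in "$2" -noout -modulus)
  [ -n "$cert_mod" ] && [ "$cert_mod" = "$key_mod" ]
}

# The CloudFront origin must be the bucket's static website endpoint
# (bucket.s3-website-<region>.amazonaws.com or
#  bucket.s3-website.<region>.amazonaws.com), not the plain bucket endpoint.
cf_origin_ok() {
  case "$1" in
    *.s3-website-*.amazonaws.com|*.s3-website.*.amazonaws.com) return 0 ;;
    *) return 1 ;;
  esac
}

# Run the checks, then upload. The IAM path must start with /cloudfront/
# for the certificate to be selectable in a CloudFront distribution.
# Usage: cf_upload_cert NAME CERT KEY CHAIN ORIGIN_DOMAIN
cf_upload_cert() {
  cf_key_ok "$3"               || { echo "key must be 2048-bit" >&2; return 1; }
  cf_cert_matches_key "$2" "$3" || { echo "cert/key mismatch" >&2; return 1; }
  cf_origin_ok "$5"            || { echo "origin is not a website endpoint" >&2; return 1; }
  aws iam upload-server-certificate --server-certificate-name "$1" \
    --certificate-body "file://$2" --private-key "file://$3" \
    --certificate-chain "file://$4" --path /cloudfront/static-site/
}
```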