One of common mistakes that people usually made when creating CloudFront distribution for S3 bucket is that they in "Origin" field just select their S3 bucket. That is not right approach, if you are using
index.html documents in your sub-directories.
Every time somebody tries to open URL that ends with '/', for example '/tags/' or '/example/', he will get "Access denied" error and not
index.html in requested directory. In CloudFront, there is "root document" setting, but it works only for root directory, not for sub-directories (in S3 this works for both).
Instead of simply selecting your S3 bucket in 'origin' field, just paste URL that points to your bucket, that looks something like this:
[your bucket name].s3-website-us-east-1.amazonaws.com
This way CloudFront will look for files using S3 bucket URL and S3 will serve those directory URL's correctly.
It took me a while to figure this first time. Most search results about "Access denied" with S3 and CloudFront point to articles and AWS documentation about AWS policy documents.