Alright, I've run into a weird issue - I have a series of .unity3d files on Cloudfront via an S3 bucket, as well as test images, and a .unity3d.zip version of one of the files. The .unity3d files result in an "Access Denied", but the images and unity3d.zip file download just fine.
What's going on, and can I fix it, or must I append/trim .zip to all my unity3d files?
So, turns out, this is a mis-diagnosis, related to the exotic file extension. When a ".../file.unity3d" address is entered into the address bar of Chrome, it does not replace the webpage previously loaded. If that previous load was an Access Denied, you'll still see it.
In more detail:
If you have a malformed URL (a typo, say), OR if you have a restricted access file on S3, you get an Access Denied.
And if you have a file the browser doesn't know how to open, it will not update the webpage
So, if you (as I) first visit an address that generates an Access Denied, and then visit a valid address with, say, a unity3d file, in the same tab, it will appear as though the unity3d address generates another Access Denied, when it doesn't, making the valid address appear invalid.
You can more easily see what's going on via curl in the command line.