If you're reading this over HTTPS on your own domain, the certificate, the distribution, and the bucket policy are all wired up correctly.
Open /deep/route/test — no such key exists
in the bucket. If this page renders instead of an XML error, your 403/404
→ /index.html rewrite is working. If you get
AccessDenied, the custom error responses aren't configured.
Then hard-reload to confirm it survives a cold cache.