How do I troubleshoot 403 errors from CloudFront?


I'm using Amazon CloudFront to serve content. My users are receiving HTTP 403 errors with the message "The request could not be satisfied" or "Access Denied."

Resolution

The domain name isn't associated with an alternate domain name (CNAME) on a distribution

If you create a Domain Name System (DNS) record that points your domain to CloudFront but don't add that domain as an alternate domain name (CNAME) in your CloudFront distribution configuration, then CloudFront returns a 403 error. This occurs even if the DNS record resolves to CloudFront.

To use a CNAME instead of the default CloudFront URL, follow the instructions for Adding an alternate domain name.

For more information, see Using custom URLs by adding alternate domain names (CNAMEs).

CloudFront geographic restrictions were configured on the distribution

CloudFront geographic restrictions can prevent users in specific countries from accessing your content. If geographic restrictions cause the error, then the 403 response contains a message similar to: "The Amazon CloudFront distribution is configured to block access from your country." Also, the response header Server: CloudFront is present. The corresponding CloudFront access log entry contains ClientGeoBlocked as the value for x-edge-detailed-result-type.

For more information, see Restricting the geographic distribution of your content.

AWS WAF is configured on the CloudFront distribution and is blocking the request

If you use AWS WAF to monitor forwarded requests and the requested content doesn't match the specified conditions, then AWS WAF blocks the request and you receive a 403 error. In this case, the error contains a message similar to: "Request blocked. We can't connect to the server for this app or website at this time." The Server response header contains CloudFront as the value. The corresponding access log entry has Error as the value for x-edge-detailed-result-type.

The same error message and a Server response header value of CloudFront might also be present when the request is blocked for a reason other than AWS WAF. To confirm that AWS WAF blocked the request and to identify the rule that blocked it, check the AWS WAF logs for the blocked request. Or, check the AWS WAF CloudFront metrics for the relevant web ACL. Then, check the web ACL to see which rules are blocking requests. For more information, see Testing and tuning your AWS WAF protections.

An Amazon S3 origin is returning a 403 error

Depending on whether your Amazon Simple Storage Service (Amazon S3) origin is a website endpoint or a REST API endpoint, see one of the following for troubleshooting:

I’m using an S3 website endpoint as the origin of my CloudFront distribution. Why am I getting 403 Access Denied errors?

I’m using an S3 REST API endpoint as the origin of my CloudFront distribution. Why am I getting 403 Access Denied errors?

A custom origin is returning the 403 error

A custom origin can return a 403 error because of an application firewall or another reason at the origin. If the response contains a Server header whose value isn't CloudFront, then the error might have been returned by the custom origin.

To determine whether the error is returned from the custom origin, check the origin HTTP access logs.

If you're not able to check the origin HTTP access logs, use the following troubleshooting methods:

  • Check CloudFront access logs. If the time-taken field for the blocked request is significantly lower than the average value of the time-taken field, then the response might not have come from the origin. A low value in the time-taken field indicates that the response was sent from an edge location.
  • Make the request directly to the origin. If you can reproduce the error without going through CloudFront, then the origin might be returning the 403 error.
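The geographic-restriction, AWS WAF, and custom-origin sections above all come down to reading two things: the Server response header, and the x-edge-detailed-result-type and time-taken fields in the CloudFront standard access log. The following script is an added example (not code from the article or from AWS) that applies those rules to a constructed log excerpt. It reads the field order from the log's own #Fields: header, so it follows whatever order the file declares; the request IDs, IP addresses, and the 10% time-taken threshold are assumptions chosen for illustration.

```python
"""Triage HTTP 403 responses in a CloudFront standard access log.

Rules applied (from the article):
  * x-edge-detailed-result-type == ClientGeoBlocked  -> geographic restriction
  * x-edge-detailed-result-type == Error and a very low time-taken
                                                    -> generated at the edge (check AWS WAF)
  * x-edge-detailed-result-type == Error and a normal time-taken
                                                    -> likely returned by the origin
  * anything else                                   -> another 403 cause (see the other sections)
"""
from statistics import mean

# Field list as declared by a CloudFront standard log '#Fields:' header.
FIELDS = ("date time x-edge-location sc-bytes c-ip cs-method cs(Host) cs-uri-stem "
          "sc-status cs(Referer) cs(User-Agent) cs-uri-query cs(Cookie) x-edge-result-type "
          "x-edge-request-id x-host-header cs-protocol cs-bytes time-taken x-forwarded-for "
          "ssl-protocol ssl-cipher x-edge-response-result-type cs-protocol-version fle-status "
          "fle-encrypted-fields c-port time-to-first-byte x-edge-detailed-result-type "
          "sc-content-type sc-content-len sc-range-start sc-range-end")


def make_row(overrides):
    """Build one tab-separated log line (constructed sample data, '-' for unset fields)."""
    row = {name: "-" for name in FIELDS.split()}
    row.update({"date": "2024-01-15", "time": "12:00:00", "x-edge-location": "IAD89-C1",
                "c-ip": "203.0.113.10", "cs-method": "GET",
                "cs(Host)": "d111111abcdef8.cloudfront.net", "cs-uri-stem": "/index.html",
                "sc-status": "200", "cs-protocol": "https", "x-edge-result-type": "Hit",
                "x-edge-detailed-result-type": "Hit", "time-taken": "0.120"})
    row.update(overrides)
    return "\t".join(row[name] for name in FIELDS.split())


# Constructed log excerpt: two successful requests and three different 403s.
SAMPLE_LOG = "\n".join([
    "#Version: 1.0",
    "#Fields: " + FIELDS,
    make_row({"x-edge-request-id": "req-hit"}),
    make_row({"x-edge-request-id": "req-miss", "x-edge-result-type": "Miss",
              "x-edge-detailed-result-type": "Miss", "time-taken": "0.410"}),
    make_row({"x-edge-request-id": "req-geo", "sc-status": "403", "c-ip": "198.51.100.7",
              "x-edge-result-type": "Error", "x-edge-detailed-result-type": "ClientGeoBlocked",
              "time-taken": "0.001"}),
    make_row({"x-edge-request-id": "req-waf", "sc-status": "403", "x-edge-result-type": "Error",
              "x-edge-detailed-result-type": "Error", "time-taken": "0.002"}),
    make_row({"x-edge-request-id": "req-origin", "sc-status": "403", "x-edge-result-type": "Error",
              "x-edge-detailed-result-type": "Error", "time-taken": "0.760"}),
])


def parse_log(text):
    """Yield one dict per request line, keyed by the names from the '#Fields:' header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
        elif line.startswith("#") or not line.strip():
            continue                      # '#Version:' and blank lines
        elif fields is not None:
            yield dict(zip(fields, line.split("\t")))


def classify_403(entry, avg_time_taken, edge_ratio=0.1):
    """Apply the article's rules to a single 403 entry; edge_ratio is an assumed threshold."""
    detailed = entry["x-edge-detailed-result-type"]
    if detailed == "ClientGeoBlocked":
        return "geo-restriction"
    if detailed == "Error":
        if float(entry["time-taken"]) < edge_ratio * avg_time_taken:
            return "edge-generated"       # too fast for an origin round trip: check AWS WAF
        return "origin"                   # took as long as a real fetch: check origin logs
    return "other"


def triage(text):
    """Return {request id: category} for every 403 in the log text."""
    entries = list(parse_log(text))
    # Average time-taken over non-403 responses, so blocked requests don't skew the baseline.
    baseline = [float(e["time-taken"]) for e in entries if e["sc-status"] != "403"]
    avg = mean(baseline) if baseline else 0.0
    return {e["x-edge-request-id"]: classify_403(e, avg)
            for e in entries if e["sc-status"] == "403"}


def response_source(headers):
    """Classify a 403 response by its Server header: 'edge' if CloudFront, otherwise 'origin'."""
    server = next((v for k, v in headers.items() if k.lower() == "server"), "")
    return "edge" if server.strip().lower() == "cloudfront" else "origin"


if __name__ == "__main__":
    for request_id, category in triage(SAMPLE_LOG).items():
        print(f"{request_id}: {category}")
```

The baseline average is taken over non-403 responses on purpose: the edge-generated blocks the article describes complete in a millisecond or two, and including them would drag the average down and hide the gap the time-taken check relies on. The response_source helper is the header-side counterpart: a 403 whose Server header isn't CloudFront is the case the custom-origin section tells you to take to the origin's own access logs.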

The error is caused by a signed URL or signed cookies configuration

If you have Restrict viewer access turned on in a cache behavior of your CloudFront distribution, then requests made without a signed URL or signed cookies result in a 403 error.

For more information about configuring signed cookies and signed URLs, see Serving private content with signed URLs and signed cookies.

For troubleshooting steps, see How do I troubleshoot issues related to a signed URL or signed cookies in CloudFront?

The distribution's viewer protocol policy isn't configured for HTTP and HTTPS

If an HTTP request is sent to a distribution whose Viewer Protocol Policy is set to HTTPS only, then the request can return a 403 error.

For more information, see Requiring HTTPS for communication between viewers and CloudFront.

AWS OFFICIAL. Updated a year ago.