How do I troubleshoot 403 errors from CloudFront?

3 minute read

I’m using Amazon CloudFront to serve content. My users are receiving an HTTP 403 errors with the messages “The request could not be satisfied” or “Access Denied.” How can I troubleshoot this?

Resolution

An alternate CNAME is incorrectly configured

To use an alternate CNAME instead of the default CloudFront URL:

Add the CNAME in your CloudFront distribution configuration.
Create a CNAME record in your DNS to point the CNAME to CloudFront distribution URL.

If you create the DNS record but don't add the CNAME in your CloudFront distribution configuration, then the request returns a 403 error. For instructions on configuring a custom CNAME, see Using custom URLs by adding alternate domain names (CNAMEs).

AWS WAF is configured on CloudFront distribution or at the origin

CloudFront can't distinguish between an HTTP status code 403 that’s returned by your origin and one that's returned by AWS WAF when a request is blocked.

To find the source of the 403 status code, check your AWS WAF web access control list (ACL) rule for a blocked request. For more information, see Testing web ACLs.

A custom origin is returning the 403 error

A 403 error might be caused by an AWS WAF or custom firewall configuration made at the origin. To troubleshoot, make the request directly to the origin. If you can replicate the error without CloudFront, then the origin is causing the 403 error.

If the error is caused by the custom origin, then check the origin logs to identify what might be causing the error.

An Amazon S3 origin returning 403 error

Based on your Amazon Simple Storage Service (Amazon S3) as origin configuration, see the following for troubleshooting:

I’m using an S3 website endpoint as the origin of my CloudFront distribution. Why am I getting 403 Access Denied errors?

I’m using an S3 REST API endpoint as the origin of my CloudFront distribution. Why am I getting 403 Access Denied errors?

The error is caused by a signed URL or signed cookies configuration

If you have Restrict viewer access turned on for your CloudFront’s behavior configuration, then requests made without using signed cookies or URL result in a 403 error.

For more information about configuring signed cookies and signed URLs, see Serving private content with signed URLs and signed cookies

For troubleshooting steps, see How do I troubleshoot issues related to a signed URL or signed cookies in CloudFront?

Topics

Networking & Content Delivery

Relevant content

CloudFront CNAME already exists error
Accepted Answer
Aleksei
asked 3 months ago
403 in CloudFront when using CNAME from customer domain.
user-4564135734
asked 5 months ago
CloudFormation and cloudfront CNAME
LordVee
asked a year ago
Error adding alternate domain to CloudFront distribution
sjonama
asked a year ago
CloudFront alternate domain name Certificates
Accepted Answer
AWS-User-6336697
asked 4 years ago
How can I configure CloudFront to serve my content using an alternate domain name over HTTPS?
AWS OFFICIALUpdated 10 months ago
How do I resolve the CNAMEAlreadyExists error when I set up a CNAME alias for my CloudFront distribution?
AWS OFFICIALUpdated 6 months ago
How do I use CloudFront to serve HTTPS requests for my Amazon S3 bucket?
AWS OFFICIALUpdated 4 months ago
How do I resolve "403 ERROR - The request could not be satisfied. Bad Request" in CloudFront?
AWS OFFICIALUpdated 2 months ago
Troubleshoot 403 Access Denied error in Amazon S3
EXPERT
Gayathri Krishnamoorthy
published 2 months ago