How do I troubleshoot 403 errors from CloudFront?

I’m using Amazon CloudFront to serve content. My users are receiving HTTP 403 errors with the messages “The request could not be satisfied” or “Access Denied.” How can I troubleshoot this?


An alternate CNAME is incorrectly configured

To use an alternate CNAME instead of the default CloudFront URL:

  1. Add the CNAME in your CloudFront distribution configuration.
  2. Create a CNAME record in your DNS to point the CNAME to the CloudFront distribution URL.

If you create the DNS record but don't add the CNAME in your CloudFront distribution configuration, then the request returns a 403 error. For instructions on configuring a custom CNAME, see Using custom URLs by adding alternate domain names (CNAMEs).
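The two-step check above, written as an added example (not AWS code): it reads a distribution configuration in the shape printed by `aws cloudfront get-distribution-config` and reports which of the two steps is missing for a host name. The function names, the sample configuration, and the distribution domain are constructed for illustration; `dns_cname_target` is assumed to be the value your resolver returns for the host's CNAME record.

```python
import json

# Constructed sample in the shape printed by
# `aws cloudfront get-distribution-config --id <distribution-id>`.
SAMPLE_CONFIG = json.loads("""
{
  "ETag": "EXAMPLEETAG",
  "DistributionConfig": {
    "Aliases": {"Quantity": 2,
                "Items": ["www.example.com", "*.static.example.com"]}
  }
}
""")
SAMPLE_DOMAIN = "d111111abcdef8.cloudfront.net"  # constructed distribution domain


def normalize(name):
    """Lower-case a DNS name and drop the trailing root dot."""
    return name.strip().lower().rstrip(".")


def alias_covers(alias, host):
    """True if a configured alternate domain name covers the host."""
    alias, host = normalize(alias), normalize(host)
    if alias.startswith("*."):
        # Assumption: a leading "*." alias covers any subdomain of the
        # suffix, but not the bare suffix itself.
        return host.endswith(alias[1:])
    return alias == host


def check_alternate_name(config, distribution_domain, host, dns_cname_target):
    """Return a list of findings; an empty list means both steps are done."""
    findings = []
    # "Items" can be absent when the distribution has no aliases.
    aliases = config["DistributionConfig"].get("Aliases", {}).get("Items") or []
    if not any(alias_covers(a, host) for a in aliases):
        # DNS may resolve, but CloudFront answers 403 for this Host header.
        findings.append("not-in-distribution-aliases")
    if dns_cname_target is None:
        findings.append("no-dns-cname")
    elif normalize(dns_cname_target) != normalize(distribution_domain):
        findings.append("dns-points-elsewhere")
    return findings
```

A result of `["not-in-distribution-aliases"]` for a host whose DNS record already points at the distribution is the 403 case described in this section.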

AWS WAF is configured on the CloudFront distribution or at the origin

CloudFront can't distinguish between an HTTP status code 403 that’s returned by your origin and one that's returned by AWS WAF when a request is blocked.

To find the source of the 403 status code, check your AWS WAF web access control list (ACL) rule for a blocked request. For more information, see Testing web ACLs.

A custom origin is returning the 403 error

A 403 error might be caused by an AWS WAF or custom firewall configuration made at the origin. To troubleshoot, make the request directly to the origin. If you can replicate the error without CloudFront, then the origin is causing the 403 error.

If the error is caused by the custom origin, then check the origin logs to identify what might be causing the error.

An Amazon S3 origin is returning the 403 error

Depending on how your Amazon Simple Storage Service (Amazon S3) origin is configured, see the following for troubleshooting:

I’m using an S3 website endpoint as the origin of my CloudFront distribution. Why am I getting 403 Access Denied errors?

I’m using an S3 REST API endpoint as the origin of my CloudFront distribution. Why am I getting 403 Access Denied errors?

The error is caused by a signed URL or signed cookies configuration

If you have Restrict viewer access turned on in your CloudFront distribution’s behavior configuration, then requests made without signed cookies or a signed URL result in a 403 error.

For more information about configuring signed cookies and signed URLs, see Serving private content with signed URLs and signed cookies.

For troubleshooting steps, see How do I troubleshoot issues related to a signed URL or signed cookies in CloudFront?

AWS OFFICIAL. Updated 10 months ago.