I'm using Amazon CloudFront to serve content. My users are receiving HTTP 403 errors with the message "The request could not be satisfied" or "Access Denied."
The domain name isn't associated with an alternate domain name (CNAME) on a distribution
If you create a Domain Name System (DNS) record that points your domain name to CloudFront but don't add that domain name as an alternate domain name (CNAME) in your CloudFront distribution configuration, then CloudFront returns a 403 error. This occurs even though the DNS CNAME record resolves to CloudFront.
CloudFront geographic restrictions were configured on the distribution
CloudFront geographic restrictions can prevent users in specific countries from accessing your content. If geographic restrictions cause the error, then the 403 response contains a message similar to: "The Amazon CloudFront distribution is configured to block access from your country." Also, the response header Server: CloudFront is present. The corresponding CloudFront access log entry contains ClientGeoBlocked as the value for x-edge-detailed-result-type.
AWS WAF is configured on the CloudFront distribution and is blocking the request
If you use AWS WAF to inspect requests forwarded to your distribution and a request doesn't meet the conditions that your web ACL allows, then AWS WAF blocks the request and you receive a 403 error. In this case, the error contains a message similar to: "Request blocked. We can't connect to the server for this app or website at this time." The Server response header contains CloudFront as the value. The corresponding access log entry has Error as the value for x-edge-detailed-result-type.
The same error message and a Server response header value of CloudFront might also be present when the request is blocked for a reason other than AWS WAF. To confirm that AWS WAF blocked the request and to identify the rule that blocked it, check the AWS WAF logs for the blocked request. Or, check the AWS WAF CloudFront metrics for the relevant web ACL. Then, check the web ACL to see which rules are blocking requests. For more information, see Testing and tuning your AWS WAF protections.
An Amazon S3 origin is returning a 403 error
Depending on your Amazon Simple Storage Service (Amazon S3) origin configuration, see the following for troubleshooting:
An origin can return a 403 error because of an application firewall or for another reason at the custom origin. If the response contains a Server header whose value isn't CloudFront, then the error might be returned from the custom origin.
To determine if the error is returned from the custom origin, check the origin HTTP access logs.
If you're not able to check the origin HTTP access logs, use the following troubleshooting methods:
Check the CloudFront access logs. If the time-taken field for the blocked request is significantly less than the average time-taken value for the distribution, then the response might not have come from the origin. A low time-taken value indicates that the response was sent from the edge location.
Make the request directly to the origin. If you can reproduce the error without going through CloudFront, then the origin might be returning the 403 error.
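The access-log checks above (ClientGeoBlocked for geographic restrictions, Error for AWS WAF blocks, and a time-taken value far below the distribution's average for edge-generated responses) can be automated. The following script is an added example and is not part of this article or of any AWS tooling. It parses a CloudFront standard (W3C-style) access log by reading the #Fields header, then triages every 403 entry with those heuristics. The sample log, the request IDs, the client IPs and the 20% "significantly less" threshold are all constructed assumptions; the sample keeps only the columns the example needs, but because the parser keys on the #Fields line it also works on a full log.

```python
"""Triage HTTP 403 entries in a CloudFront standard access log.

Added example (not from the article). Heuristics, as described in the
article:
  * x-edge-detailed-result-type == ClientGeoBlocked  -> geographic restriction
  * time-taken far below the average time-taken      -> answered at the edge
    (AWS WAF block, missing alternate domain name, signed URL/cookie checks)
  * otherwise                                        -> origin may have sent it
"""
import statistics
from typing import Dict, List

# Constructed sample log. The #Fields line is trimmed to the columns used
# here; real logs carry more columns, which the parser handles the same way.
SAMPLE_LOG = "\n".join([
    "#Version: 1.0",
    "#Fields: date time x-edge-location c-ip cs-method cs(Host) cs-uri-stem "
    "sc-status x-edge-result-type x-edge-request-id x-host-header time-taken "
    "x-edge-detailed-result-type",
    "2024-01-15\t10:00:01\tIAD89-C1\t198.51.100.10\tGET\td111111abcdef8.cloudfront.net"
    "\t/index.html\t200\tMiss\tREQ-MISS-0001\twww.example.com\t0.412\tMiss",
    "2024-01-15\t10:00:02\tIAD89-C1\t198.51.100.11\tGET\td111111abcdef8.cloudfront.net"
    "\t/index.html\t200\tHit\tREQ-HIT-0002\twww.example.com\t0.003\tHit",
    "2024-01-15\t10:00:03\tIAD89-C1\t198.51.100.12\tGET\td111111abcdef8.cloudfront.net"
    "\t/index.html\t403\tError\tREQ-GEO-0003\twww.example.com\t0.001\tClientGeoBlocked",
    "2024-01-15\t10:00:04\tIAD89-C1\t198.51.100.13\tGET\td111111abcdef8.cloudfront.net"
    "\t/admin\t403\tError\tREQ-EDGE-0004\twww.example.com\t0.002\tError",
    "2024-01-15\t10:00:05\tIAD89-C1\t198.51.100.14\tGET\td111111abcdef8.cloudfront.net"
    "\t/private.pdf\t403\tError\tREQ-ORIG-0005\twww.example.com\t0.395\tError",
])

# Assumed threshold: a 403 answered in under 20% of the average time-taken
# is treated as "significantly less" and therefore edge-generated.
EDGE_RATIO = 0.2


def parse_cloudfront_log(text: str) -> List[Dict[str, str]]:
    """Parse a tab-separated CloudFront log into dicts keyed by field name."""
    fields: List[str] = []
    entries: List[Dict[str, str]] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if line.startswith("#"):          # #Version and any other directive
            continue
        if not fields:
            raise ValueError("log entry appears before the #Fields header")
        values = line.split("\t")
        if len(values) != len(fields):
            raise ValueError(f"expected {len(fields)} columns, got {len(values)}")
        entries.append(dict(zip(fields, values)))
    return entries


def average_time_taken(entries: List[Dict[str, str]]) -> float:
    """Mean time-taken over non-403 responses; this is the baseline."""
    samples = [float(e["time-taken"]) for e in entries if e["sc-status"] != "403"]
    return statistics.mean(samples) if samples else 0.0


def classify_403(entry: Dict[str, str], baseline: float) -> str:
    """Return 'geo-restriction', 'edge' or 'origin-candidate' for a 403 entry."""
    if entry["x-edge-detailed-result-type"] == "ClientGeoBlocked":
        return "geo-restriction"
    if float(entry["time-taken"]) < EDGE_RATIO * baseline:
        return "edge"
    return "origin-candidate"


def triage(text: str) -> Dict[str, str]:
    """Map each 403 request ID to its most likely source."""
    entries = parse_cloudfront_log(text)
    baseline = average_time_taken(entries)
    return {
        e["x-edge-request-id"]: classify_403(e, baseline)
        for e in entries
        if e["sc-status"] == "403"
    }


if __name__ == "__main__":
    for request_id, verdict in triage(SAMPLE_LOG).items():
        print(f"{request_id}: {verdict}")
```

For an "edge" verdict, the next step is the AWS WAF logs or metrics for the web ACL (or the alternate domain name and signed URL settings if no web ACL is attached); for an "origin-candidate" verdict, the origin's own HTTP access logs, matched by x-edge-request-id where the origin records it, settle the question.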
The error is caused by a signed URL or signed cookies configuration
If Restrict viewer access is turned on in a cache behavior of your CloudFront distribution, then requests made without a signed URL or signed cookies result in a 403 error.