By using AWS re:Post, you agree to the Terms of Use

Connecting Cloudfront to Lambda Function Url Always Result in forbidden


I have setup a lambda function url and cloudfront system

  1. Lambda Function Url is straight forward, a function that will return an image or a json value
  2. Cloudfront using this setting:
    • Origins:
      • Origin Domain: {LAMBDA FUNCTION URL}
      • Protocol: HTTPS only - TLSv1
      • Enable Origin Shield: No
    • Behavior:
      • Viewer: Redirect HTTP to HTTPS
      • Allowed HTTP Method: GET, HEAD
      • Restrict Viewer Access: No
      • Cache Policy: Managed-CachingDisabled
      • Origin request policy: AllViewer

The result however always return 403 Forbidden with this body

{ "Message": null }

And this header

X-cache: Error from cloudfront
x-amzn-ErrorType: AccessDeniedException

Is there any setting that I missed that cause this error? I already test direct hit using postman and browser to the function url an it works fine

2 Answers
Accepted Answer

Thanks for the detailed description. You are getting 403 Forbidden due to the origin request policy AllViewer being used. In this case, when you access the website via CloudFront URL, the Host header similar to will be forwarded to the Lambda which will not be recognized, resulting in 403.

The solution is to create your custom origin request policy and only forward the necessary values (but not the Host header.)

answered a month ago
  • Thank you, it works so well, for my case, I also need to also forward origin and user-agent but it is because of my lambda function code.

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions