CloudFront does not seem to invoke lambda@edge function


I have a CloudFront distribution. The origin is an S3 object that uses OAI.

I have created a lambda@edge function following directions from

Basically, I want the lambda@edge function to redirect URLs ending in / to /index.html, acting like Apache DirectoryIndex.

The CloudFront distribution works for URLs without the redirect requirement. But CloudFront does not seem to invoke my lambda@edge function.

I have ensured there is a correct association between the CloudFront distribution and the lambda@edge function version.

I made several test requests:

 curl -I
HTTP/2 403 
content-type: application/xml
date: Sat, 19 Feb 2022 14:35:38 GMT
server: AmazonS3
x-cache: Error from cloudfront
via: 1.1 (CloudFront)
x-amz-cf-pop: EWR53-C2
x-amz-cf-id: leub-Kgu4Bh9xH4Rn5o7bxs62B1NBO4ViEu6hv-_xtGG7DSQlBFEXw=

I get 403. I did not find any lambda@edge logs in any region.

What could be the issue? How do I go about finding it?

asked 2 years ago, 820 views
2 Answers

A 403 error is a permissions issue. Check if the IAM role attached to your Lambda@Edge function can be assumed by the service principals and Here's a documentation for details:

answered 2 years ago
  • The Lambda@Edge function has the principals:

        "Version": "2012-10-17",
        "Statement": [
                "Sid": "",
                "Effect": "Allow",
                "Principal": {
                    "Service": [
                "Action": "sts:AssumeRole"


I see that you are having issues with CloudFront not invoking your Lambda@Edge function. It is important to note the HTTP 403 error you are getting, which indicates a permissions error.

You stated that the CloudFront distribution works correctly when your Lambda@Edge is not called, which indicates that this 403 error is a result of misconfigured IAM permissions of the Lambda@Edge function.

It appears from your response that your Trust Policy for the Lambda@Edge function is correctly configured, which leaves the execution role you specified upon creation of the Lambda@Edge function.

You should select "Create a new role from AWS policy templates", and then select "Basic Lambda@Edge permissions (for CloudFront trigger)" Policy template to correctly configure the IAM permissions for the Lambda@Edge function.

Hope this helps!

For reference:

answered 4 months ago
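
A check for the trust-policy condition both answers refer to, as an added example that is not part of the original thread: it reports which service principals a Lambda@Edge execution role needs to trust are missing from a trust policy document. The principal names `lambda.amazonaws.com` and `edgelambda.amazonaws.com` are taken from AWS documentation rather than from this page, and the function name and sample policies are constructed for illustration.

```python
import json

# Assumption (from AWS documentation, not from this page): both service
# principals must be able to assume a Lambda@Edge execution role.
REQUIRED_PRINCIPALS = {"lambda.amazonaws.com", "edgelambda.amazonaws.com"}
ASSUME_ACTIONS = {"sts:assumerole", "sts:*", "*"}


def _as_list(value):
    """IAM accepts a single value wherever it accepts a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def missing_edge_principals(trust_policy):
    """Return required service principals that the policy does not trust.

    Only Allow statements granting sts:AssumeRole are counted; Condition
    blocks and explicit Deny statements are not evaluated here.
    """
    if isinstance(trust_policy, str):
        trust_policy = json.loads(trust_policy)
    trusted = set()
    for stmt in _as_list(trust_policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        if not actions & ASSUME_ACTIONS:
            continue
        principal = stmt.get("Principal")
        if not isinstance(principal, dict):
            continue  # e.g. "*" is not a service-principal grant
        trusted.update(s.lower() for s in _as_list(principal.get("Service")))
    return sorted(REQUIRED_PRINCIPALS - trusted)


def _policy(service, effect="Allow"):
    """Build a constructed sample trust policy for the demo below."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "", "Effect": effect,
        "Principal": {"Service": service}, "Action": "sts:AssumeRole"}]}


# Constructed samples: a role created for regular Lambda only, and a correct one.
LAMBDA_ONLY = _policy("lambda.amazonaws.com")
BOTH = _policy(["lambda.amazonaws.com", "edgelambda.amazonaws.com"])

if __name__ == "__main__":
    for name, doc in (("LAMBDA_ONLY", LAMBDA_ONLY), ("BOTH", BOTH)):
        print(name, "missing:", missing_edge_principals(doc) or "none")
```

The document to check can be read from the role with `aws iam get-role --role-name <role-name> --query Role.AssumeRolePolicyDocument`.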
