I use Amazon CloudFront to deliver my content, but my viewers receive "HTTP 403" errors.
Resolution
To troubleshoot CloudFront "HTTP 403" errors, complete the following actions based on your distribution configuration.
Associate the domain name with a CNAME on the distribution
If you use DNS to point your custom domain name to your distribution but don't add an alternate domain name (CNAME), then check your configuration. CloudFront returns a "403" error if you don't add a CNAME, even if the CNAME redirects towards CloudFront at the DNS level.
To use a CNAME instead of the default CloudFront URL, follow the instructions to add an alternate domain name. For more information, see Alternate CNAME is incorrectly configured.
Check your CloudFront geographic restriction settings
CloudFront geographic restrictions can prevent access to your content for users in specific countries. Check your geographic restriction settings to allow or deny access to your CloudFront distribution.
For more information, see How do I use CloudFront geographic restrictions to control access to my web content?
Review your AWS WAF rules configuration
If you misconfigure your AWS WAF rules, then you might get a "403" error.
To resolve this issue, see How do I resolve the "403 Error - The request could not be satisfied. Request Blocked" error in CloudFront?
An Amazon S3 origin returned a "403" error
Based on your Amazon Simple Storage Service (Amazon S3) origin endpoint configuration, see the following articles:
Why do I get a "403 access denied" error when I use an Amazon S3 website endpoint as the origin of my CloudFront distribution?
Why do I get "403 Access Denied" errors when I use an S3 REST API endpoint as the origin of my CloudFront distribution?
Note: If you specified an origin path on your S3 origin, then make sure that the S3 origin path matches the CloudFront URI path characters exactly.
A custom origin returned a "403" error
A custom origin might return a "403" error because of an application firewall or misconfigured setting from the origin server.
To verify that the error is returned from the custom origin, check the origin HTTP access logs.
If you can't check the origin HTTP access logs, then take the following actions:
- Check the CloudFront access logs. If the time-taken field for the request is less than the average time-taken value, then the response might not be from the origin. A low time-taken value shows that an edge location sent the response.
- Make the request directly to the origin instead of through CloudFront. If you can replicate the error, then the origin might have returned the "403" error.
- If the response includes a server header whose value isn't CloudFront, then a custom origin might have returned the error.
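The access-log check in the first bullet, as an added example that is not part of the original article or any AWS tool: it parses a constructed, simplified CloudFront standard-log sample using the "#Fields:" header, then flags each "403" as edge-generated or possibly origin-generated by comparing its time-taken with the average. The ratio threshold is an assumption, not an AWS recommendation.

```python
"""Triage 403s in CloudFront standard access logs: edge or origin?

A 403 whose time-taken is well below the average of all requests was
most likely answered at the edge (geo restriction, AWS WAF, signed-URL
check) without a round trip to the origin.
"""
from statistics import mean

# Constructed sample in the standard-log layout (tab-separated values,
# "#Fields:" header). Only the fields this check needs are included.
SAMPLE_LOG = """#Version: 1.0
#Fields: date time x-edge-location c-ip cs-method cs-uri-stem sc-status time-taken
2024-01-01\t10:00:00\tIAD89-C1\t203.0.113.10\tGET\t/index.html\t200\t0.412
2024-01-01\t10:00:01\tIAD89-C1\t203.0.113.10\tGET\t/admin\t403\t0.003
2024-01-01\t10:00:02\tFRA50-C2\t198.51.100.7\tGET\t/report.pdf\t403\t0.398
2024-01-01\t10:00:03\tFRA50-C2\t198.51.100.7\tGET\t/app.js\t200\t0.002
"""


def parse_log(text):
    """Return one dict per request, keyed by the names in the #Fields: line."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            rows.append(dict(zip(fields, line.split("\t"))))
    return rows


def triage_403s(rows, ratio=1.0):
    """Label each 403 'edge' or 'origin?' from its time-taken.

    ratio=1.0 reproduces the article's rule (below the average); a lower
    ratio (assumed tunable, e.g. 0.5) makes the 'edge' verdict stricter.
    """
    avg = mean(float(r["time-taken"]) for r in rows)
    verdicts = []
    for r in rows:
        if r["sc-status"] != "403":
            continue
        verdict = "edge" if float(r["time-taken"]) < avg * ratio else "origin?"
        verdicts.append((r["time"], r["cs-uri-stem"], verdict))
    return verdicts


if __name__ == "__main__":
    for entry in triage_403s(parse_log(SAMPLE_LOG)):
        print(*entry)
```

Requests labelled "origin?" are the ones worth confirming against the origin's own access logs or with a direct request to the origin.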
A signed URL or signed cookies misconfiguration caused the "403" error
If you have Restrict viewer access turned on for your CloudFront distribution's behavior configuration, then make sure that you use signed URLs and signed cookies. For more information, see Serve private content with signed URLs and signed cookies.
To troubleshoot further, see How do I troubleshoot "403 Access Denied" errors related to a signed URL or signed cookies in CloudFront?
A chained distribution returned a "403" error
If you have two or more distributions within a chain of requests to the origin endpoint, then CloudFront returns a "403" error. It's a best practice to not place one distribution in front of another.
Check the viewer protocol policy configuration for HTTP and HTTPS
If requests are initiated over HTTP but you configured the CloudFront distribution to allow only HTTPS requests, then you might get the "403" error.
To resolve this issue, see How do I resolve the "403 ERROR - The request could not be satisfied. Bad Request" error in CloudFront?
Related information
How do I troubleshoot HTTP 403 errors from Amazon API Gateway?
How do I troubleshoot Application Load Balancer HTTP 403 forbidden errors?
HTTP 403 status code (Permission Denied)