How do I resolve the "One or more of your origins or origin groups do not exist" error in AWS CloudFormation?

Last updated: 2020-06-19

When I try to create or update an AWS CloudFormation stack that contains an Amazon CloudFront distribution, I get the following error from AWS CloudFormation: "One or more of your origins or origin groups do not exist." How can I resolve this error?

Short description

You get this error from AWS CloudFormation when the TargetOriginId property of CacheBehavior or DefaultCacheBehavior doesn't match a CloudFront origin or origin group ID. This ID is a user-defined string that uniquely identifies an origin or origin group.

Before AWS CloudFormation supported origin groups, you could create an origin group manually and reference the origin group on TargetOriginId. Now, you must define an origin group in the template and manage all your resources through AWS CloudFormation.

Tip: It's a best practice to avoid making changes to stack resources outside of AWS CloudFormation. This can create a mismatch between your stack's template and the current state of your stack resources. If you update or delete the stack, the mismatch can cause errors.


1.    To confirm that the TargetOriginId matches the ID of one of the defined origins or origin groups, enter the correct origin ID as a parameter for DefaultCacheBehavior or CacheBehavior.

In the following example JSON and YAML template snippets, a CloudFront distribution with a single origin is defined and consumed by the DefaultCacheBehavior. Additionally, this origin uses an origin access identity (OAI) for authentication. In the examples, the origin ID is set to my-s3-origin.


JSON:

{
    "AWSTemplateFormatVersion": "2010-09-09",
    "Resources": {
        "cloudfrontdistribution": {
            "Type": "AWS::CloudFront::Distribution",
            "Properties": {
                "DistributionConfig": {
                    "DefaultCacheBehavior": {
                        "ViewerProtocolPolicy": "https-only",
                        "DefaultTTL": 3600,
                        "ForwardedValues": {
                            "Cookies": {
                                "Forward": "none"
                            },
                            "QueryString": true
                        },
                        "TargetOriginId": "my-s3-origin"
                    },
                    "Enabled": true,
                    "Origins": [{
                        "DomainName": "",
                        "Id": "my-s3-origin",
                        "S3OriginConfig": {
                            "OriginAccessIdentity": { "Fn::Sub" : "origin-access-identity/cloudfront/${CloudFrontOriginAccessIdentity}" }
                        },
                        "OriginPath": "/my-content"
                    }]
                }
            }
        },
        "CloudFrontOriginAccessIdentity": {
            "Type": "AWS::CloudFront::CloudFrontOriginAccessIdentity",
            "Properties": {
                "CloudFrontOriginAccessIdentityConfig": {
                    "Comment": { "Ref": "AWS::StackName" }
                }
            }
        }
    }
}

Note: Replace my-s3-origin with your origin ID. Replace the empty DomainName value with your domain name. Replace /my-content with your origin path.


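YAML:

AWSTemplateFormatVersion: "2010-09-09"
Resources:
  cloudfrontdistribution:
    Type: AWS::CloudFront::Distribution
    Properties:
      DistributionConfig:
        DefaultCacheBehavior:
          ViewerProtocolPolicy: https-only
          DefaultTTL: 3600
          ForwardedValues:
            Cookies:
              Forward: none
            QueryString: true
          TargetOriginId: my-s3-origin
        Enabled: true
        Origins:
          - DomainName: ''
            Id: my-s3-origin
            S3OriginConfig:
              OriginAccessIdentity: !Sub origin-access-identity/cloudfront/${CloudFrontOriginAccessIdentity}
            OriginPath: /my-content
  CloudFrontOriginAccessIdentity:
    Type: AWS::CloudFront::CloudFrontOriginAccessIdentity
    Properties:
      CloudFrontOriginAccessIdentityConfig:
        Comment: !Sub ${AWS::StackName}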

2.    To verify that your AWS CloudFormation stack was created or updated, test your CloudFront distribution.