How do I troubleshoot 403 errors from CloudFront?
Last updated: 2022-06-09
An alternate CNAME is incorrectly configured
To use an alternate CNAME instead of the default CloudFront URL:
- Add the CNAME in your CloudFront distribution configuration.
- Create a CNAME record in your DNS that points the CNAME to the CloudFront distribution URL.
If you create the DNS record but don't add the CNAME in your CloudFront distribution configuration, then the request returns a 403 error. For instructions on configuring a custom CNAME, see Using custom URLs by adding alternate domain names (CNAMEs).
AWS WAF is configured on the CloudFront distribution or at the origin
CloudFront can't distinguish between an HTTP status code 403 that’s returned by your origin and one that's returned by AWS WAF when a request is blocked.
A custom origin is returning the 403 error
A 403 error might be caused by an AWS WAF or custom firewall configuration made at the origin. To troubleshoot, make the request directly to the origin. If you can replicate the error without CloudFront, then the origin is causing the 403 error.
If the error is caused by the custom origin, then check the origin logs to identify what might be causing the error.
An Amazon S3 origin is returning the 403 error
Based on how Amazon Simple Storage Service (Amazon S3) is configured as your origin, see the following for troubleshooting:
The error is caused by a signed URL or signed cookies configuration
If you have Restrict viewer access turned on in your CloudFront behavior configuration, then requests made without signed cookies or a signed URL result in a 403 error.
For more information about configuring signed cookies and signed URLs, see Serving private content with signed URLs and signed cookies.
For troubleshooting steps, see How do I troubleshoot issues related to a signed URL or signed cookies in CloudFront?
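The following Python sketch is an added example, not AWS-provided code. It reads the JSON returned by `aws cloudfront get-distribution-config` and reports which causes from the alternate CNAME, AWS WAF, and signed URL sections apply to a given hostname. The sample config, the `kg-placeholder` ID, and the function names are constructed, and matching wildcard aliases with `fnmatch` is an assumption about how `*.example.com` entries should be compared.

```python
import json
from fnmatch import fnmatchcase

# Constructed sample shaped like `aws cloudfront get-distribution-config` output
# (only the fields this check reads; every value is made up).
SAMPLE = json.loads("""
{"DistributionConfig": {
  "Aliases": {"Quantity": 1, "Items": ["www.example.com"]},
  "WebACLId": "",
  "DefaultCacheBehavior": {
    "TrustedSigners": {"Enabled": false, "Quantity": 0},
    "TrustedKeyGroups": {"Enabled": false, "Quantity": 0}},
  "CacheBehaviors": {"Quantity": 1, "Items": [
    {"PathPattern": "/private/*",
     "TrustedSigners": {"Enabled": false, "Quantity": 0},
     "TrustedKeyGroups": {"Enabled": true, "Quantity": 1,
                          "Items": ["kg-placeholder"]}}]}
}}
""")


def restricted_paths(cfg):
    """Path patterns whose behavior has Restrict viewer access turned on."""
    behaviors = [("Default (*)", cfg.get("DefaultCacheBehavior", {}))]
    for b in cfg.get("CacheBehaviors", {}).get("Items") or []:
        behaviors.append((b.get("PathPattern", "?"), b))
    return [path for path, b in behaviors
            if b.get("TrustedKeyGroups", {}).get("Enabled")
            or b.get("TrustedSigners", {}).get("Enabled")]


def triage_403(response, host):
    """Return the 403 causes from this article that the config makes possible."""
    cfg = response["DistributionConfig"]
    host = host.lower()
    aliases = [a.lower() for a in cfg.get("Aliases", {}).get("Items") or []]
    findings = []
    # The default *.cloudfront.net name needs no alias; custom names must be listed.
    # Assumption: a wildcard alias (*.example.com) is compared with fnmatch.
    if not host.endswith(".cloudfront.net") and \
            not any(fnmatchcase(host, a) for a in aliases):
        findings.append(f"alias-missing: {host} is not an alternate domain name")
    if cfg.get("WebACLId"):  # only sees a web ACL on the distribution, not the origin
        findings.append("waf-attached: check AWS WAF for blocked requests")
    for path in restricted_paths(cfg):
        findings.append(f"signed-required: {path} needs a signed URL or cookies")
    return findings


if __name__ == "__main__":
    print("\n".join(triage_403(SAMPLE, "cdn.example.com")))
```

An empty result means none of these three distribution-level causes applies, which leaves the origin itself to check by requesting it directly.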