Troubleshooting Distribution Issues
Use the information here to help you diagnose and fix access-denied issues or other common issues that you might encounter when working with Amazon CloudFront distributions.
I Can't View the Files in My Web Distribution
If you can't view the files in your CloudFront web distribution, see the following topics for some common solutions.
Did You Sign Up for Both CloudFront and Amazon S3?
To use Amazon CloudFront with an Amazon S3 origin, you must sign up for both CloudFront and Amazon S3, separately. For more information about signing up for CloudFront and Amazon S3, see Getting Started with CloudFront.
Are Your Amazon S3 Bucket and Object Permissions Set Correctly?
If you are using CloudFront with an Amazon S3 origin, the original versions of your content are stored in an Amazon S3 bucket. The easiest way to use CloudFront with Amazon S3 is to make all your objects publicly readable in Amazon S3. To do this, you must explicitly enable public read privileges for each object that you upload to Amazon S3.
If your content is not publicly readable, you must create a CloudFront origin access identity so that CloudFront can access it. For more information about CloudFront origin access identities, see Using an Origin Access Identity to Restrict Access to Your Amazon S3 Content.
Object properties and bucket properties are independent. You must explicitly grant privileges to each object in Amazon S3. Objects do not inherit properties from buckets, and object properties must be set independently of the bucket.
Is Your Alternate Domain Name (CNAME) Correctly Configured?
If you already have an existing CNAME record for your domain name, update that record or replace it with a new one that points to your distribution's domain name.
Also, make sure that your CNAME record points to your distribution's domain name, not your Amazon S3 bucket. To confirm that the CNAME record in your DNS system points to your distribution's domain name, use a DNS tool like dig. For information about dig, see http://www.kloth.net/services/dig.php.
The following example shows a dig request for a domain name called images.example.com and the relevant part of the response. Under ANSWER SECTION, see the line that contains CNAME. The CNAME record for your domain name is set up correctly if the value on the right side of CNAME is your CloudFront distribution's domain name. If it's your Amazon S3 origin server bucket or some other domain name, then the CNAME record is set up incorrectly.
[prompt]> dig images.example.com
; <<> DiG 9.3.3rc2 <<> images.example.com
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15917
;; flags: qr rd ra; QUERY: 1, ANSWER: 9, AUTHORITY: 2, ADDITIONAL: 0
;; QUESTION SECTION:
;images.example.com. IN A
;; ANSWER SECTION:
images.example.com. 10800 IN CNAME d111111abcdef8.cloudfront.net.
...
...
For more information about CNAMEs, see Using Alternate Domain Names (CNAMEs).
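The CNAME check described above, written as a script. This is an added example, not part of the original AWS page: classify_cname is a hypothetical helper that reads dig output and reports whether the CNAME for the given name targets a CloudFront distribution, an Amazon S3 endpoint, or some other domain. The bucket hostname in the sample data is constructed, and the S3 hostname pattern is an assumption that covers common endpoint forms.

```shell
#!/bin/sh
# Added example: classify the target of a CNAME record in dig output.
# stdin: dig output; $1: the alternate domain name being checked.
# Prints one of: "cloudfront <target>", "s3 <target>", "other <target>", "none"
classify_cname() {
    awk -v name="$1" '
        BEGIN { name = tolower(name); sub(/\.$/, "", name); verdict = "none" }
        /^;/ || NF < 5 { next }   # skip dig comment lines and non-record lines
        {
            owner = tolower($1); sub(/\.$/, "", owner)
            if (owner != name || toupper($4) != "CNAME") next
            target = tolower($5); sub(/\.$/, "", target)
            if (target ~ /\.cloudfront\.net$/)
                verdict = "cloudfront " target      # set up correctly
            else if (target ~ /\.s3[.-][a-z0-9.-]*amazonaws\.com$/)
                verdict = "s3 " target              # points at the origin bucket
            else
                verdict = "other " target           # some other domain name
            exit
        }
        END { print verdict }
    '
}

# Constructed sample: the response shown on this page.
sample_ok() {
cat <<'EOF'
; <<> DiG 9.3.3rc2 <<> images.example.com
;; QUESTION SECTION:
;images.example.com. IN A
;; ANSWER SECTION:
images.example.com. 10800 IN CNAME d111111abcdef8.cloudfront.net.
EOF
}

# Constructed sample: a record that points at an S3 bucket instead.
sample_s3() {
cat <<'EOF'
;; ANSWER SECTION:
images.example.com. 10800 IN CNAME example-bucket.s3.amazonaws.com.
EOF
}

# Live usage: dig +noall +answer images.example.com | classify_cname images.example.com
```

A result of "s3" or "other" means the record is set up incorrectly, and "none" means no CNAME record for that name appeared in the answer.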
Are You Referencing the Correct URL for Your CloudFront Distribution?
Make sure that the URL that you're referencing uses the domain name (or CNAME) of your CloudFront distribution, not your Amazon S3 bucket or custom origin.
Do You Need Help Troubleshooting a Custom Origin?
If you need AWS to help you troubleshoot a custom origin, we probably will need to inspect the X-Amz-Cf-Id header entries from your requests. If you are not already logging these entries, you might want to consider it for the future. For more information, see Requirements and Recommendations for Using Amazon EC2 and Other Custom Origins. For further help, see the AWS Support Center.
I Can't View the Files in My RTMP Distribution
If you can't view the files in your RTMP distribution, are your URL and your playback client correctly configured? RTMP distributions require you to use an RTMP protocol instead of HTTP, and you must make a few minor configuration changes to your playback client. For information about creating RTMP distributions, see Task List for Streaming Media Files Using RTMP.
Error Message: Certificate: <certificate-id> Is Being Used by CloudFront
Problem: You're trying to delete an SSL/TLS certificate from the IAM certificate store, and you're getting the message "Certificate: <certificate-id> is being used by CloudFront."
Solution: Every CloudFront web distribution must be associated either with the default CloudFront certificate or with a custom SSL/TLS certificate. Before you can delete an SSL/TLS certificate, you must either rotate the certificate (replace the current custom SSL/TLS certificate with another custom SSL/TLS certificate) or revert from using a custom SSL/TLS certificate to using the default CloudFront certificate. To do that, perform the procedure in the applicable section: