HTTP 403 status code (Permission Denied)
An HTTP 403 error means the client isn't authorized to access the requested resource. The client understands the request, but can't authorize viewer access. The following are common causes when CloudFront returns this status code:
Topics
- Alternate CNAME is incorrectly configured
- AWS WAF is configured on CloudFront distribution or at the origin
- Custom origin returns a 403 error
- Amazon S3 origin returns a 403 error
- Geographic restrictions return a 403 error
- Signed URL or signed cookie configuration returns a 403 error
- Stacked distributions cause a 403 error
Alternate CNAME is incorrectly configured
Verify that you specified the correct CNAME for our distribution. To use an alternate CNAME instead of the default CloudFront URL:
-
Create a CNAME record in your DNS to point the CNAME to CloudFront distribution URL.
-
Add the CNAME in your CloudFront distribution configuration.
If you create the DNS record but don't add the CNAME in your CloudFront distribution configuration, then the request returns a 403 error. For more information about configuring a custom CNAME, see Use custom URLs by adding alternate domain names (CNAMEs).
AWS WAF is configured on CloudFront distribution or at the origin
When AWS WAF sits between the client and CloudFront, CloudFront can't distinguish between a 403 error code that’s returned by your origin and a 403 error code that's returned by AWS WAF when a request is blocked.
To find the source of the 403 status code, check your AWS WAF web access control list (ACL) rule for a blocked request. For more information, see the following topics:
Custom origin returns a 403 error
If you're using a custom origin, you might see a 403 error if you have a custom firewall configuration at the origin. To troubleshoot, make the request directly to the origin. If you can replicate the error without CloudFront, then the origin is causing the 403 error.
If the custom origin is causing the error, check the origin logs to identify what might be causing the error. For more information, see the following troubleshooting topics:
Amazon S3 origin returns a 403 error
You might see a 403 error for the following reasons:
-
CloudFront doesn't have access to the Amazon S3 bucket. This can happen if origin access identity (OAI) or origin access control (OAC) isn't enabled for your distribution and the bucket is private.
-
The specified path in the requested URL isn't correct.
-
The requested object doesn't exist.
-
The host header was forwarded with the REST API endpoint. For more information, see HTTP Host header bucket specification in the Amazon Simple Storage Service User Guide.
-
You configured custom error pages. For more information, see How CloudFront processes errors when you have configured custom error pages.
Geographic restrictions return a 403 error
If you enabled geographic restrictions (also known as geoblocking) to prevent users in specific geographic locations from accessing content that you're distributing through a CloudFront distribution, blocked users receive a 403 error.
For more information, see Restrict the geographic distribution of your content.
Signed URL or signed cookie configuration returns a 403 error
If you enabled Restrict viewer access for your distribution's behavior configuration, then requests that don't use signed cookies or signed URLs result in a 403 error. For more information, see the following topics:
Stacked distributions cause a 403 error
If you have two or more distributions within a chain of requests to the origin endpoint, CloudFront returns a 403 error. We don't recommend placing one distribution in front of another.