Introduction

CloudFront returns 403 when origin access identity is misconfigured or S3 bucket policy denies access. This guide provides step-by-step diagnosis and resolution with specific commands and configuration examples.

Symptoms

Typical symptoms and error messages when this issue occurs:

```text
HTTP 403 Forbidden
<Code>AccessDenied</Code>
<Message>Access Denied</Message>
<RequestId>ABC123</RequestId>
```

Observable indicators:

  • CDN returns errors to end users
  • Content not being cached as expected
  • SSL or security configuration issues

Common Causes

CloudFront issues are commonly caused by:

  1. Origin access identity or S3 bucket policy misconfiguration
  2. Cache behavior TTL settings preventing caching
  3. Origin server unreachable or returning invalid responses
  4. Geo restriction or signed URL misconfiguration

Step-by-Step Fix

Step 1: Check Current State

```bash
aws cloudfront get-distribution --id <distribution-id>
```

Step 2: Identify Root Cause

```bash
aws cloudfront list-invalidations --distribution-id <id>
```

Step 3: Apply Primary Fix

S3 bucket policy granting the CloudFront OAI read access to the objects in the bucket (a `#` comment is not valid inside JSON, so the description is kept outside the block):

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowCloudFrontAccess",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity <OAI-ID>"
      },
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::my-bucket/*"
    }
  ]
}
```

Apply this configuration in the CDN dashboard or via API.
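As an added example (not part of this guide), the check below evaluates a bucket policy offline the way IAM would for the OAI principal: it confirms an Allow statement names the OAI ARN, covers `s3:GetObject`, and has a Resource pattern that actually matches object keys (the frequent mistake is a Resource of `arn:aws:s3:::my-bucket` without `/*`). The OAI ID and bucket name are constructed placeholders; in practice the policy document comes from `aws s3api get-bucket-policy --bucket <bucket>`.

```python
import fnmatch

# Constructed placeholders; substitute the real OAI ID and bucket name.
OAI_ID = "EXAMPLEOAIID"
OAI_ARN = f"arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity {OAI_ID}"
BUCKET = "my-bucket"

# The Step 3 policy (correct) and a broken variant whose Resource names the
# bucket itself instead of the objects inside it (missing "/*").
FIXED_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "AllowCloudFrontAccess", "Effect": "Allow",
    "Principal": {"AWS": OAI_ARN}, "Action": "s3:GetObject",
    "Resource": f"arn:aws:s3:::{BUCKET}/*"}]}
BROKEN_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "AllowCloudFrontAccess", "Effect": "Allow",
    "Principal": {"AWS": OAI_ARN}, "Action": "s3:GetObject",
    "Resource": f"arn:aws:s3:::{BUCKET}"}]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def oai_can_get_object(policy, oai_arn, bucket, key="index.html"):
    """True when the bucket policy lets this OAI read s3://bucket/key.

    Simplified IAM evaluation for a single principal: a matching explicit
    Deny wins; otherwise at least one matching Allow is required.
    """
    object_arn = f"arn:aws:s3:::{bucket}/{key}"
    allowed = False
    for stmt in policy.get("Statement", []):
        principal = stmt.get("Principal", {})
        aws = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
        if oai_arn not in aws and "*" not in aws:
            continue  # statement does not apply to this OAI
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        if not any(fnmatch.fnmatchcase("s3:getobject", a) for a in actions):
            continue  # action not covered (IAM action names are case-insensitive)
        resources = _as_list(stmt.get("Resource", []))
        if not any(fnmatch.fnmatchcase(object_arn, r) for r in resources):
            continue  # resource pattern does not match the object ARN
        if stmt.get("Effect") == "Deny":
            return False
        allowed = allowed or stmt.get("Effect") == "Allow"
    return allowed

if __name__ == "__main__":
    for name, pol in (("fixed", FIXED_POLICY), ("broken", BROKEN_POLICY)):
        print(name, "-> OAI can GetObject:", oai_can_get_object(pol, OAI_ARN, BUCKET))
```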

Step 4: Apply Alternative Fix (If Needed)

```text
# Alternative fix: adjust TTL
Edge-Cache-TTL: 3600
Stale-While-Revalidate: 86400
```

Step 5: Verify the Fix

After applying the fix, verify with:

```bash
curl -I https://<distribution>.cloudfront.net/test | grep -E "X-Cache|X-Amz-Cf"
```

Expected output should show proper caching headers and successful content delivery.

Common Pitfalls

  • S3 bucket policy not updated for OAI
  • Cache behavior path pattern incorrect
  • Origin timeout too short for large file uploads
  • Signed URL expired before user access

Best Practices

  • Use Origin Shield to reduce origin load
  • Configure appropriate cache behaviors
  • Use Lambda@Edge for dynamic content
  • Enable real-time logs for debugging