Last updated: 2023-01-20
Amazon CloudFront is returning the error message «403 Error — The request could not be satisfied. Request Blocked.»
Short description
The error message «403 Error — The request could not be satisfied. Request Blocked.» is an error from the client. This error can occur due to the default actions of AWS WAF rules associated with the CloudFront distribution. The following settings might cause a Request Blocked error:
- When the default action is set to Allow, the request matches a rule that has Action set to Block.
- When the default action is set to Block, the request matches the conditions of a rule that has Action set to Block.
-or- - When the default action is set to Block, the request doesn’t match the conditions of any rule that has Action set to Allow.
For information on troubleshooting other types of 403 errors, see How do I troubleshoot 403 errors from CloudFront?
Resolution
To resolve the Request Blocked error:
- Open the CloudFront console.
- Choose the ID for the distribution that you want to update.
- Choose the General tab.
- Under Settings, in the AWS WAF web ACL list, choose the web access control list (web ACL) associated with your distribution.
- In the AWS WAF console, choose Web ACLs.
- On the Web ACLs page, for AWS Region, choose Global (CloudFront).
- Choose the web ACLs that require review. Check that the AWS WAF default action is set on the web ACL.
- To resolve the Request Blocked error when the default action is Allow, review the requests. Be sure that they don’t match the conditions for any AWS WAF rules with Action set to Block.
If valid requests match the conditions for a rule that blocks requests, then update the rule to allow the requests. - To resolve the Request Blocked error when the default action is Block, review the requests. Be sure that they match the conditions for any AWS WAF rules with Action set to Allow.
If valid requests don’t match any existing rules that allow requests, then create a rule that allows the requests.
Note: For more troubleshooting, use the
AWS WAF console to review a sample of requests that match the rule that might cause the Request Blocked error. For more information, see
Testing and tuning your AWS WAF protections.
Did this article help?
Do you need billing or technical support?
AWS support for Internet Explorer ends on 07/31/2022. Supported browsers are Chrome, Firefox, Edge, and Safari.
Learn more »
How do I resolve «403 ERROR — The request could not be satisfied. Bad Request» in CloudFront?
Last updated: 2023-01-19
Amazon CloudFront is returning the error message «403 ERROR — The request could not be satisfied. Bad Request.»
Short description
The error message «403 ERROR — The request could not be satisfied. Bad Request.» is from the client. This error can occur due to one of the following reasons:
- The request is initiated over HTTP, but the CloudFront distribution is configured to allow only HTTPS requests. To resolve this issue, follow the steps in the Allow HTTP requests Resolution section.
- The requested alternate domain name (CNAME) isn’t associated with the CloudFront distribution. To resolve this issue, follow the steps in the Associate a CNAME with a distribution Resolution section.
Note: This resolution is for troubleshooting the error when you own the application or website that uses CloudFront to serve content to end users. If you receive this error when trying to view an application or access a website, then contact the provider or website owner for assistance.
For information on troubleshooting other types of 403 errors, see How do I troubleshoot 403 errors from CloudFront?
Resolution
Allow HTTP requests
Follow these steps:
- Open the Amazon CloudFront console.
- Choose the distribution that’s returning the Bad Request error.
- Choose the Behaviors tab.
- Choose the behavior that matches the request. Then, choose Edit.
- For Viewer Protocol Policy, choose either HTTP and HTTPS or Redirect HTTP to HTTPS.
Note: HTTP and HTTPS allows connections on both HTTP and HTTPS. Redirect HTTP to HTTPS automatically redirects HTTP requests to HTTPS. - Choose Save Changes.
Associate a CNAME with a distribution
Follow these steps:
- Open the Amazon CloudFront console.
- Choose the distribution that’s returning the Bad Request error.
- Choose the General tab.
- Under Settings, choose Edit.
- For Alternate Domain Names (CNAMEs), select Add Item.
- Enter the CNAME that you want to associate with the CloudFront distribution.
- Under Custom SSL certificate, choose the certificate that covers the domain. For more information, see How do I configure my CloudFront distribution to use an SSL/TLS certificate?
Note: An SSL certificate is required to associate a CNAME with a distribution. For more information see, Requirements for using alternate domain names. - Choose Save changes.
Did this article help?
Do you need billing or technical support?
AWS support for Internet Explorer ends on 07/31/2022. Supported browsers are Chrome, Firefox, Edge, and Safari.
Learn more »
How do I troubleshoot 403 errors from CloudFront?
Last updated: 2022-06-09
I’m using Amazon CloudFront to serve content. My users are receiving an HTTP 403 errors with the messages “The request could not be satisfied” or “Access Denied.” How can I troubleshoot this?
Resolution
An alternate CNAME is incorrectly configured
To use an alternate CNAME instead of the default CloudFront URL:
- Add the CNAME in your CloudFront distribution configuration.
- Create a CNAME record in your DNS to point the CNAME to CloudFront distribution URL.
If you create the DNS record but don’t add the CNAME in your CloudFront distribution configuration, then the request returns a 403 error. For instructions on configuring a custom CNAME, see Using custom URLs by adding alternate domain names (CNAMEs).
AWS WAF is configured on CloudFront distribution or at the origin
CloudFront can’t distinguish between an HTTP status code 403 that’s returned by your origin and one that’s returned by AWS WAF when a request is blocked.
To find the source of the 403 status code, check your AWS WAF web access control list (ACL) rule for a blocked request. For more information, see Testing web ACLs.
A custom origin is returning the 403 error
A 403 error might be caused by an AWS WAF or custom firewall configuration made at the origin. To troubleshoot, make the request directly to the origin. If you can replicate the error without CloudFront, then the origin is causing the 403 error.
If the error is caused by the custom origin, then check the origin logs to identify what might be causing the error.
An Amazon S3 origin returning 403 error
The error is caused by a signed URL or signed cookies configuration
Did this article help?
Do you need billing or technical support?
AWS support for Internet Explorer ends on 07/31/2022. Supported browsers are Chrome, Firefox, Edge, and Safari.
Learn more »
Check AWS WAF default action set to Web ACL
by Loredana Harsana
Loredana is a passionate writer with a keen interest in PC software and technology. She started off writing about mobile phones back when Samsung Galaxy S II was… read more
Published on January 17, 2023
Reviewed by
Alex Serban
After moving away from the corporate work-style, Alex has found rewards in a lifestyle of constant analysis, team coordination and pestering his colleagues. Holding an MCSA Windows Server… read more
- If CloudFront distribution is set to allow HTTPS requests, but the request has originated over HTTP.
- To fix this, you must check AWS WAF rules to ensure everything is set in action.
XINSTALL BY CLICKING THE DOWNLOAD FILE
This software will repair common computer errors, protect you from file loss, malware, hardware failure and optimize your PC for maximum performance. Fix PC issues and remove viruses now in 3 easy steps:
- Download Restoro PC Repair Tool that comes with Patented Technologies (patent available here).
- Click Start Scan to find Windows issues that could be causing PC problems.
- Click Repair All to fix issues affecting your computer’s security and performance
- Restoro has been downloaded by 0 readers this month.
If AWS CloudFront is coming up with the error message 403 Error – The request could not be satisfied. Request Blocked, then don’t worry. It can be fixed in no time.
Here, in this blog, we will discuss a way to fix this error right after talking about what caused this issue in the first place. Let’s get started!
What causes the 403 error the request could not be satisfied request blocked?
There could be a handful of reasons for the issue to occur. Here we have mentioned the popular ones:
- Permission blocked – If you don’t have the necessary permissions to access the content on the server, then you may get this error on CloudFront.
- SSL/TLS certificate misconfigured – If your CloudFront distribution has SSL/TLS certificate and it is not configured correctly, then you can encounter this issue.
- Configuration errors – If CloudFront is configured to block requests from an IP address, you might get a 403 error.
- Domain name not associated – If the requested alternate domain name is not related to CloudFront distribution, you might get this error.
- Action and Rule are not aligned – If the default action is set to Allow, but the request made matches to a rule which is set to Block. If the action is set to Block, but the rule is set to Allow.
How can I fix the 403 errors request could not be satisfied?
1. Modify the AWS WAF Rules if the default action is set to Allow
- Login to AWS Management Console. Go to the CloudFront console.
- Select the distribution ID that you want to modify or update.
- Switch to the General tab.
- Under Settings, locate the AWS WAF and select the web access control list related to the distribution.
- On the AWS WAF & Shield page, select Web ACLs from the left pane. Now, for AWS Region, choose Global (CloudFront) on the Web ACLs page.
- Go to the Web ACLs you need to review from the right pane.
- Switch to the Rules tab, and under Default web ACL action for requests that don’t match any rules header, make sure Action is set to Allow.
- Now check the request which returns with a request blocked error matches a rule that has set Action to Block.
- To fix this, you need to check the request made doesn’t match the conditions for AWS WAF rules that have Action set to Block. Click on the request that was blocked, and under If the request matches the statement, check for the same.
- If valid requests match the prerequisites for a rule that blocks requests, then edit the rule to allow the requests. To do that, click the Edit option.
- On the next page, scroll to find Action. Place a checkmark next to Allow and click Save.
- How to Disable Xbox Game Bar on Windows 10 [4 ways]
- 4 Ways to Disable Xbox Game Bar on Windows 11
2. Modify the AWS WAF Rules if the default action is set to Block
- Follow the steps mentioned above (1-6) to navigate to the Rules tab on the AWS WAF console.
- Under Default web ACL action for requests that don’t match any rules option, if the Action is set to Block, then check the request to ensure that it matches conditions for all the AWS WAF rules with Action set to Allow.
- You can create a rule if the valid request is not related to any current rules that have Action set to Allow. To do that, click on Add rules, then from the drop-down, select Add my own rules and rule groups.
- On the next page, go to the Statement section. For the Inspect field, choose Header.
- Fill in the details for the Header field name, Match type, and String to match.
- Choose Action to Allow. Click Add rule to confirm the changes.
So, in this way, you can fix the 403 error the request could not be satisfied error on CloudFront. Follow all the steps and let us know if it worked for you in the comments section below.
Still having issues? Fix them with this tool:
SPONSORED
If the advices above haven’t solved your issue, your PC may experience deeper Windows problems. We recommend downloading this PC Repair tool (rated Great on TrustPilot.com) to easily address them. After installation, simply click the Start Scan button and then press on Repair All.
Newsletter
I have a website with a single quote, which I am not able to browse, and few with the same character on same domain it’s getting redirected and I am able opens the URL.
l’Union-Européenne-Dans-l’Europe/xxxxx.html when removed the single quotes from url I am able to browse.
Result when tried to browse: 403 ERROR
The request could not be satisfied.
Request blocked. We can’t connect to the server for this app or website at this time. There might be too much traffic or a configuration error. Try again later, or contact the app or website owner.
If you provide content to customers through CloudFront, you can find steps to troubleshoot and help prevent this error by reviewing the CloudFront documentation.
Generated by cloudfront (CloudFront)
Request ID:
Note: checked on clodfront access logs I could find the log with error code 403, not much information other than URI results /l%27Union-Europ%25C3%25A9enne-Dans-l%27Europe/xxxxx.html
asked Jun 5, 2020 at 13:34
1
Check your CloudFront configuration. This will occur because of below reasons:
- The request is initiated over HTTP, but the CloudFront distribution is configured to only allow HTTPS requests.
- The requested alternate domain name (CNAME) isn’t associated with the CloudFront distribution.
You can refer this link also to resolve your issue: https://aws.amazon.com/premiumsupport/knowledge-center/resolve-cloudfront-bad-request-error/
Jeremy Caney
6,82354 gold badges48 silver badges74 bronze badges
answered Jun 5, 2020 at 16:57
6
Posting my solution here because this was an arduous, weekend-long issue for me, and the solution was not that obvious. As Mani Ezhumalai’s answer mentioned, the issue was alternate CNAME records needed.
In my case, it was www.example.com vs example.com. CloudFront requires both domains to be covered in the alternative domain names list, which requires a single AWS ACM SSL cert to cover both, as well as the appropriate CNAME records configured in the DNS.
answered Nov 14, 2021 at 22:17
NathanaelNathanael
9362 gold badges17 silver badges39 bronze badges
I had the same issue. It was WAF / Firewall which rejected the request. Try to disable that to verify.
answered Dec 23, 2021 at 13:38
guyrombguyromb
7538 silver badges15 bronze badges
WAF rules are blocking the request
You could navigate to AWS WAF > Web ACLs > yourWebACL and search for block under Sampled requests
Optionally navigate from cloudfront settings
ref this image
Then check in the sample request as given in the below pic
Read more about this modification at https://aws.amazon.com/premiumsupport/knowledge-center/cloudfront-error-request-blocked/?nc1=h_ls
Please don’t disable WAF as is, but either the rule, which prevents this URL from count instead of the default action (in your case the default action seems to be blocked).
- To modify the rule, navigate to AWS WAF > Web ACLs > rule > Edit rule
- and then toggle the control for specific rule under rules
answered Oct 17, 2022 at 6:27
Nafsin VkNafsin Vk
4314 silver badges8 bronze badges
AWS CloudFront returns “The request could not be satisfied” due to majorly two reasons.
Here, at Bobcares, we assist our customers with several AWS queries as part of our AWS Support Services.
Today, let us discuss the reasons and how we can fix them.
AWS CloudFront “The request could not be satisfied”
Most often, the error message states:
“The request could not be satisfied. Bad Request.”
Our Support Techs recommend using this troubleshooting method if we own the application or website that uses CloudFront to serve content to end-users.
However, if we come across this error while trying to view an application or access a website, we have to contact the provider or website owner for assistance.
The error message for the client can occur due to one of the following reasons:
- The request initiates over HTTP, but the CloudFront distribution allows only HTTPS requests.
- The requested alternate domain name (CNAME) does not associate with the CloudFront distribution.
Moving ahead, let us see how our Support Techs perform the resolution.
In order to allow HTTP requests, we follow these steps:
- Initially, we open the Amazon CloudFront console.
- Then we select the distribution that is returning the Bad Request error.
- After that, we select the Behaviors view where we can select the behavior that matches the request.
- Then, select Edit.
- For Viewer Protocol Policy, we select either HTTP and HTTPS or Redirect HTTP to HTTPS.
- Eventually, we click Yes, Edit.
On the other hand, to associate an alternate domain name (CNAME) with a distribution, we follow these steps:
- First, we open the Amazon CloudFront console.
- Then we select the distribution that returns the Bad Request error.
- After that, we select the General view > Edit.
- For Alternate Domain Names (CNAMEs), we enter the CNAME that we want to associate with the CloudFront distribution.
- Finally, we select Yes, Edit.
[Need further assistance? We are glad to assist]
Conclusion
In short, we saw how our Support Techs fix the CloudFront error for our customers.
PREVENT YOUR SERVER FROM CRASHING!
Never again lose customers to poor server speed! Let us help you.
Our server experts will monitor & maintain your server 24/7 so that it remains lightning fast and secure.
GET STARTED
Hi,
i’m having trouble with some flows with the «create new task»-function…
Everytimes i’m getting this error message:
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <HTML><HEAD><META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1"> <TITLE>ERROR: The request could not be satisfied</TITLE> </HEAD><BODY> <H1>403 ERROR</H1> <H2>The request could not be satisfied.</H2> <HR noshade size="1px"> Request blocked. <BR clear="all"> <HR noshade size="1px"> <PRE> Generated by cloudfront (CloudFront) Request ID: 2I-eG3ASddfoMlKBwTH8eTL9hGVtF05ZlKIKv3siBDrub5Wt6BLKFg== </PRE> <ADDRESS> </ADDRESS> </BODY></HTML>
My test flow looks like:
I’ve reset the connection in the settings and at the ToDoIst website, deleted my browser cache and cookies. This is a new test flow. I have this problem since a few days with all my todoist-flows.
I’m getting this error even if i try to set my Project-ID:
And even if i try to paste my Project-ID (got it from todoist website) it doesn’t matter…
Could you help me?










