Troubleshooting Common Issues

Fixes for typical problems when deploying static sites to AWS S3 + CloudFront

403 Forbidden when accessing the site

Cause: Most commonly, the OAC bucket policy is not attached correctly, or the policy contains the wrong CloudFront distribution ID.

Solution:
1. Check that the bucket policy allows the CloudFront service
2. Verify that SourceArn matches your distribution ARN
3. Make sure the bucket is private (Block Public Access enabled)

# Re-apply bucket policy via CLI (after editing)
aws s3api put-bucket-policy --bucket your-bucket-name --policy file://policy.json

404 Not Found – index.html not loading

Cause: The index document is not set, or the files were not uploaded correctly.

Solution:
1. Confirm index.html exists in the bucket root
2. Set the index document in the S3 static hosting settings
3. Re-sync files: aws s3 sync out/ s3://bucket --delete

aws s3 website s3://your-bucket-name/ --index-document index.html --error-document 404.html

Changes not visible – old version still showing

Cause: The CloudFront cache was not invalidated after the upload.

Solution: Create an invalidation to force a refresh (can take 5–30 min).

aws cloudfront create-invalidation --distribution-id YOUR_DISTRIBUTION_ID --paths '/*'

Site loads over HTTP instead of HTTPS

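Cause: Viewer Protocol Policy is not set to Redirect HTTP to HTTPS.

Solution: In the CloudFront distribution → Behaviors → Edit → change Viewer Protocol Policy to 'Redirect HTTP to HTTPS'.

# CLI update: fetch the current config and its ETag, set ViewerProtocolPolicy in the DistributionConfig, then send it back
aws cloudfront get-distribution-config --id YOUR_DISTRIBUTION_ID > current.json
# Copy the DistributionConfig object from current.json into dist-config.json with DefaultCacheBehavior.ViewerProtocolPolicy set to "redirect-to-https"; use the ETag value from current.json for --if-match
aws cloudfront update-distribution --id YOUR_DISTRIBUTION_ID --if-match ETAG --distribution-config file://dist-config.json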

Direct S3 URL still works (bypassing CloudFront)

Cause: The bucket is public, or OAC is not enforced.

Solution:
1. Make sure Block Public Access is enabled, not disabled
2. Remove any public bucket policy statements
3. Confirm OAC is attached to the distribution origin

aws s3api get-bucket-policy --bucket your-bucket-name   # check current policy
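
The bucket-policy checks from the 403 section and from this section can be run offline against the policy JSON. The following is an added example, not part of the original guide; the function names and the sample policy (including the account ID and distribution ID) are constructed placeholders.

```python
import json

# Constructed sample values (placeholder account and distribution IDs)
BUCKET = "your-bucket-name"
DIST_ARN = "arn:aws:cloudfront::111122223333:distribution/EDFDVBD6EXAMPLE"
SAMPLE = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"Service": "cloudfront.amazonaws.com"},
    "Action": "s3:GetObject", "Resource": f"arn:aws:s3:::{BUCKET}/*",
    "Condition": {"StringEquals": {"AWS:SourceArn": DIST_ARN}}}]}

def _as_list(value):
    """Policy fields may hold one value or a list of values."""
    return [] if value is None else value if isinstance(value, list) else [value]

def check_oac_policy(policy_json, bucket, distribution_arn):
    """Return a list of findings; an empty list means the OAC pattern is met."""
    findings, oac_seen = [], False
    for i, st in enumerate(_as_list(json.loads(policy_json).get("Statement"))):
        if st.get("Effect") != "Allow":
            continue
        principal = st.get("Principal")
        wildcard = principal == "*" or (
            isinstance(principal, dict) and "*" in _as_list(principal.get("AWS")))
        if wildcard and not st.get("Condition"):
            findings.append(f"statement {i}: public Allow without Condition")
            continue
        if not (isinstance(principal, dict) and
                "cloudfront.amazonaws.com" in _as_list(principal.get("Service"))):
            continue
        oac_seen = True
        if "s3:GetObject" not in _as_list(st.get("Action")):  # exact match only
            findings.append(f"statement {i}: s3:GetObject not listed explicitly")
        if f"arn:aws:s3:::{bucket}/*" not in _as_list(st.get("Resource")):
            findings.append(f"statement {i}: Resource does not cover {bucket}/*")
        # Condition keys are case-insensitive; collect every aws:SourceArn value
        arns = [a for op in st.get("Condition", {}).values()
                for key, val in op.items() if key.lower() == "aws:sourcearn"
                for a in _as_list(val)]
        if not arns:
            findings.append(f"statement {i}: no AWS:SourceArn condition")
        elif distribution_arn not in arns:
            findings.append(f"statement {i}: SourceArn {arns} is not {distribution_arn}")
    if not oac_seen:
        findings.append("no Allow statement for cloudfront.amazonaws.com")
    return findings

if __name__ == "__main__":
    print(check_oac_policy(json.dumps(SAMPLE), BUCKET, DIST_ARN))
```

To check a live bucket, pass it the output of `aws s3api get-bucket-policy --bucket your-bucket-name --query Policy --output text` together with your own bucket name and distribution ARN.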

Quick Debugging Checklist

  • Check CloudFront distribution status = Deployed
  • Confirm bucket name & region match
  • Test direct CloudFront URL (d123...cloudfront.net)
  • Use browser DevTools → Network tab to see 403/404 responses
  • Invalidate cache after every change (/* paths)