403
policy
network_error
ai_generated
true
AccessDenied: The request could not be satisfied. CloudFront attempted to establish a connection with the origin, but the request was blocked by the geo-restriction policy.
ID: policy/cloudfront-georestriction-blocked-request
Fix Rate: 80%
Confidence: 86%
Evidence: 1
First Seen: 2024-01-12
Version Compatibility
| Version | Status | Introduced | Deprecated | Notes |
|---|---|---|---|---|
| AWS CloudFront | active | — | — | — |
| CloudFront geo-restriction feature | active | — | — | — |
Root Cause
The CloudFront distribution has a geo-restriction (whitelist or blacklist) configured, and the client's IP address originates from a country that is either not whitelisted or is blacklisted.
Official Documentation
https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/georestrictions.html
Workarounds
- 85% success: Update the CloudFront distribution's geo-restriction configuration to include the client's country in the whitelist or remove it from the blacklist.
- 80% success: Use CloudFront Functions or Lambda@Edge to implement a custom geo-allowlist with more granular control.
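The second workaround, as an added example (not code from the original page or from AWS): a viewer-request CloudFront Function that applies a different country allowlist per path prefix and fails closed when the country is unknown. It assumes the `CloudFront-Viewer-Country` header is made available to the function through the distribution's cache or origin request policy; the path prefixes and country codes are constructed placeholders.

```javascript
// Added example: per-path geo-allowlist for a viewer-request CloudFront Function.
// `var` and indexOf are used so the code also runs on the older Functions runtime.
// RULES entries are constructed placeholders; replace with your own paths and codes.
var RULES = [
    { prefix: '/admin/', allow: ['US'] },
    { prefix: '/downloads/', allow: ['US', 'CA', 'GB'] }
];
// null means "no geo check" for paths that match no rule.
var DEFAULT_ALLOW = null;

// Return the allowlist (ISO 3166-1 alpha-2 codes) for a URI, first match wins.
function allowedCountries(uri) {
    for (var i = 0; i < RULES.length; i++) {
        if (uri.indexOf(RULES[i].prefix) === 0) {
            return RULES[i].allow;
        }
    }
    return DEFAULT_ALLOW;
}

function handler(event) {
    var request = event.request;
    var allow = allowedCountries(request.uri);
    if (allow === null) {
        return request; // unrestricted path: pass through unchanged
    }

    // Header names are lowercase in the Functions event object.
    var header = request.headers['cloudfront-viewer-country'];
    var country = header && header.value ? header.value.toUpperCase() : '';
    if (country !== '' && allow.indexOf(country) !== -1) {
        return request;
    }

    // Fail closed: a missing header on a restricted path is treated as a deny,
    // so a misconfigured policy cannot silently open the path to every country.
    return {
        statusCode: 403,
        statusDescription: 'Forbidden',
        headers: { 'cache-control': { value: 'no-store' } },
        body: { encoding: 'text', data: 'Access from this location is not permitted.' }
    };
}
```

Keeping the distribution-level geo-restriction as a coarse outer list and using the function only for the stricter paths means a bug in the function cannot widen access beyond what the distribution already permits.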
Dead Ends
Common approaches that don't work:
- 90% fail: The geo-restriction is based on IP address, not client-side data; clearing cache has no effect.
- 50% fail: This works temporarily but violates the policy intent and may cause other issues (e.g., latency, compliance).