# AccessDenied: The request could not be satisfied. CloudFront attempted to establish a connection with the origin, but the request was blocked by the geo-restriction policy.

- **ID:** `policy/cloudfront-georestriction-blocked-request`
- **Domain:** policy
- **Category:** network_error
- **Error Code:** `403`
- **Verification:** ai_generated
- **Fix Rate:** 80%

## Root Cause

CloudFront distribution has a geo-restriction (whitelist or blacklist) configured, and the client's IP address originates from a country that is either not whitelisted or is blacklisted.

## Version Compatibility

| Version | Status | Introduced | Deprecated |
|---------|--------|------------|------------|
| AWS CloudFront | active | — | — |
| CloudFront geo-restriction feature | active | — | — |

## Workarounds

1. **Update the CloudFront distribution's geo-restriction configuration to include the client's country in the whitelist or remove it from the blacklist.** (85% success)
   ```
   Update the CloudFront distribution's geo-restriction configuration to include the client's country in the whitelist or remove it from the blacklist.
   ```
2. **Use CloudFront Functions or Lambda@Edge to implement a custom geo-allowlist with more granular control.** (80% success)
   ```
   Use CloudFront Functions or Lambda@Edge to implement a custom geo-allowlist with more granular control.
   ```

## Dead Ends

- **** — The geo-restriction is based on IP address, not client-side data; clearing cache has no effect. (90% fail)
- **** — This works temporarily but violates the policy intent and may cause other issues (e.g., latency, compliance). (50% fail)