403
policy
network_error
ai_generated
true
AccessDenied: The request could not be satisfied. CloudFront attempted to establish a connection with the origin, but the request was blocked by the geo-restriction policy.
ID: policy/cloudfront-georestriction-blocked-request
Fix rate: 80%
Confidence: 86%
Evidence count: 1
First seen: 2024-01-12
Version compatibility
| Version | Status | Introduced | Deprecated | Notes |
|---|---|---|---|---|
| AWS CloudFront | active | — | — | — |
| CloudFront geo-restriction feature | active | — | — | — |
Root cause analysis
The CloudFront distribution has a geo-restriction (whitelist or blacklist) configured, and the client's IP address originates from a country that is either not whitelisted or is blacklisted.
Official documentation
https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/georestrictions.html
Solutions
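- Update the CloudFront distribution's geo-restriction configuration to add the client's country to the whitelist or remove it from the blacklist.
- Use CloudFront Functions or Lambda@Edge to implement a custom geo whitelist, which gives finer-grained control.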
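A sketch of the custom geo allowlist option as a CloudFront Function on the viewer-request event. This is an added example, not code from the original page or from AWS. The country codes, path prefixes and the `x-geo-decision` header are constructed placeholders, and it assumes the `cloudfront-viewer-country` header is made available to the function through the distribution's cache or origin request policy.

```javascript
// Added example: per-path geo allowlist for a CloudFront Function
// (viewer-request trigger). All country lists and paths are constructed.
var DEFAULT_ALLOWED = ['US', 'CA', 'DE'];

// Longest matching prefix overrides the default (hypothetical paths).
var PATH_RULES = [
    { prefix: '/admin/', allowed: ['US'] },   // stricter than the default
    { prefix: '/public/', allowed: null }     // null = no geo limit
];

// Return the allowlist that applies to a URI, or null for "unrestricted".
function allowedFor(uri) {
    var best = null;
    for (var i = 0; i < PATH_RULES.length; i++) {
        var r = PATH_RULES[i];
        var longer = !best || r.prefix.length > best.prefix.length;
        if (uri.indexOf(r.prefix) === 0 && longer) best = r;
    }
    return best ? best.allowed : DEFAULT_ALLOWED;
}

// Build a 403 response; x-geo-decision is a hypothetical debugging header.
function deny(reason) {
    return {
        statusCode: 403,
        statusDescription: 'Forbidden',
        headers: {
            'cache-control': { value: 'no-store' },
            'x-geo-decision': { value: reason }
        }
    };
}

function handler(event) {
    var request = event.request;
    var allowed = allowedFor(request.uri);
    if (allowed === null) return request;

    var h = request.headers['cloudfront-viewer-country'];
    // Fail closed: a missing header means the policy cannot be evaluated.
    if (!h || !h.value) return deny('country-unknown');

    var country = h.value.toUpperCase();
    if (allowed.indexOf(country) === -1) return deny('country-blocked');
    return request; // pass the request through unchanged
}
```

Returning the request object forwards it unchanged; returning the response object short-circuits at the edge, so the origin never sees blocked requests.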
Ineffective attempts
Common but ineffective approaches:
- 90% failure: The geo-restriction is based on IP address, not client-side data; clearing cache has no effect.
- 50% failure: This works temporarily but violates the policy intent and may cause other issues (e.g., latency, compliance).