Fix 403 CloudFront CNAME Error (www Not Working) – 2026 Guide


Cloud Edventures

about 1 month ago · 5 min


Getting a 403 Forbidden error when accessing your website via www.yourdomain.com through CloudFront?

This is one of the most common AWS misconfigurations.

If your root domain works but www does not — or you see a 403 error — this guide will walk you through the exact fixes.


Why CloudFront Returns 403 for CNAME

A 403 error usually means one of the following:

  • The CNAME is not added to the CloudFront distribution
  • The SSL certificate does not include the www domain
  • The S3 bucket policy blocks CloudFront
  • DNS records are misconfigured
  • Origin configuration is incorrect

Let’s fix it step by step.


Step 1: Add www to Alternate Domain Names (CNAME)

Go to your CloudFront distribution:

  • Open Settings
  • Find Alternate Domain Names (CNAMEs)
  • Add: www.yourdomain.com

If this is missing, CloudFront will reject the request with 403.


Step 2: Verify SSL Certificate Covers www

Go to AWS Certificate Manager (ACM):

  • Ensure the certificate includes both:
    • yourdomain.com
    • www.yourdomain.com

If the certificate only covers the root domain, www will fail.

Important: The certificate must be created in us-east-1 for CloudFront.


Step 3: Check Route 53 DNS Records

You should have:

  • A record (Alias) → CloudFront (for root domain)
  • A record (Alias) → CloudFront (for www)

If using CNAME instead of Alias, verify it points to the CloudFront distribution domain.


Step 4: Check S3 Bucket Policy (If Using S3 Origin)

If your origin is an S3 bucket:

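  • Ensure the bucket policy grants CloudFront access
  • Use Origin Access Control (OAC) or Origin Access Identity (OAI)
  • Make sure the bucket's access settings do not block CloudFront. With OAC or OAI the bucket does not need to be public: the bucket policy grants read access to CloudFront only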

Improper bucket policies often cause 403 errors.


Step 5: Verify Default Root Object

In CloudFront settings:

  • Check Default Root Object
  • Set it to: index.html

If not configured, CloudFront may return 403 for directory requests.


Step 6: Clear CloudFront Cache

After making changes:

  • Create an invalidation
  • Use /* to clear all paths

Cached errors can persist even after fixing configuration.


Common Real-World Scenario

Root domain works.

www returns 403.

Most likely causes:

  • www not added as alternate domain
  • SSL certificate missing www

Fixing those resolves the issue in most cases.


Quick Troubleshooting Checklist

  • www added in CloudFront CNAME
  • ACM certificate includes www
  • Certificate is in us-east-1
  • DNS points to CloudFront
  • S3 bucket policy allows access
  • Cache invalidated
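
The checklist as an offline check, added here as an example (not code from the original article): it audits a distribution config in the shape returned by `aws cloudfront get-distribution-config`, plus the certificate's `SubjectAlternativeNames` from `aws acm describe-certificate`. The function names, sample values and account ID are constructed; DNS records and the bucket policy itself are not checked.

```python
# Added example: offline audit of a CloudFront DistributionConfig.
# Field names follow the CloudFront and ACM API output; sample values are constructed.

def covers(pattern, host):
    """True if a certificate SAN or CloudFront alias matches host.
    A wildcard matches exactly one left-most label: *.example.com covers
    www.example.com but not example.com or a.b.example.com."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern.startswith("*."):
        label, _, parent = host.partition(".")
        return bool(label) and parent == pattern[2:]
    return pattern == host

def audit(config, cert_sans, hostnames):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    aliases = config.get("Aliases", {}).get("Items") or []
    arn = config.get("ViewerCertificate", {}).get("ACMCertificateArn", "")
    for host in hostnames:
        if not any(covers(a, host) for a in aliases):
            findings.append(f"{host}: not in Alternate Domain Names")
        if not any(covers(s, host) for s in cert_sans):
            findings.append(f"{host}: not covered by the certificate")
    # ARN layout: arn:aws:acm:<region>:<account>:certificate/<id>
    parts = arn.split(":")
    if len(parts) < 6 or parts[3] != "us-east-1":
        findings.append("certificate is not an ACM certificate in us-east-1")
    if not config.get("DefaultRootObject"):
        findings.append("Default Root Object is not set")
    for origin in config.get("Origins", {}).get("Items") or []:
        if "S3OriginConfig" not in origin:
            continue  # custom (non-S3) origin: step 4 does not apply
        oai = origin["S3OriginConfig"].get("OriginAccessIdentity")
        if not (origin.get("OriginAccessControlId") or oai):
            findings.append(f"origin {origin['Id']}: no OAC or OAI attached")
    return findings

# Constructed sample: the "root works, www returns 403" scenario.
SAMPLE_CONFIG = {
    "Aliases": {"Quantity": 1, "Items": ["yourdomain.com"]},
    "ViewerCertificate": {"ACMCertificateArn":
        "arn:aws:acm:us-east-1:123456789012:certificate/EXAMPLE-ID"},
    "DefaultRootObject": "index.html",
    "Origins": {"Quantity": 1, "Items": [{"Id": "s3-site",
        "OriginAccessControlId": "E2EXAMPLEOAC",
        "S3OriginConfig": {"OriginAccessIdentity": ""}}]},
}
SAMPLE_SANS = ["yourdomain.com"]
HOSTS = ["yourdomain.com", "www.yourdomain.com"]
```

Running `audit(SAMPLE_CONFIG, SAMPLE_SANS, HOSTS)` reports only the two www findings, matching the common scenario above.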

Final Thoughts

CloudFront 403 CNAME errors are almost always configuration issues.

Understanding how DNS, SSL, and origins connect is critical for real-world cloud deployments.

The more you deploy production infrastructure, the easier these debugging steps become.


Written by Cloud Edventures
