I have setup a lambda function url and cloudfront system
Redirect HTTP to HTTPSGET, HEADNoManaged-CachingDisabledAllViewerThe result however always return 403 Forbidden with this body
{ "Message": null }
And this header
X-cache: Error from cloudfront
x-amzn-ErrorType: AccessDeniedException
Is there any setting that I missed that cause this error? I already test direct hit using postman and browser to the function url an it works fine
UPDATE - In your Origin Request Policy, set the new AllViewerExceptHost managed policy. That will forward all viewer headers except the Host header. Recommend you pair this with the CachingDisabled managed Cache Policy.
The issue could be that you are forwarding the Host header to your origin (Lambda Function URLs) via the AllViewer Origin Request Policy (ORP) that is attached to your cache behavior.
Why does this happen? You are using the AllViewer origin request policy, which forwards all HTTP request headers received from the viewer to your origin. So when CloudFront handles a request for d123.cloudfront.net—or even example.com as a configured CNAME—CloudFront will forward that value in the Host HTTP request header to your Lambda Function URLs origin. Because there is no function URL that resolves to that name, Lambda cannot find the function and returns a 403 Access Denied.
How to resolve: Instead of attaching the AllViewer origin request policy, create a custom origin request policy that forwards only the headers you need. Importantly, do not forward the Host header. Once this is configured, CloudFront will use your origin's hostname as the Host header—which Lambda will be able to resolve.