Error Medic

Resolving AWS EC2 403 Forbidden and 502 Bad Gateway Errors: A Comprehensive Guide

Fix AWS EC2 403 Forbidden and 502 Bad Gateway errors quickly. Step-by-step troubleshooting for IAM permissions, Security Groups, WAF, and ALB configurations.

Last updated:
Last verified:
1,206 words
Key Takeaways
  • AWS WAF blocking requests is the most common cause of sudden 403 Forbidden errors on EC2 instances behind an Application Load Balancer.
  • 502 Bad Gateway errors typically indicate that the web server (Nginx/Apache) on the EC2 instance is unreachable or crashing, often due to timeouts or connection refused issues.
  • Verify Security Group ingress rules and Network ACLs to ensure traffic from the ALB or internet is permitted to reach the EC2 instance.
  • Check the ALB Target Group health status; unhealthy targets will result in 502 or 504 errors.
  • IAM permission denied issues usually manifest when the EC2 instance attempts to access other AWS services without a properly configured Instance Profile.
Common EC2 Error Root Causes and Fix Approaches
Error Code / SymptomLikely ComponentDiagnostic ToolResolution Time
403 ForbiddenAWS WAF / ALBWAF Sampled Requests / ALB Access Logs10-15 mins
403 Permission DeniedIAM Role / S3 / KMSCloudTrail / IAM Policy Simulator15-30 mins
502 Bad GatewayEC2 Web Server (Nginx)EC2 /var/log/nginx/error.log5-20 mins
Connection RefusedSecurity Group / ProcessVPC Flow Logs / netstat10 mins
Timeout / ThrottlingEC2 Instance LimitsCloudWatch Metrics / dmesg20-40 mins

Understanding AWS EC2 403 Forbidden and 502 Bad Gateway Errors

Encountering a 403 Forbidden or 502 Bad Gateway error on an AWS EC2 instance can be frustrating, especially in a production environment. These HTTP status codes, along with related issues like connection refused, permission denied, or rate limit throttling, point to distinct communication breakdowns within your AWS infrastructure.

While a 403 Forbidden indicates that the server understood the request but refuses to authorize it, a 502 Bad Gateway suggests that a proxy or load balancer received an invalid response from the upstream EC2 instance.

Diagnosing '403 Forbidden' Errors

A 403 Forbidden error in an AWS context is rarely generated by the EC2 instance itself unless specifically configured by your application (e.g., directory listing disabled in Apache/Nginx). More commonly, this error originates from edge services or identity management.

1. AWS WAF (Web Application Firewall) Blocks

If your EC2 instance is behind an Application Load Balancer (ALB) or API Gateway integrated with AWS WAF, a 403 error often means a WAF rule is blocking the request. This could be due to rate limiting, geographic blocking, or SQL injection protections.

Diagnosis: Navigate to the AWS WAF Console and check the 'Sampled requests' or query WAF logs via CloudWatch/Athena. Look for requests with a block action.

2. S3 Bucket or CloudFront Origin Access

If your EC2 instance is trying to fetch assets from an S3 bucket and receives a 403, the IAM role attached to the EC2 instance (Instance Profile) likely lacks the s3:GetObject permission, or the bucket policy denies access.

3. ALB Routing Rules

An ALB can be configured to return a fixed 403 response based on listener rules (e.g., blocking specific host headers or paths). Review the ALB listener rules in the EC2 console.

Diagnosing '502 Bad Gateway' and 'Connection Refused'

A 502 Bad Gateway usually means the ALB or reverse proxy cannot communicate with the underlying application process on the EC2 instance.

1. Application Process Down or Connection Refused

The most common cause is that the web server (Nginx, Node.js, Gunicorn) has crashed or isn't listening on the expected port. The load balancer attempts to connect, the connection is refused, and it returns a 502.

Action: SSH into the instance and verify the service is running using systemctl status <service> or check listening ports with sudo netstat -tulpn.

2. Security Group and Network ACL Misconfigurations

If the ALB cannot reach the EC2 instance due to Security Group rules, it usually results in a 504 Gateway Timeout. However, if the connection is actively rejected (e.g., by local iptables on the instance), it might manifest as a 502. Ensure the EC2 Security Group allows inbound traffic from the ALB's Security Group on the application port.

3. Target Group Health Check Failures

If the EC2 instance fails ALB health checks, it will be deregistered. If all targets are unhealthy, the ALB may return a 502 Bad Gateway. Verify the health check path, port, and expected success codes in the Target Group settings.

Handling Rate Limits and Throttling

If you see API throttling or rate limit errors (429 Too Many Requests or AWS API throttling):

  • AWS API Throttling: If your EC2 instance is making too many calls to AWS services (e.g., DynamoDB, EC2 Describe API), you will hit account-level API limits. Implement exponential backoff in your application code.
  • Network Throttling: EC2 instances have network bandwidth limits based on their instance type. If you exceed these limits, packets are dropped, leading to timeouts and connection issues. Monitor the NetworkIn and NetworkOut CloudWatch metrics.

Step-by-Step Resolution Workflow

  1. Identify the Source: Look at the exact error response headers. Does it say Server: awselb (from ALB) or Server: nginx (from your instance)?
  2. Check Logs: Inspect /var/log/nginx/error.log or your application logs. If the request never reached the instance, the issue is at the ALB, WAF, or Security Group level.
  3. Validate Infrastructure: Review WAF web ACLs, ALB Target Group health, and EC2 Security Group inbound rules.
  4. Verify IAM: If the application logs show AccessDenied when calling AWS services, update the EC2 IAM Instance Profile.

Frequently Asked Questions

bash
# 1. Check if the local web server is listening on the expected port (e.g., 80 or 8080)
sudo netstat -tulpn | grep LISTEN

# 2. View the last 50 lines of the Nginx error log for 502/Connection Refused clues
sudo tail -n 50 /var/log/nginx/error.log

# 3. Test local application response to rule out ALB/WAF issues
curl -I http://localhost:80

# 4. Check instance IAM role metadata to verify attached permissions (IMDSv2)
TOKEN=`curl -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600"` \
&& curl -H "X-aws-ec2-metadata-token: $TOKEN" -v http://169.254.169.254/latest/meta-data/iam/info
E

Error Medic Editorial

Error Medic Editorial is a team of certified cloud architects and SREs dedicated to demystifying complex infrastructure issues. With decades of combined experience in AWS, Linux, and high-availability systems, we provide actionable, production-ready solutions.

Sources

Related Guides

Fixing AWS EC2 'Network is Unreachable': The Definitive Troubleshooting Guide
Resolve AWS EC2 'network is unreachable' errors by diagnosing VPC route tables, Internet Gateways, Security Groups, and OS-level network interfaces.
How to Fix AWS EC2 403 Forbidden and Permission Denied Errors
Resolve AWS EC2 403 Forbidden, 502 Bad Gateway, and connection refused errors by fixing IAM roles, security groups, and WAF rules. Step-by-step guide.
AWS CloudFront 403 Forbidden: Complete Troubleshooting Guide (Rate Limits, Timeouts & Fixes)
Fix AWS CloudFront 403 Forbidden errors fast. Step-by-step diagnosis covering S3 OAC misconfig, WAF blocks, geo-restrictions, signed URL expiry, and rate limits
AWS ECS 502 Bad Gateway: Complete Troubleshooting Guide
Fix AWS ECS 502 Bad Gateway errors fast. Covers health check misconfig, security group blocks, port mismatches, and timeout issues with exact CLI commands.