AWS

CloudFrontDistributionNotDisabled - CloudFront Distribution Not Disabled

Getting a **CloudFrontDistributionNotDisabled** error means you're trying to delete a CloudFront distribution that's still enabled. CloudFront requires a distribution to be disabled and fully deployed before it can be deleted. This client-side error (4xx) is returned when AWS validates the distribution's state before deletion. It is most common when the distribution is still enabled, but it also appears when the distribution isn't fully disabled, a deployment is still in progress, or the distribution's state isn't otherwise ready for deletion.

Common Causes

  • Identity: The IAM policy allows the CloudFront call, but the distribution is not disabled. A Service Control Policy (SCP) enforces distribution state.
  • Network: VPC endpoint CloudFront restrictions. The distribution is still enabled.
  • Limits: The distribution is still enabled. Deletion was attempted while the distribution was enabled. The distribution is not fully disabled. A deployment is still in progress. The distribution state is not ready for deletion.

Solutions

  1. Step 1: Diagnose - Check distribution status: `aws cloudfront get-distribution --id DIST_ID --query 'Distribution.[Status,DistributionConfig.Enabled]' --output table`. Verify whether the distribution is enabled.
  2. Step 2: Diagnose - Get distribution config: `aws cloudfront get-distribution-config --id DIST_ID > dist-config.json`. Extract the ETag and check the Enabled field.
  3. Step 3: Diagnose - Disable distribution: Edit the config, keeping only the DistributionConfig object that update-distribution expects: `jq '.DistributionConfig | .Enabled = false' dist-config.json > dist-config-disabled.json`. Update the distribution: `aws cloudfront update-distribution --id DIST_ID --distribution-config file://dist-config-disabled.json --if-match ETAG`.
  4. Step 4: Fix - Wait for deployment: Monitor status: `while true; do STATUS=$(aws cloudfront get-distribution --id DIST_ID --query 'Distribution.Status' --output text); if [ "$STATUS" = "Deployed" ]; then break; fi; sleep 30; done`. Verify the distribution is disabled and deployed.
  5. Step 5: Fix - Delete distribution: Get the new ETag: `aws cloudfront get-distribution-config --id DIST_ID --query 'ETag' --output text`. Delete the distribution: `aws cloudfront delete-distribution --id DIST_ID --if-match NEW_ETAG`.
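
The decision these five steps encode, as an added Python example that is not from the original page: given the parsed JSON that `aws cloudfront get-distribution` prints, it returns the next action and, when disabling, the bare DistributionConfig payload plus the ETag for `--if-match`. The function names are hypothetical and the sample response is constructed and trimmed to the fields the code reads.

```python
import copy
import json

def next_step(response: dict) -> dict:
    """Decide the next step from a parsed `get-distribution` response."""
    etag = response["ETag"]
    dist = response["Distribution"]
    config = dist["DistributionConfig"]

    if config["Enabled"]:
        # update-distribution takes the bare DistributionConfig object,
        # not the wrapper that also carries the ETag.
        payload = copy.deepcopy(config)
        payload["Enabled"] = False
        return {"action": "disable", "if_match": etag, "payload": payload}

    if dist["Status"] != "Deployed":
        # Disabled, but the change is still propagating: not ready for deletion.
        return {"action": "wait", "status": dist["Status"]}

    # Disabled and deployed: delete using the current ETag.
    return {"action": "delete", "if_match": etag}

# Constructed sample, trimmed to the fields this example reads.
SAMPLE = json.loads("""
{"ETag": "E2EXAMPLEETAG",
 "Distribution": {"Id": "E1234567890ABC", "Status": "Deployed",
   "DistributionConfig": {"CallerReference": "constructed-ref",
                          "Comment": "constructed sample", "Enabled": true}}}
""")

def with_state(enabled: bool, status: str) -> dict:
    """Return a copy of SAMPLE in the given state (helper for the demo)."""
    response = copy.deepcopy(SAMPLE)
    response["Distribution"]["Status"] = status
    response["Distribution"]["DistributionConfig"]["Enabled"] = enabled
    return response

if __name__ == "__main__":
    states = [(True, "Deployed"), (False, "InProgress"), (False, "Deployed")]
    for enabled, status in states:
        plan = next_step(with_state(enabled, status))
        print(f"Enabled={enabled} Status={status} -> {plan['action']}")
```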

Code Examples

Disable CloudFront Distribution Before Deletion

```bash
#!/bin/bash
DIST_ID="E1234567890ABC"

echo "=== Disabling CloudFront Distribution ==="
echo "Distribution ID: ${DIST_ID}"

# Get distribution config; the response is {"ETag": ..., "DistributionConfig": {...}}
printf '\n=== Getting Distribution Config ===\n'
aws cloudfront get-distribution-config --id "${DIST_ID}" > dist-config.json || exit 1

# Get current ETag from the same response so it matches the saved config
ETAG=$(jq -r '.ETag' dist-config.json)

echo "ETag: ${ETAG}"

# Disable distribution: keep only the DistributionConfig object,
# because update-distribution rejects the ETag wrapper
printf '\n=== Updating Config to Disable ===\n'
jq '.DistributionConfig | .Enabled = false' dist-config.json > dist-config-disabled.json

# Update distribution
if aws cloudfront update-distribution \
  --id "${DIST_ID}" \
  --distribution-config file://dist-config-disabled.json \
  --if-match "${ETAG}" \
  --output json; then
  printf '\n✓ Distribution update initiated\n'
  echo "Waiting for deployment to complete..."
else
  printf '\n✗ Failed to update distribution\n'
  exit 1
fi
```

Wait for Distribution Deployment and Delete

```bash
#!/bin/bash
DIST_ID="E1234567890ABC"

echo "=== Waiting for Distribution Deployment ==="
echo "Distribution ID: ${DIST_ID}"

# Wait for deployment to complete
MAX_WAIT=1800  # 30 minutes
WAITED=0

while [ "${WAITED}" -lt "${MAX_WAIT}" ]; do
  STATUS=$(aws cloudfront get-distribution --id "${DIST_ID}" \
    --query 'Distribution.Status' \
    --output text 2>/dev/null)

  # This loop checks deployment status only, not the Enabled flag
  if [ "${STATUS}" = "Deployed" ]; then
    printf '\n✓ Distribution is deployed\n'
    break
  fi

  echo "Status: ${STATUS}, waiting... (${WAITED}s)"
  sleep 30
  WAITED=$((WAITED + 30))
done

if [ "${STATUS}" = "Deployed" ]; then
  printf '\n=== Deleting Distribution ===\n'
  # The ETag changed when the distribution was updated, so fetch it again
  NEW_ETAG=$(aws cloudfront get-distribution-config --id "${DIST_ID}" \
    --query 'ETag' \
    --output text)

  if aws cloudfront delete-distribution \
    --id "${DIST_ID}" \
    --if-match "${NEW_ETAG}" \
    --output json; then
    printf '\n✓ Distribution deletion initiated\n'
  else
    printf '\n✗ Failed to delete distribution (CloudFrontDistributionNotDisabled)\n'
    exit 1
  fi
else
  printf '\n✗ Timeout waiting for deployment\n'
  exit 1
fi
```

Provider Information

This error code is specific to AWS services. For more information, refer to the official AWS documentation.
