WAF managed rules blocking SES incoming email notifications

Question

I use SES incoming email for a discussion groups feature.  When an email arrives, SES is configured to notify an SNS topic, which in turn POSTs to an HTTPS endpoint on my backend via a CloudFront distribution.
This stopped working some time between Dec 5 and 24: the POST from SNS was showing as 403 Forbidden / Error in the CloudFront logs.
After some trial and error, I discovered that by turning off the AWS WAF WindowsManagedRuleSet on my CloudFront distribution, I could fix the problem.
Has anyone else seen this?  It seems like an obvious false positive if AWS WAF rules are blocking AWS SESS notifications.

Answer

Hello, Chris,

I found this AWS document on mitigation of false positives in WAF (1) and how to override rules in the group to identify which is causing the issue.  I see 6 rules in the Windows Operating System managed rule in my own account.  You can set individual rules to "count" one at a time to identify which may be preventing your SNS topic from posting.  See the documentation link for details.

If you can identify the rule causing the issue and don't mind leaving it in "count", you can go that route.  Otherwise, if you have a CloudFront request Id (x-amz-cf-id), this can be investigated further via a support case.

---
** RESOURCES **

1. AWS Managed Rules for AWS WAF - https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups.html

WAF managed rules blocking SES incoming email notifications

Relevanter Inhalt