An Amazon IP reputation list rule group or Anonymous IP list rule group is blocking my legitimate requests. I want to allow my IP address.
Resolution
You can't directly remove IP addresses from the Amazon IP reputation list rule group or from the Anonymous IP list rule group.
To allow specific IP addresses that these lists block, create an IP set that contains those addresses, and then use it in either a scope-down statement on the rule group or in your own rule that matches the labels the rule group adds to web requests.
Scope-down statements
Add a scope-down statement to the AWS Managed Rules rule group that's blocking your requests so that the rule group inspects only requests whose source IP address isn't in your IP set. Requests from your IP set skip the rule group entirely and continue to the next rule in the web ACL.
Complete the following steps:
- Open the AWS WAF console.
- In the navigation pane, under AWS WAF, choose Web ACLs.
- For Region, select the Region where you created your web ACL.
Note: If your web ACL is set up for CloudFront, then select Global (CloudFront).
- Select your web ACL.
- Under Rules, select the AWS Managed Rules rule group that's blocking your requests, and then choose Edit.
- For Scope of Inspection - optional, select Only requests that match a scope-down statement.
- For If a request, select doesn't match the statement (NOT). With this setting, the rule group inspects a request only when the statement below doesn't match it.
- Under Statement, for Inspect, select Originates from IP address in.
- For IP Set, select your IP set.
- For IP address to use as the originating address, select Source IP address.
Note: Source IP address is the address of the TCP connection that reaches AWS WAF. If your clients reach the web ACL through a proxy or load balancer that adds the client address to a header such as X-Forwarded-For, then the source IP is the proxy's address. In that case, select IP address in header and specify the header name instead.
- Choose Save rule.
It's a best practice to test the change in a non-production environment with the rule group's override action set to Count. Use Amazon CloudWatch metrics, AWS WAF sampled requests, or AWS WAF logs to confirm that requests from your IP set no longer match the rule group. After you've tested the change, turn off the Count override so that the rule group's Block actions apply again.
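The scope-down configuration above expressed as the wafv2 rule JSON you would place in the web ACL's Rules array (for example with `aws wafv2 update-web-acl` or in CloudFormation), together with a local check of which source addresses the rule group would still inspect. This is an added example, not code from the AWS article: the IP set ARN and the allow-list CIDRs are placeholders, and `count_mode` is a parameter added here to show the Count-first testing setting.

```python
"""Added example (not from the AWS article): the scope-down statement as wafv2
rule JSON, plus a local evaluation of which requests the rule group inspects.

Assumptions (placeholders, not values from the article):
  - IP_SET_ARN is a made-up ARN for the IP set you created.
  - ALLOWED_CIDRS is a constructed allow-list standing in for the IP set's contents.
"""
import ipaddress
import json

IP_SET_ARN = ("arn:aws:wafv2:us-east-1:123456789012:regional/ipset/allowed-ips/"
              "00000000-0000-0000-0000-000000000000")
ALLOWED_CIDRS = ["203.0.113.0/24", "198.51.100.7/32"]  # constructed (TEST-NET ranges)


def ip_reputation_rule_with_scope_down(ip_set_arn, priority=0, count_mode=False):
    """Rule that references AWSManagedRulesAmazonIpReputationList and inspects
    only requests whose source IP is NOT in the IP set. count_mode=True is the
    "test with the Action set to Count" configuration from the article."""
    return {
        "Name": "AWS-AWSManagedRulesAmazonIpReputationList",
        "Priority": priority,
        "Statement": {
            "ManagedRuleGroupStatement": {
                "VendorName": "AWS",
                "Name": "AWSManagedRulesAmazonIpReputationList",
                # Scope of Inspection: "doesn't match the statement (NOT)"
                "ScopeDownStatement": {
                    "NotStatement": {
                        "Statement": {
                            # "Originates from IP address in" with "Source IP address":
                            # no IPSetForwardedIPConfig, so the connection's source
                            # IP is compared against the IP set.
                            "IPSetReferenceStatement": {"ARN": ip_set_arn}
                        }
                    }
                },
            }
        },
        # None keeps the rule group's own Block actions; Count overrides them
        # so that matches are only counted and logged while you test.
        "OverrideAction": {"Count": {}} if count_mode else {"None": {}},
        "VisibilityConfig": {
            "SampledRequestsEnabled": True,
            "CloudWatchMetricsEnabled": True,
            "MetricName": "AWS-AWSManagedRulesAmazonIpReputationList",
        },
    }


def in_ip_set(source_ip, cidrs):
    addr = ipaddress.ip_address(source_ip)
    return any(addr in ipaddress.ip_network(c) for c in cidrs)


def rule_group_inspects(source_ip, cidrs=ALLOWED_CIDRS):
    """Evaluate the scope-down statement locally: NOT(source IP in IP set).
    True means the rule group inspects the request; False means it skips it."""
    return not in_ip_set(source_ip, cidrs)


if __name__ == "__main__":
    print(json.dumps(ip_reputation_rule_with_scope_down(IP_SET_ARN), indent=2))
    for ip in ("203.0.113.10", "198.51.100.7", "192.0.2.44"):
        print(ip, "inspected by rule group:", rule_group_inspects(ip))
```

Because requests from the IP set skip the whole rule group, every rule in the group is bypassed for those addresses, not only the one that was blocking you; the label-based approach below is the option when you want to keep that narrower.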
Labels on web requests
Labels allow a rule that matches a request to pass that result to rules that are evaluated later in the same web ACL. With this option, you override only the rule that's blocking you so that it counts and labels instead of blocks, and then add your own rule that blocks labeled requests unless they come from your IP set. The rule group's other rules keep working unchanged, and you can reuse the same label logic across multiple rules.
Override the blocking rule's action to Count
Complete the following steps:
- Open the AWS WAF console.
- In the navigation pane, under AWS WAF, choose Web ACLs.
- For Region, select the Region where you created your web ACL.
Note: If your web ACL is set up for CloudFront, then select Global (CloudFront).
- Select your web ACL.
- Under Rules, select the AWS Managed Rules rule group that's blocking your requests, and then choose Edit.
- Under Rules, for the rule that's blocking your requests (for example, AWSManagedIPReputationList in the Amazon IP reputation list rule group, or AnonymousIPList in the Anonymous IP list rule group), set the action override to Count. Leave the rule group's other rules unchanged so that they continue to block.
- Choose Save rule.
Create a rule that's evaluated after the AWS Managed Rules rule group
Complete the following steps:
- Open the AWS WAF console.
- In the navigation pane, under AWS WAF, choose Web ACLs.
- For Region, select the Region where you created your web ACL.
Note: If your web ACL is set up for CloudFront, then select Global (CloudFront).
- Select your web ACL.
- Under Rules, choose Add Rules, and then choose Add my own rules and rule groups.
- For Name, enter a rule name, and then choose Regular Rule.
- For If a request, choose matches all the statements (AND).
- On Statement 1, do the following:
For Inspect, choose Has a label.
For Match scope, choose Label.
For Match key, select the label that the AWS Managed Rules rule group's rule adds to the requests it's blocking (for example, awswaf:managed:aws:amazon-ip-list:AWSManagedIPReputationList or awswaf:managed:aws:anonymous-ip-list:AnonymousIPList).
- On Statement 2, do the following:
For Negate statement (NOT), choose Negate statement results.
For Inspect, choose Originates from IP address in.
For IP set, select your IP set.
For IP address to use as the originating address, choose Source IP address.
- For Action, choose Block.
- Choose Add Rule.
- For Set rule priority, give the rule a higher priority number than the AWS Managed Rules rule group. AWS WAF evaluates rules from the lowest priority number to the highest, and a label exists only after the rule that adds it has run, so a label-match rule that's evaluated before the rule group never matches.
- Choose Save.
Note: The HostingProviderIPList rule in the Anonymous IP list rule group blocks requests that originate from hosting providers and other cloud providers. If your legitimate clients run in such a provider, then set this rule's action to Count as well, and use its label in the same way.
It's a best practice to test the new rule in a non-production environment with its Action set to Count. Use CloudWatch metrics, AWS WAF sampled requests, or AWS WAF logs to confirm that the rule matches the labeled requests you expect and none from your IP set. After you've tested the rule, change its Action to Block.
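The label-based configuration above as wafv2 rule JSON, with a small simulation of web ACL evaluation order that shows why the label-match rule has to run after the managed rule group. This is an added example, not code from the AWS article: the IP set ARN, the allow-list contents, and the addresses the reputation rule is assumed to flag are all placeholders (the real list is maintained by AWS and isn't published), and `evaluate` understands only the statement types used here. The label key and rule name are the documented ones for AWSManagedIPReputationList.

```python
"""Added example (not from the AWS article): the label-based approach as wafv2
rule JSON, plus a simulation of web ACL evaluation order.

Assumptions (placeholders, not values from the article):
  - IP_SET_ARN is a made-up ARN for the IP set of addresses to allow.
  - IP_SETS maps that ARN to a constructed allow-list standing in for its contents.
  - REPUTATION_CIDRS is a constructed stand-in for addresses that the managed
    rule AWSManagedIPReputationList would flag.
"""
import ipaddress

IP_SET_ARN = ("arn:aws:wafv2:us-east-1:123456789012:regional/ipset/allowed-ips/"
              "00000000-0000-0000-0000-000000000000")
IP_SETS = {IP_SET_ARN: ["203.0.113.0/24"]}              # constructed allow-list (TEST-NET-3)
REPUTATION_CIDRS = ["203.0.113.0/24", "192.0.2.0/24"]  # constructed; overlaps the allow-list on purpose
MANAGED_RULE = "AWSManagedIPReputationList"
REPUTATION_LABEL = "awswaf:managed:aws:amazon-ip-list:" + MANAGED_RULE


def _visibility(name):
    return {"SampledRequestsEnabled": True, "CloudWatchMetricsEnabled": True, "MetricName": name}


def managed_group_rule(priority, count_override=True):
    """Reference the rule group; with count_override, only the blocking rule is
    overridden to Count. A counted rule still adds its label to the request."""
    statement = {"VendorName": "AWS", "Name": "AWSManagedRulesAmazonIpReputationList"}
    if count_override:
        statement["RuleActionOverrides"] = [{"Name": MANAGED_RULE, "ActionToUse": {"Count": {}}}]
    return {
        "Name": "AWS-AWSManagedRulesAmazonIpReputationList",
        "Priority": priority,
        "Statement": {"ManagedRuleGroupStatement": statement},
        "OverrideAction": {"None": {}},
        "VisibilityConfig": _visibility("AWS-AWSManagedRulesAmazonIpReputationList"),
    }


def label_block_rule(priority, ip_set_arn):
    """Regular rule: has the reputation label AND source IP NOT in the IP set -> Block."""
    return {
        "Name": "block-ip-reputation-except-allowlist",
        "Priority": priority,
        "Statement": {"AndStatement": {"Statements": [
            {"LabelMatchStatement": {"Scope": "LABEL", "Key": REPUTATION_LABEL}},
            {"NotStatement": {"Statement": {"IPSetReferenceStatement": {"ARN": ip_set_arn}}}},
        ]}},
        "Action": {"Block": {}},
        "VisibilityConfig": _visibility("block-ip-reputation-except-allowlist"),
    }


def _in_cidrs(ip, cidrs):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c) for c in cidrs)


def _match(stmt, source_ip, labels):
    """Evaluate the subset of wafv2 statements used above against one request."""
    if "LabelMatchStatement" in stmt:
        return stmt["LabelMatchStatement"]["Key"] in labels
    if "IPSetReferenceStatement" in stmt:
        return _in_cidrs(source_ip, IP_SETS[stmt["IPSetReferenceStatement"]["ARN"]])
    if "NotStatement" in stmt:
        return not _match(stmt["NotStatement"]["Statement"], source_ip, labels)
    if "AndStatement" in stmt:
        return all(_match(s, source_ip, labels) for s in stmt["AndStatement"]["Statements"])
    raise ValueError("unsupported statement: %s" % list(stmt))


def evaluate(source_ip, rules):
    """Walk the rules lowest priority number first, as AWS WAF does. Returns
    'BLOCK' when a blocking rule matches, else 'ALLOW' (the default action)."""
    labels = set()
    for rule in sorted(rules, key=lambda r: r["Priority"]):
        stmt = rule["Statement"]
        if "ManagedRuleGroupStatement" in stmt:
            if not _in_cidrs(source_ip, REPUTATION_CIDRS):
                continue                      # simulated: the reputation rule didn't match
            labels.add(REPUTATION_LABEL)      # the rule labels the request whether it counts or blocks
            overrides = stmt["ManagedRuleGroupStatement"].get("RuleActionOverrides", [])
            if not any(o["Name"] == MANAGED_RULE and "Count" in o["ActionToUse"] for o in overrides):
                return "BLOCK"                # no override: the rule group's own Block applies
        elif _match(stmt, source_ip, labels) and "Block" in rule["Action"]:
            return "BLOCK"
    return "ALLOW"


if __name__ == "__main__":
    correct = [managed_group_rule(0), label_block_rule(1, IP_SET_ARN)]
    wrong = [label_block_rule(0, IP_SET_ARN), managed_group_rule(1)]   # label rule runs first
    for ip in ("203.0.113.10", "192.0.2.9", "198.51.100.1"):
        print(ip, "correct order:", evaluate(ip, correct), " label rule first:", evaluate(ip, wrong))
```

In the correct order, the allow-listed 203.0.113.10 is labeled but not blocked, 192.0.2.9 is still blocked, and 198.51.100.1 passes. With the label rule given the lower priority number it runs before any label exists, so it never matches and the counted rule group blocks nobody, which is the silent failure the priority step guards against.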