Why does AWS WAF block my request or respond with a 403 Forbidden error?


I want to identify the AWS WAF rule that's blocking my request or responding with a 403 Forbidden error.

Short description

If a request matches an AWS WAF rule with the Block action, then AWS WAF returns a 403 Forbidden error by default. If you set up custom responses for Block actions, then AWS WAF returns your configured response.

To troubleshoot the 403 Forbidden error, first identify the AWS WAF rule or rule group that's blocking the request. Then, modify the rule so that it allows your request without opening the web ACL to the traffic the rule was meant to stop. If the request doesn't appear with a Block action in sampled requests or in the AWS WAF logs, then AWS WAF isn't the source of the 403, and you must look elsewhere in the request path (for example, the origin).

Resolution

Identify the AWS WAF rule or rule group that's blocking the request

To identify the AWS WAF rule or rule group that's blocking requests, review the Sampled requests tab in the AWS WAF console or the AWS WAF logs.

View sampled requests

If your request was blocked within the past 3 hours, then you can view a sample of the blocked web requests. If AWS WAF blocked your request more than 3 hours ago, then resend the same request to generate a new sampled request. Note that sampled requests are a sample, not a complete record: on a busy web ACL, your specific request might not appear, in which case use the AWS WAF logs instead.

In the Sampled requests table, review the following columns:

  • The Source IP and URI columns to identify the request.
  • The Metric name column to identify the rule or rule group that matches the request. If a rule group is blocking the request, then use the Rule inside rule group column to identify the rule.
  • The Action column to confirm that the rule is set to Block.

View AWS WAF logs

If AWS WAF logging wasn't turned on at the time of your request, then turn on AWS WAF logging and resend the same request.

Query your AWS WAF logs to identify the blocked requests. Use Amazon CloudWatch Logs Insights to query AWS WAF logs that are stored in CloudWatch Logs. Use Amazon Athena to query AWS WAF logs that are stored in Amazon Simple Storage Service (Amazon S3).

CloudWatch Logs Insights example queries

To get the top 10 terminating rules, run the following query:

fields terminatingRuleId
| stats count() as requestCount by terminatingRuleId
| sort requestCount desc
| limit 10

To summarize blocked requests by client IP address, country, URI, and rule, run the following query:

fields httpRequest.clientIp as ClientIP, httpRequest.country as Country, httpRequest.uri as URI, terminatingRuleId as Rule
| filter action = "BLOCK"
| stats count() as RequestCount by Country, ClientIP, URI, Rule
| sort RequestCount desc

Note: The terminatingRuleId field identifies the AWS WAF rule or rule group that's blocking the request. When the terminating rule is a rule group (terminatingRuleType is GROUP or MANAGED_RULE_GROUP), terminatingRuleId is the name of the rule in your web ACL that references the group, and the specific rule inside the group that matched is recorded in the ruleGroupList array as terminatingRule.ruleId. Check that nested field before you change anything, so that you adjust only the one rule that's matching your request.
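When logs are exported from Amazon S3 or CloudWatch Logs and analyzed offline, the same summary that the queries above produce can be computed directly from the JSON records. The following script is an added example, not code from the original article or from AWS; it assumes newline-delimited AWS WAF log records with the documented fields (action, terminatingRuleId, terminatingRuleType, ruleGroupList, httpRequest), and the four sample records it processes are constructed for the example. Beyond the queries above, it also resolves the rule inside a rule group from ruleGroupList, which is the piece you need when a managed rule group is the terminating rule.

```python
"""Summarize AWS WAF BLOCK records from exported NDJSON log lines.

Added example. Assumes the AWS WAF log record format (action,
terminatingRuleId, terminatingRuleType, ruleGroupList, httpRequest).
The sample records below are constructed, not real traffic.
"""
import json
from collections import Counter

GROUP_TYPES = ("GROUP", "MANAGED_RULE_GROUP")


def _record(rule_id, rule_type, action, ip, country, uri, group_rule=None):
    """Build one constructed WAF log record as a JSON line."""
    rec = {
        "timestamp": 1700000000000,
        "formatVersion": 1,
        "webaclId": "arn:aws:wafv2:us-east-1:111122223333:regional/webacl/example/0",
        "terminatingRuleId": rule_id,
        "terminatingRuleType": rule_type,
        "action": action,
        "ruleGroupList": [],
        "httpRequest": {"clientIp": ip, "country": country, "uri": uri,
                        "httpMethod": "GET", "requestId": "constructed"},
    }
    if group_rule:  # rule group was terminating: record the inner rule
        rec["ruleGroupList"].append({
            "ruleGroupId": "AWS#AWSManagedRulesCommonRuleSet#Version_1.0",
            "terminatingRule": {"ruleId": group_rule, "action": action},
            "nonTerminatingMatchingRules": [],
        })
    return json.dumps(rec)


# Constructed sample: two blocks by a managed rule group, one by a custom rule,
# and one request allowed by the web ACL default action.
SAMPLE_LOG_LINES = [
    _record("AWS-AWSManagedRulesCommonRuleSet", "MANAGED_RULE_GROUP", "BLOCK",
            "198.51.100.7", "US", "/api/upload", group_rule="SizeRestrictions_BODY"),
    _record("AWS-AWSManagedRulesCommonRuleSet", "MANAGED_RULE_GROUP", "BLOCK",
            "198.51.100.7", "US", "/api/upload", group_rule="SizeRestrictions_BODY"),
    _record("block-scanner-ips", "REGULAR", "BLOCK", "203.0.113.9", "DE", "/"),
    _record("Default_Action", "REGULAR", "ALLOW", "192.0.2.44", "US", "/index.html"),
]


def parse_log_lines(lines):
    """Parse NDJSON log lines into dicts, skipping blank lines."""
    return [json.loads(line) for line in lines if line.strip()]


def blocking_rule(record):
    """Return (terminatingRuleId, rule inside the group or None).

    For GROUP / MANAGED_RULE_GROUP the web ACL rule name is not enough to
    know what matched; the inner rule lives in ruleGroupList[].terminatingRule.
    """
    rule_id = record.get("terminatingRuleId")
    inner = None
    if record.get("terminatingRuleType") in GROUP_TYPES:
        for group in record.get("ruleGroupList") or []:
            term = group.get("terminatingRule")
            if term and term.get("ruleId"):
                inner = term["ruleId"]
                break
    return rule_id, inner


def summarize_blocks(records):
    """Count BLOCK records by (rule, inner rule) and by (ip, country, uri, rule)."""
    by_rule = Counter()
    by_client = Counter()
    for rec in records:
        if rec.get("action") != "BLOCK":
            continue
        rule_id, inner = blocking_rule(rec)
        by_rule[(rule_id, inner)] += 1
        req = rec.get("httpRequest") or {}
        by_client[(req.get("clientIp"), req.get("country"), req.get("uri"), rule_id)] += 1
    return by_rule, by_client


def top_terminating_rules(by_rule, limit=10):
    """Top blocking rules, most frequent first (mirrors the Logs Insights query)."""
    return by_rule.most_common(limit)


if __name__ == "__main__":
    rules, clients = summarize_blocks(parse_log_lines(SAMPLE_LOG_LINES))
    for (rule, inner), n in top_terminating_rules(rules):
        print(f"{n:>5}  {rule}" + (f"  ->  {inner}" if inner else ""))
    for (ip, country, uri, rule), n in clients.most_common():
        print(f"{n:>5}  {ip} {country} {uri} ({rule})")
```

Feed real exported records to parse_log_lines() in place of SAMPLE_LOG_LINES; the (rule, inner rule) pair that tops the output is the one to target in the next section.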

Athena example query

For AWS WAF logs that you store in an Amazon S3 bucket, use Athena to create an AWS WAF table over the log files, then query and filter the records.

For example, to view the number of blocked requests based on client IP address and country, run the following query:

SELECT "httprequest"."clientip",
       "httprequest"."country",
       count(*) AS "count"
FROM waf_logs
WHERE "action" = 'BLOCK'
GROUP BY "httprequest"."clientip", "httprequest"."country"
ORDER BY "count" DESC

Modify the AWS WAF rule to allow your request

If the blocking rule is in an AWS Managed Rules rule group, then customize the rule behavior: override the action of the single matching rule (for example, to Count) or add a scope-down statement so that the override applies only to the requests you intend to allow. Don't override the whole rule group to Count, because that turns off every protection in the group.

If the blocking rule is a custom rule, then update your rule parameters. Tighten the rule statement so that it no longer matches your request while still matching the traffic it's meant to block. After you change either kind of rule, resend the request and confirm in sampled requests or the logs that the action is no longer Block.

Related information

How do I turn on AWS WAF logging and send logs to CloudWatch, Amazon S3, or Firehose?

How do I analyze AWS WAF logs in CloudWatch?

AWS OFFICIAL (updated 7 months ago)