I want to identify the AWS WAF rule that's blocking my request or responding with a 403 Forbidden error.
Short description
By default, AWS WAF returns a "403 Forbidden" error for requests that match AWS WAF rules with the Block action. If you set up custom responses for Block actions, then AWS WAF returns your configured response.
To troubleshoot the "403 Forbidden" error, use Sampled requests or AWS WAF logs to identify the AWS WAF rule or rule group that blocks the request. Then, modify the rule to allow your request.
Resolution
Use sampled requests
If AWS WAF blocked your request within the past 3 hours, then you can view a sample of the blocked web requests. If AWS WAF blocked your request more than 3 hours ago, then resend the same request to generate a new sampled request.
In the Sampled requests table, review the following columns:
- To identify the request, review the Source IP and URI columns.
- To identify the rule or rule group that matches the request, review the Metric name column. If a rule group is blocking the request, then use the Rule inside rule group column to identify the rule.
- To confirm that the rule is set to Block, review the Action column.
Use AWS WAF logs
Note: If you didn't activate AWS WAF logging at the time of your request, then turn on AWS WAF logging and resend the same request.
Use queries against your AWS WAF logs to identify the blocked requests. To query AWS WAF logs that you store in Amazon CloudWatch Logs, use Amazon CloudWatch Logs Insights queries. To query AWS WAF logs that you store in Amazon Simple Storage Service (Amazon S3), use Amazon Athena queries.
CloudWatch Logs Insights example queries
To get the top 10 terminating rules, run the following query:
fields terminatingRuleId
| stats count() as requestCount by terminatingRuleId
| sort requestCount desc
| limit 10
To summarize requests that AWS WAF blocked by client IP address, country, URI, and rule, run the following query:
fields httpRequest.clientIp as ClientIP, httpRequest.country as Country, httpRequest.uri as URI, terminatingRuleId as Rule
| filter action = "BLOCK"
| stats count() as RequestCount by Country, ClientIP, URI, Rule
| sort RequestCount desc
Note: In the output, the terminatingRuleId field identifies the AWS WAF rule or rule group that blocks the request.
Athena example query
For AWS WAF logs that you store in an Amazon S3 bucket, use Athena to create an AWS WAF table that queries logs and filters details. For more information, see Query AWS WAF logs. Then, run queries on the table.
For example, to view the number of requests that AWS WAF blocked based on client IP address and country, run the following query:
SELECT "httprequest"."clientip",
       count(*) AS "count",
       "httprequest"."country"
FROM waf_logs
WHERE "action" LIKE 'BLOCK'
GROUP BY "httprequest"."clientip", "httprequest"."country"
ORDER BY "count" DESC
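The CloudWatch Logs Insights and Athena queries above both key on the terminatingRuleId field. When the terminating rule is a rule group, that field only names the group; the rule inside the group that actually matched is recorded in the ruleGroupList array of the same log record. The following script is an added example, not part of this article or of any AWS tool: it reads AWS WAF log records in the JSON Lines format that AWS WAF writes, reproduces both summaries offline (top terminating rules, and blocked requests by country, client IP, URI and rule), and resolves the rule inside a rule group. The log records are constructed for illustration (placeholder web ACL ARN, documentation IP ranges), and the function names are this example's own.

```python
import json
from collections import Counter

# Constructed sample AWS WAF log records (JSON Lines), not real traffic.
# Field names follow the AWS WAF log format; the values are made up.
SAMPLE_LOG_LINES = """
{"timestamp":1700000000000,"formatVersion":1,"webaclId":"arn:aws:wafv2:us-east-1:123456789012:regional/webacl/example/PLACEHOLDER","terminatingRuleId":"AWS-AWSManagedRulesCommonRuleSet","terminatingRuleType":"MANAGED_RULE_GROUP","action":"BLOCK","ruleGroupList":[{"ruleGroupId":"AWS#AWSManagedRulesCommonRuleSet","terminatingRule":{"ruleId":"SizeRestrictions_BODY","action":"BLOCK"},"nonTerminatingMatchingRules":[],"excludedRules":null}],"rateBasedRuleList":[],"nonTerminatingMatchingRules":[],"httpRequest":{"clientIp":"203.0.113.10","country":"US","uri":"/api/upload","httpMethod":"POST"}}
{"timestamp":1700000001000,"formatVersion":1,"webaclId":"arn:aws:wafv2:us-east-1:123456789012:regional/webacl/example/PLACEHOLDER","terminatingRuleId":"AWS-AWSManagedRulesCommonRuleSet","terminatingRuleType":"MANAGED_RULE_GROUP","action":"BLOCK","ruleGroupList":[{"ruleGroupId":"AWS#AWSManagedRulesCommonRuleSet","terminatingRule":{"ruleId":"SizeRestrictions_BODY","action":"BLOCK"},"nonTerminatingMatchingRules":[],"excludedRules":null}],"rateBasedRuleList":[],"nonTerminatingMatchingRules":[],"httpRequest":{"clientIp":"203.0.113.10","country":"US","uri":"/api/upload","httpMethod":"POST"}}
{"timestamp":1700000002000,"formatVersion":1,"webaclId":"arn:aws:wafv2:us-east-1:123456789012:regional/webacl/example/PLACEHOLDER","terminatingRuleId":"block-admin-path","terminatingRuleType":"REGULAR","action":"BLOCK","ruleGroupList":[],"rateBasedRuleList":[],"nonTerminatingMatchingRules":[],"httpRequest":{"clientIp":"198.51.100.7","country":"DE","uri":"/admin","httpMethod":"GET"}}
{"timestamp":1700000003000,"formatVersion":1,"webaclId":"arn:aws:wafv2:us-east-1:123456789012:regional/webacl/example/PLACEHOLDER","terminatingRuleId":"Default_Action","terminatingRuleType":"REGULAR","action":"ALLOW","ruleGroupList":[],"rateBasedRuleList":[],"nonTerminatingMatchingRules":[],"httpRequest":{"clientIp":"203.0.113.10","country":"US","uri":"/index.html","httpMethod":"GET"}}
{"timestamp":1700000004000,"formatVersion":1,"webaclId":"arn:aws:wafv2:us-east-1:123456789012:regional/webacl/example/PLACEHOLDER","terminatingRuleId":"login-rate-limit","terminatingRuleType":"RATE_BASED","action":"BLOCK","ruleGroupList":[],"rateBasedRuleList":[{"rateBasedRuleId":"login-rate-limit","limitKey":"IP","maxRateAllowed":100}],"nonTerminatingMatchingRules":[],"httpRequest":{"clientIp":"198.51.100.7","country":"DE","uri":"/login","httpMethod":"POST"}}
"""


def parse_records(text):
    """Parse JSON Lines text into a list of log record dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def blocking_rule(record):
    """Return the rule that blocked this request, or None if it was not blocked.

    At the web ACL level, terminatingRuleId names the rule or rule group.
    For a rule group, the rule inside the group is only visible in
    ruleGroupList[].terminatingRule, so the result is "<group>/<rule>".
    """
    if record.get("action") != "BLOCK":
        return None
    rule = record.get("terminatingRuleId", "UNKNOWN")
    for group in record.get("ruleGroupList") or []:
        inner = group.get("terminatingRule")
        if inner:  # only the group that terminated evaluation has this set
            return f"{rule}/{inner.get('ruleId', 'UNKNOWN')}"
    return rule


def top_terminating_rules(records, limit=10):
    """Equivalent of the first Insights query: count every action by terminatingRuleId."""
    counts = Counter(r.get("terminatingRuleId", "UNKNOWN") for r in records)
    return counts.most_common(limit)


def summarize_blocked(records):
    """Equivalent of the second Insights query, with the rule-group member resolved.

    Returns (country, clientIp, uri, rule, count) rows, most frequent first.
    """
    counts = Counter()
    for r in records:
        rule = blocking_rule(r)
        if rule is None:
            continue
        req = r.get("httpRequest", {})
        key = (req.get("country", "?"), req.get("clientIp", "?"), req.get("uri", "?"), rule)
        counts[key] += 1
    rows = [key + (n,) for key, n in counts.items()]
    # Sort by count descending, then by the key so output is deterministic.
    rows.sort(key=lambda row: (-row[4], row[:4]))
    return rows


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG_LINES)
    print("Top terminating rules:")
    for rule, n in top_terminating_rules(recs):
        print(f"  {n:>4}  {rule}")
    print("Blocked requests by country / client IP / URI / rule:")
    for country, ip, uri, rule, n in summarize_blocked(recs):
        print(f"  {n:>4}  {country}  {ip:<15} {uri:<12} {rule}")
```

Point the script at a file of records downloaded from your S3 log bucket (after decompressing) instead of SAMPLE_LOG_LINES to get the same breakdown the Athena query gives, with the rule inside a rule group shown next to the group name. Note that ALLOW records still carry a terminatingRuleId (for example Default_Action), which is why the first summary counts all actions while the second filters on BLOCK, exactly as the two Insights queries do.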
Modify the AWS WAF rule to allow your request
If the blocking rule is in an AWS Managed Rules rule group, then customize the rule behavior.
If the blocking rule is a custom rule, then update your rule parameters to use a rule statement to allow the request.
Related information
How do I turn on AWS WAF logging and send logs to CloudWatch, Amazon S3, or Firehose?
How do I analyze AWS WAF logs in CloudWatch?