In such situations it is good to check the IP address that your user is using over the internet and cross check using the Sampled Requests or WAF logs if that same IP is being logged. Also, sometimes our system might be assigned an IPv6 address along with the IPv4 and the system might be using that for communicating (I have noticed this in a few cases).
As per your use case, I can understand that you want to allow a user only if the IP address is present in the IP set. However, as per the rule configuration, none of the rules seem to be allowing the requests.
The match_allowed_ip rule will be inspected first; if an IP is not present in the IP set allowed_ip, then the request would be blocked.
If the IP is present in the IP set, then the rule will not match and the request will be evaluated by the default action, which is again set to Block.
I would request you to validate the user's IP, if the resource is associated with the correct Web ACL and go through the logs in order to determine which rule is Allowing the request.
If you want to restrict IPs on the API Gateway, I found the following resource-based policy to be a good way to do so.
https://repost.aws/knowledge-center/api-gateway-resource-policy-access
Also, looking at the WAF configuration you shared with us, the default rule is block, so if it doesn't match the IP-based rule, it will be blocked.
So it is possible that all accessible requests are judged to match the IP set.
One way to check this would be to output the WAF logs to S3.
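Both answers above come down to the same check: take the client IP the user actually presents (IPv4 or IPv6), find the matching entries in the WAF logs, and see which rule terminated the request and with what action. The script below is an added example, not code from either answer or from AWS. It reads WAF log records in the JSON Lines format that the S3 logging destination writes, but the four records and the contents of the allowed_ip IP set (two CIDRs) are constructed for illustration; the field names it reads (`action`, `terminatingRuleId`, `httpRequest.clientIp`) are the standard WAF log fields.

```python
import ipaddress
import json
from collections import Counter

# Hypothetical contents of the "allowed_ip" IP set from the question (constructed CIDRs).
ALLOWED_IP_SET = ["203.0.113.0/24", "2001:db8:abcd::/48"]

# Constructed sample records in the AWS WAF log format (one JSON object per line, as
# delivered to S3). Only the fields this script reads are filled in.
SAMPLE_WAF_LOGS = """\
{"timestamp": 1700000000000, "action": "BLOCK", "terminatingRuleId": "match_allowed_ip", "terminatingRuleType": "REGULAR", "httpRequest": {"clientIp": "198.51.100.7", "uri": "/prod/orders"}}
{"timestamp": 1700000001000, "action": "BLOCK", "terminatingRuleId": "Default_Action", "terminatingRuleType": "REGULAR", "httpRequest": {"clientIp": "203.0.113.10", "uri": "/prod/orders"}}
{"timestamp": 1700000002000, "action": "ALLOW", "terminatingRuleId": "Default_Action", "terminatingRuleType": "REGULAR", "httpRequest": {"clientIp": "2001:db8:abcd::1", "uri": "/prod/orders"}}
{"timestamp": 1700000003000, "action": "ALLOW", "terminatingRuleId": "match_allowed_ip", "terminatingRuleType": "REGULAR", "httpRequest": {"clientIp": "192.0.2.44", "uri": "/prod/health"}}
"""


def in_ip_set(client_ip: str, cidrs) -> bool:
    """True if client_ip falls inside any CIDR of the IP set (IPv4 and IPv6 handled separately)."""
    addr = ipaddress.ip_address(client_ip)
    for cidr in cidrs:
        net = ipaddress.ip_network(cidr, strict=False)
        if net.version == addr.version and addr in net:
            return True
    return False


def analyze_waf_logs(log_text: str, cidrs):
    """Return one finding per log record: who sent it, which rule terminated it, and
    whether the outcome disagrees with the IP set membership."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        ip = rec["httpRequest"]["clientIp"]
        action = rec["action"]
        allowed = in_ip_set(ip, cidrs)
        findings.append({
            "clientIp": ip,
            # The IP version tells you whether the user arrived over IPv6, the case the
            # first answer mentions, and so needs an IPv6 entry in the set.
            "ipVersion": ipaddress.ip_address(ip).version,
            "action": action,
            "terminatingRuleId": rec.get("terminatingRuleId"),
            "inAllowedSet": allowed,
            # The two outcomes worth investigating: an address outside the set that got
            # through, and an address inside the set that was rejected.
            "unexpected": (action == "ALLOW" and not allowed) or (action == "BLOCK" and allowed),
        })
    return findings


def rule_action_counts(findings):
    """Count requests per (terminating rule, action) pair to see which rule is doing the allowing."""
    return Counter((f["terminatingRuleId"], f["action"]) for f in findings)


if __name__ == "__main__":
    results = analyze_waf_logs(SAMPLE_WAF_LOGS, ALLOWED_IP_SET)
    for f in results:
        flag = "  <-- check this" if f["unexpected"] else ""
        print(f"{f['clientIp']:>20} v{f['ipVersion']} in_set={f['inAllowedSet']!s:5} "
              f"{f['action']:5} by {f['terminatingRuleId']}{flag}")
    print(rule_action_counts(results))
```

Point it at the log objects downloaded from the S3 logging bucket (one JSON record per line) and replace `ALLOWED_IP_SET` with the Addresses list from the real IP set. A request terminated by `Default_Action` never matched any rule, so if those show up as ALLOW the default action is not what you think it is; if an address inside the set is blocked by `match_allowed_ip`, the rule's statement is negated the wrong way round, as the first answer describes.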
Hi @Riku Thanks for the reply.
We have considered other options first, like security group inbound rules and API resource policies, but our use case is different. We have 500+ IPs in the allowed list of IPs, and whenever a new gateway is deployed, the gateway IP should be listed. Security group inbound rules and resource policies are not a good fit here. WAF has the capacity to allow 10K IPs and we can automate the process to update IPs in the IP set.
The WAF configuration is as expected: if a request doesn't match the IP-based rule, then it should be blocked, else allowed.
Thanks
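The reply above relies on automating IP set updates as new gateways are deployed. The script below is an added example of that automation, not code from this thread or from AWS. It assumes the WAFv2 API behaviour that `update_ip_set` replaces the whole Addresses list and requires the LockToken returned by `get_ip_set`, that entries must be in CIDR notation, and the 10,000-address limit the reply mentions. The IP set name and ID are placeholders; the helper functions run without the AWS SDK, and only `add_gateway_ips` calls boto3.

```python
import ipaddress

IP_SET_CAPACITY = 10_000  # per-IP-set address limit referred to in the reply


def to_cidr(addr: str) -> str:
    """WAF IP sets store CIDR notation; a bare host address becomes a /32 or /128."""
    return str(ipaddress.ip_network(addr, strict=False))


def merge_addresses(existing, new):
    """Union of the current entries and the new gateway IPs, normalised and de-duplicated,
    sorted so the result is stable across runs. Raises before the API would reject it."""
    merged = {to_cidr(a) for a in existing} | {to_cidr(a) for a in new}
    if len(merged) > IP_SET_CAPACITY:
        raise ValueError(f"{len(merged)} entries exceed the IP set capacity of {IP_SET_CAPACITY}")
    # Sort IPv4 before IPv6; networks of different versions cannot be compared directly.
    return sorted(merged, key=lambda c: (ipaddress.ip_network(c).version, ipaddress.ip_network(c)))


def add_gateway_ips(name: str, ip_set_id: str, new_ips, scope: str = "REGIONAL"):
    """Read-modify-write of a WAFv2 IP set. The LockToken makes the write fail instead of
    silently overwriting a concurrent change (e.g. two gateway deployments at once)."""
    import boto3  # imported here so the pure helpers above run without the SDK installed
    client = boto3.client("wafv2")
    current = client.get_ip_set(Name=name, Scope=scope, Id=ip_set_id)
    present = current["IPSet"]["Addresses"]
    desired = merge_addresses(present, new_ips)
    if set(desired) == {to_cidr(a) for a in present}:
        return desired  # nothing to add; skip the write and keep the lock token unused
    client.update_ip_set(
        Name=name,
        Scope=scope,
        Id=ip_set_id,
        Addresses=desired,
        LockToken=current["LockToken"],
    )
    return desired


if __name__ == "__main__":
    # Offline demonstration with constructed values; replace with the real set name/ID.
    print(merge_addresses(["203.0.113.0/24", "198.51.100.9/32"],
                          ["198.51.100.9", "192.0.2.1", "2001:db8::7"]))
    # add_gateway_ips("allowed_ip", "<ip-set-id-placeholder>", ["192.0.2.1"])
```

Run the merge in the deployment pipeline after the gateway's address is known; if `update_ip_set` raises a WAFOptimisticLockException, another writer changed the set in between and the safe response is to re-read and retry rather than force the write. Removing retired gateway IPs is the same read-modify-write with a subtraction instead of a union.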