403 Forbidden on us-east-1

We recently started getting the 403 error when accessing services in us-east-1 inside the AWS Console.

I can log in to the console and get all information available on Console Home, go to a specific service page hosted in us-east-2 (for example, CodeBuild or EC2) and access everything as it should be. If I try to change the region specifically to us-east-1, I get the "403 Forbidden" error. The same thing happens if I try to go to a global resource, like WAF, IAM and CloudFront. This happens for every device inside the office's network. One thing I noticed is that every time I try to change to this region, I end up being redirected to the "signin.aws.amazon.com" URL, which is where I get the 403 error. Running curl -v against https://us-east-1.console.aws.amazon.com returns 302, as does curl against https://signin.aws.amazon.com; https://aws.amazon.com returns 200.

I can ping and resolve us-east-1.console.aws.amazon.com without any problems, but when trying to access the console via browser, I get 403. I already tried opening an incognito session, clearing cookies and site data for all time, using another browser (Chrome and Safari), and using another browser profile and a guest profile, but to no avail.

If I try to use mobile data, I can access the services in this region without any problems. With this in mind, I checked whether any of our public IPs were being blocked, but they're allowed in our WAF configuration (for both regions and for CloudFront). There are also no rules in our on-premises firewall that block or interfere with connections to AWS.

It also doesn't seem to be a permission problem, since we've had users with exactly the same IAM policies in place where one could access the services in the "problematic" region and another could access it without any issues.

What am I missing here?

1 Answer

Based on the information provided, it appears that the issue you're experiencing is not related to AWS permissions or account settings, but rather seems to be a network-related problem specific to your office environment. Here are some potential causes and steps you can take to troubleshoot:

  1. Region Opt-in: Although you mentioned us-east-1, which is not typically an opt-in region, it's worth double-checking that the region is enabled in your account. Some regions require explicit opt-in.

  2. Network Configuration: Since the issue only occurs on your office network and not on mobile data, it's likely that there's a network configuration issue. This could be related to your firewall, proxy settings, or DNS resolution within your office network.

  3. VPN or Proxy: If your office uses a VPN or proxy, ensure that it's not interfering with the connection to AWS services, particularly for us-east-1 endpoints.

  4. DNS Issues: Although you mentioned being able to resolve and ping the AWS endpoints, there might be subtle DNS issues affecting only certain requests. Try flushing your DNS cache and potentially using a different DNS server temporarily.

  5. SSL/TLS Inspection: Some corporate networks use SSL/TLS inspection, which can interfere with secure connections to cloud services. Check if your network has such a system in place and if it's properly configured for AWS endpoints.

  6. Geolocation Services: Some AWS services use geolocation to determine access. Ensure that your office IP is not mistakenly associated with a blocked region.

  7. Content Delivery Network (CDN) Issues: AWS uses CDNs for console delivery. There might be an issue with the CDN node serving your office location.

To resolve this:

  1. Consult with your network administration team to review firewall rules, proxy settings, and any potential network-level blocks.
  2. Try accessing the AWS Console through a different ISP or network to isolate if it's specific to your office network.
  3. If possible, temporarily bypass any corporate proxies or VPNs to test direct access.
  4. Check for any recent changes in your network configuration that might have coincided with the onset of this issue.
  5. Consider reaching out to AWS Support, providing them with your office's public IP address, traceroutes, and any relevant network logs to help diagnose the issue.

Remember, since you can access other regions and the issue is specific to your office network, it's highly likely that the root cause lies within your local network configuration rather than with AWS itself.
Sources
API Gateway resource gives "403 Forbidden" response in me-central-1 region while it works well with other regions. Any workaround/solution for this? | AWS re:Post
Troubleshoot access to OpenSearch Serverless dashboard | AWS re:Post

answered a month ago
reviewed a month ago (EXPERT)
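The checks the answer recommends (DNS resolution, the first-hop HTTP status without following redirects, the TLS certificate issuer to spot inspection proxies, and an office-versus-mobile comparison) as an added example; this is not part of the original answer or of any AWS tooling. The endpoint list is taken from the question, the expectation that AWS front ends present certificates issued by an Amazon CA is an assumption, and the file names in the usage comment are placeholders.

```python
# Added diagnostic (not from the re:Post thread). Run it once on the office
# network and once on mobile data, save both JSON reports, then diff them.
import json
import socket
import ssl
import sys
import urllib.error
import urllib.parse
import urllib.request

# Hosts named in the question.
ENDPOINTS = (
    "https://us-east-1.console.aws.amazon.com/",
    "https://us-east-2.console.aws.amazon.com/",
    "https://signin.aws.amazon.com/",
    "https://aws.amazon.com/",
)

# Assumption: AWS front ends serve leaf certificates issued by Amazon-operated
# CAs. A different organisation on the issuer line usually means a TLS-inspecting
# proxy is re-signing the connection (item 5 in the answer).
EXPECTED_ISSUER_ORGS = ("Amazon",)

# Fields worth comparing between two networks.
COMPARE_KEYS = ("verdict", "issuer", "addrs")


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib following 302s so the first hop is reported, like curl -v."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def issuer_looks_intercepted(issuer_org):
    """True when the leaf certificate's issuer is not one of the expected CAs."""
    return not any(org.lower() in issuer_org.lower() for org in EXPECTED_ISSUER_ORGS)


def classify(status, location):
    """Map one hop's status to a verdict. 302 is the normal answer for an
    unauthenticated console/signin request; 403 is the symptom in the question."""
    if status in (301, 302, 303, 307, 308):
        return "redirect -> " + (location or "?")
    if status == 403:
        return "forbidden"
    if 200 <= status < 300:
        return "ok"
    return "unexpected %d" % status


def compare_runs(run_a, run_b):
    """Endpoints whose verdict, issuer or resolved addresses differ between
    two saved reports (e.g. office vs. mobile data)."""
    diffs = []
    for url in sorted(set(run_a) | set(run_b)):
        a, b = run_a.get(url, {}), run_b.get(url, {})
        changed = [k for k in COMPARE_KEYS if a.get(k) != b.get(k)]
        if changed:
            diffs.append((url, changed))
    return diffs


def probe(url, timeout=10.0):
    """Resolve, TLS-connect and fetch one URL without following redirects."""
    host = urllib.parse.urlsplit(url).hostname
    result = {"url": url}
    try:
        result["addrs"] = sorted({ai[4][0] for ai in socket.getaddrinfo(host, 443)})
    except socket.gaierror as exc:
        result["dns_error"] = str(exc)
        return result
    try:  # Record who signed the cert the client actually sees.
        ctx = ssl.create_default_context()
        with socket.create_connection((host, 443), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                issuer = dict(rdn[0] for rdn in tls.getpeercert()["issuer"])
        result["issuer"] = issuer.get("organizationName", "")
        result["intercepted"] = issuer_looks_intercepted(result["issuer"])
    except OSError as exc:  # includes ssl.SSLError (untrusted proxy CA, resets)
        result["tls_error"] = str(exc)
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, headers={"User-Agent": "Mozilla/5.0"})
    try:
        with opener.open(req, timeout=timeout) as resp:
            status, headers = resp.status, resp.headers
    except urllib.error.HTTPError as exc:  # 3xx/4xx land here with NoRedirect
        status, headers = exc.code, exc.headers
    except urllib.error.URLError as exc:
        result["http_error"] = str(exc.reason)
        return result
    result["status"] = status
    result["server"] = headers.get("Server")
    result["verdict"] = classify(status, headers.get("Location"))
    return result


if __name__ == "__main__":
    # python probe.py > office.json        (repeat on mobile data -> mobile.json)
    # python probe.py office.json mobile.json   (prints what differs)
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as fa, open(sys.argv[2]) as fb:
            print(compare_runs(json.load(fa), json.load(fb)))
    else:
        json.dump({r["url"]: r for r in map(probe, ENDPOINTS)}, sys.stdout, indent=2)
```

A "forbidden" verdict on signin.aws.amazon.com together with a non-Amazon issuer on the office run, and neither on the mobile run, points at an inspecting proxy or middlebox rather than at IAM or WAF; a differing `addrs` list points at DNS or at a different CDN edge, which is what the answer's items 4 and 7 describe.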
