Why is AWS WAF blocking my request or responding with a 403 Forbidden error?

Last updated: 2022-07-20

How do I identify the AWS WAF rule that is blocking my request or responding with a 403 Forbidden error?

Short description

If a request matches an AWS WAF rule that is set to Block, then by default AWS WAF returns a 403 Forbidden error. If you set up Custom responses for block actions, then AWS WAF returns your configured response.

To troubleshoot a 403 Forbidden error:

  1. Identify the AWS WAF rule or rule group that's blocking the request.
  2. Make changes to the identified rule to allow your request.

Resolution

Identify the AWS WAF rule or rule group that blocked the request

There are two options to identify the AWS WAF rule or rule group that's blocking the request.

Option 1: sampled requests

If request sampling is turned on and your request was blocked within the past three hours, view a sample of web requests for blocked requests.
Note: If it's been more than three hours since your request was blocked, you can re-send the same request to generate new sampled request.

Use the Sampled requests table to identify which rule or rule group blocked the request:

  1. Identify the request using the Source IP and URI columns.
  2. Identify the rule or rule group that matched the request, using the Metric name column. If the request was blocked by a rule group, use the Rule inside rule group column to identify the rule.
  3. Using the Action column, confirm that the identified rule is set to Block.

Note the rule or rule group that blocked the request. Then, proceed to Make changes to the AWS WAF rule to allow your request.

Option 2: AWS WAF logs

If AWS WAF logging is turned on, you can analyze the logs to find the rule or rule group that blocked the request.

  1. View your AWS WAF logs.
  2. Identify the blocked request in the logs.
  3. View the terminatingRuleId field to identify which AWS WAF rule or rule group that blocked the request.

Note the rule or rule group that blocked the request. Then, proceed to Make changes to the AWS WAF rule to allow your request.

Note: If you don’t have AWS WAF logging turned on at the time of your request, you must first turn on AWS WAF logging. Then, reproduce the request to identify the rule blocking the request in the AWS WAF logs. For more information, see How do I turn on AWS WAF logging and send logs to CloudWatch, Amazon S3, or Kinesis Data Firehose?

Make changes to the AWS WAF rule to allow your request

After identifying the rule or rule group that blocked the request, make appropriate changes to the rule or rule group so the specific request is allowed.


Did this article help?


Do you need billing or technical support?