AWS WAF 403 Request Blocked - Troubleshooting Guide

Overview

This guide provides step-by-step instructions for investigating and troubleshooting 403 requests that are blocked by AWS WAF for publisher requests.

Prerequisites

Access to Microsoft Applications portal
Sumo Logic access permissions
The blocked request ID from the user/application

Step 1: Access Sumo Logic

Option A: Through Microsoft Applications Portal

Navigate to myapplications.microsoft.com
Search for "Sumo" in the application search bar
If you have access, you will see the Sumo Logic application
Click on the Sumo Logic application to launch it

Option B: Direct Access Link

Use this direct link to access Sumo Logic:

https://launcher.myapps.microsoft.com/api/signin/64b1b1ad-1edb-48af-857f-ce6430dfe8b0?tenantId=73329c54-059a-4fb8-8d15-3a38ef737adb

If You Don't Have Access

If you don't see the Sumo Logic application or get access denied: 1. Request access through SailPoint 2. Follow your organization's access request process 3. Wait for approval before proceeding

Step 2: Query AWS WAF Blocked Requests

Once you have access to Sumo Logic, use the following query to investigate blocked requests:

Base Query for All Blocked Requests

_source="aws-waf-logs-blocks-prod-rubk"
| json field=_raw "httpRequest.requestId"
| json field=_raw "httpRequest.uri" as uri

Query for Specific Blocked Request

Replace the requestId value with the actual blocked request ID you're investigating:

_source="aws-waf-logs-blocks-prod-rubk"
| json field=_raw "httpRequest.requestId"
| json field=_raw "httpRequest.uri" as uri
| json field=_raw "httpRequest.requestId" 
| where %"httpRequest.requestId" = "UQ7mdiY9eR67MhqizfApS8jNsup7d_WLMNuDDgw7PH4Vf6y0wl7wMw=="

Note: The requestId in the example above (UQ7mdiY9eR67MhqizfApS8jNsup7d_WLMNuDDgw7PH4Vf6y0wl7wMw==) should be replaced with the actual blocked request ID provided by the user.

Step 3: Analyze the Results

When you run the query, look for the following information:

Key Fields to Review

requestId: The unique identifier for the blocked request
uri: The URI that was being accessed when blocked
httpRequest: Contains detailed information about the request
terminatingRuleId: The WAF rule that blocked the request
action: The action taken (should be "BLOCK" for 403s)

Additional Useful Fields

You may want to expand your query to include:

_source="aws-waf-logs-blocks-prod-rubk"
| json field=_raw "httpRequest.requestId"
| json field=_raw "httpRequest.uri" as uri
| json field=_raw "httpRequest.clientIp" as clientIp
| json field=_raw "httpRequest.country" as country
| json field=_raw "httpRequest.headers" as headers
| json field=_raw "terminatingRuleId" as ruleId
| json field=_raw "action" as action
| where %"httpRequest.requestId" = "YOUR_REQUEST_ID_HERE"

Step 4: Common Troubleshooting Steps

1. Verify the Request Details

Check if the URI matches expected publisher request patterns
Verify the client IP is from an expected source
Review request headers for any suspicious patterns

2. Identify the Blocking Rule

Note the terminatingRuleId that caused the block
Research what this rule is designed to protect against
Determine if this is a legitimate block or false positive

3. Check for Patterns

Look for similar blocked requests from the same IP
Check if multiple request IDs are being blocked
Identify any timing patterns in the blocks

Step 5: Resolution Actions

For Legitimate Requests (False Positives)

Document the request details
Contact the WAF administrator
Request rule adjustment or whitelist addition
Provide evidence that the request is legitimate

For Suspicious Requests

Document the threat indicators
Verify the block was appropriate
Consider additional security measures if needed
Monitor for continued attempts

Quick Reference

Essential Information to Collect

Request ID (provided by user)
Timestamp of the blocked request
Source IP address
Requested URI
Blocking rule ID
User agent and headers

Contact Information

WAF Administrator: [Contact details to be added]
Security Team: [Contact details to be added]
SailPoint Access: [Contact details to be added]

Notes

Always replace the example request ID with the actual ID you're investigating
Keep request IDs confidential and follow data handling policies
Document your findings for future reference and pattern analysis