Overview

Credentials and WAF Configs are validated, and the results are shown on their details page. This article will explain each error and how to check them.

Errors shown on Credentials

Validation results are available under [State] for Credentials.

State details

Message	Description
Unknown	Displayed when validation has not yet been performed.
Validated	Displayed when validation is successful.
Invalid Credential	Displayed when the credential information is invalid.
Undefined Error	Displayed when an unexpected error occurs.

[Legacy rule policy] Errors that are shown on WAF Configs

For the Legacy rule policy, the validation results are available on items below in the WAF Configs.

[Status] field under the [Basic configuration] in WAF Config details.
- This item shows the validation result for the WAF Config itself.
- Validation will return an error when credential information to access the web ACL or web ACL is missing.
- To revalidate the WAF Config, click the [Validate] button in the upper right corner of the WAF Config detail page.
  - Web Site Config will not be revalidated.
[Status] under the [Access log retrieval] section in the WAF Config details.
- This item shows the validation result for the Web Site Config.
- Validation will return an error when credential information to obtain access logs or the S3 bucket is missing.
- To revalidate the Web Site Config, click the [Validate] button shown on each Web Site Config on the [Log and Notification configuration] page.
  - WAF Config will not be revalidated.

Details of the [Status] field under the [Basic configuration] in WAF Config

Message	Description
Unknown	Displayed when validation has not yet been performed.
Validated	Displayed when validation is successful.
Invalid Credential	Displayed when the credential information is invalid.
Insufficient permissions	Displayed when required permissions are missing.
Web ACL not found	Displayed when the web ACL cannot be found or does not exist.
Undefined Error	Displayed when an unexpected error occurs that does not fall into the categories above.

Details of the [Status] field under the [Access log retrieval] in WAF Config

Message	Description
Unknown	Displayed when validation has not yet been completed.
Validated	Displayed when validation is successful.
Invalid Credential	Displayed when the credential is invalid.
Insufficient permissions	Displayed when the required permissions are missing.
S3 bucket not found	Displayed when the specified S3 bucket cannot be found.
Access log not found	Displayed when the access logs cannot be found.
Undefined Error	Displayed when an unexpected error occurs that doesn’t match other categories.

[Advanced rule policy] Errors that are shown on WAF Configs

For the Advanced rule policy, the status of the WAF Config is shown under the [Status] field in [Basic configuration] tab of the WAF Config details.

Message	Description
Unknown	Displayed when validation has not yet been performed.
Success	Displayed when validation is successful.
Error: Invalid Credential	Displayed when the credential information is invalid.
Error: Insufficient permissions	Displayed when the required permissions are missing.
Error: Web ACL not found	Displayed when the specified web ACL cannot be found.
Error: Log config not found	Displayed when WAF log retrieval settings cannot be located.
Error: Undefined error	Displayed when an unexpected error occurs that doesn’t fall into any of the categories above.
Error: Apply failed	Displayed when rule application fails. This message will not appear if any of the above errors are also present.

Error overview and examples of causes

Below are the examples of each error. These are just some examples, and errors could be caused by other reasons. If you see an error, please check your configurations.

To revalidate your resources after solving the causes, please implement the following measures.

For Credential Stores: click the [Validate] button on the top right corner of the Credential Store details page.
For Legacy rule policy
- WAF Config's Status: Click the [Validate] button at the top right corner of the WAF Config details page.
- Web Site Config's Status: Click the [Validate Web Site Setting] button on each Web Site Config under the [Log and Notification configuration] tab.
For Advanced rule policy: Click the [Reapply] button on the top right corner of the WAF Config details page.

Invalid Credential

This message indicates that the credential information registered in the Credential Store is invalid.

The error may appear if the registered values are incorrect or if the credentials were deleted from the AWS Management Console.

Please verify that the information registered in the Credential Store matches the credentials currently set in the AWS Management Console.

Insufficient permissions

This message indicates that the IAM role or user associated with the credential does not have all the required AWS-managed permissions.

To use WafCharm, the following permissions must be granted:

For the old plan
- AWSWAFFullAccess
- AmazonS3ReadOnlyAccess
For the new plan
- AWSWAFFullAccess
- AmazonS3ReadOnlyAccess
- CloudWatchReadOnlyAccess

For the AmazonS3ReadOnlyAccess permission, we recommend limiting access from WafCharm to only the necessary S3 buckets.

Please attach AWSWAFFullAccess to avoid permission issues that may arise due to feature updates or changes in AWS WAF. If you are concerned about granting full access, consider using the AssumeRole method, which offers a more secure way to manage permissions.
Additionally, please ensure that Resource is set to * in the AWS WAF-related policy.

Web ACL not found

This message indicates that the target resource cannot be found. For example, this error may appear if the web ACL was deleted before the associated WAF Config was deleted.

S3 bucket not found

This message shows that the target resources cannot be found.

Please check the values specified in the S3 Path fields and if the S3 bucket exists in your AWS management console.

Access log not found

This message shows that the target resources cannot be found.

Please check the values specified in the S3 Path fields and if access logs are outputted to the target S3 bucket.

Log config not found

This message indicates that the required resource could not be found. For example, this error may occur if WAF logging is not configured in the AWS WAF logging settings.

Apply failed

This message indicates that the application of rules provided by WafCharm has failed. For example, this may occur if a priority intended to be used by WafCharm is already assigned to a different rule.

Undefined Error

This message indicates that none of the above errors apply, or that an unexpected system error has occurred, such as when WAF logs are not being directly output to an S3 bucket.

You may be able to resolve the issue by clicking the [Validate], [Reapply], or [Change Rule Priority] button to trigger revalidation. If the issue persists after multiple attempts, please contact our support team with the information listed below so we can investigate further.

For Credential Stores

Name of the target Credential Store.

For Legacy rule policy/Advanced rule policy's WAF Configs

Name of the target WAF Config.

For Legacy rule policy's Web Site Config

Name of the target WAF Config.
The FQDN value specified in the target Web Site Config.

Errors shown on each resource for AWS WAF Classic/AWS WAF v2