Errors shown on each resource for AWS WAF Classic/AWS WAF v2
Overview
Credentials and WAF Configs are validated, and the results are shown on their details page. This article will explain each error and how to check them.
Errors shown on Credentials
Validation results are available under [State] for Credentials.
State details
Message | Description |
---|---|
Unknown | This message is shown when the validation has not yet been completed. |
Validated | This message is shown when the validation is successful. |
Invalid Credential | This message is shown when the credential is invalid. |
Undefined Error | This message is shown when an unexpected error occurs. |
[Legacy rule policy] Errors that are shown on WAF Configs
For the Legacy rule policy, the validation results are shown in the following items of the WAF Config.
- [Status] field under [Basic configuration] in the WAF Config details.
  - This item shows the validation result for the WAF Config itself.
  - Validation returns an error when the credential information used to access the web ACL, or the web ACL itself, is missing.
  - To revalidate the WAF Config, click the [Validate] button in the upper right corner of the WAF Config detail page.
  - The Web Site Config will not be revalidated.
- [Status] under the [Access log retrieval] section in the WAF Config details.
  - This item shows the validation result for the Web Site Config.
  - Validation returns an error when the credential information used to obtain access logs, or the S3 bucket, is missing.
  - To revalidate the Web Site Config, click the [Validate] button shown on each Web Site Config on the [Log and Notification configuration] page.
  - The WAF Config will not be revalidated.
Details of the [Status] field under the [Basic configuration] in WAF Config
Message | Description |
---|---|
Unknown | This message is shown when the validation has not yet been completed. |
Validated | This message is shown when the validation is successful. |
Invalid Credential | This message is shown when the credential is invalid. |
Insufficient permissions | This message is shown when permissions are insufficient. |
Web ACL not found | This message is shown when web ACLs are missing or cannot be found. |
Undefined Error | This message is shown when an unexpected error occurs. |
Details of the [Status] field under the [Access log retrieval] in WAF Config
Message | Description |
---|---|
Unknown | This message is shown when the validation has not yet been completed. |
Validated | This message is shown when the validation is successful. |
Invalid Credential | This message is shown when the credential is invalid. |
Insufficient permissions | This message is shown when permissions are insufficient. |
S3 bucket not found | This message is shown when S3 buckets cannot be found. |
Access log not found | This message is shown when access logs cannot be found. |
Undefined Error | This message is shown when an unexpected error occurs. |
[Advanced rule policy] Errors that are shown on WAF Configs
For the Advanced rule policy, the status of the WAF Config is shown under the [Status] field in the [Basic configuration] tab of the WAF Config details.
Message | Description |
---|---|
Unknown | This message is shown when the validation has not yet been completed. |
Success | This message is shown when the validation is successful. |
Error: Invalid Credential | This message is shown when the credential is invalid. |
Error: Insufficient permissions | This message is shown when permissions are insufficient. |
Error: Web ACL not found | This message is shown when web ACLs are missing or cannot be found. |
Error: Log config not found | This message is shown when the log configurations cannot be found. |
Error: Undefined Error | This message is shown when an unexpected error occurs. |
Error: Apply failed | This message is shown when the rule application fails. This error will not be listed if any of the above errors are occurring simultaneously. |
Error overview and examples of causes
Below are examples of causes for each error. These are only examples, and an error could have other causes. If you see an error, please check your configurations.
To revalidate your resources after resolving the cause, do the following.
- For Credential Stores: Click the [Validate] button on the top right corner of the Credential Store details page.
- For Legacy rule policy:
  - WAF Config's Status: Click the [Validate] button at the top right corner of the WAF Config details page.
  - Web Site Config's Status: Click the [Validate Web Site Setting] button on each Web Site Config under the [Log and Notification configuration] tab.
- For Advanced rule policy: Click the [Reapply] button on the top right corner of the WAF Config details page.
Invalid Credential
This message shows that the registered credential information is invalid.
This error may occur if there are mistakes in the registered values or if the information has been deleted in the AWS management console.
Please check whether the information registered in the Credential Store matches the information in the AWS management console.
Insufficient permissions
This message shows that the permissions attached to an IAM policy are insufficient.
Please attach the permissions below to use WafCharm.
- For the old plan
  - AWSWAFFullAccess
  - AmazonS3ReadOnlyAccess
- For the new plan
  - AWSWAFFullAccess
  - AmazonS3ReadOnlyAccess
  - CloudWatchReadOnlyAccess
Please note that we recommend restricting the S3 bucket that WafCharm can access with the AmazonS3ReadOnlyAccess permission.
For AWS WAF-related permissions, please attach AWSWAFFullAccess, because feature additions and updates could cause the permissions to become insufficient without full access. If you have concerns about the permission, please use the AssumeRole method, which is a more secure way to provide permissions.
In addition, please specify `*` in the Resource for AWS WAF permissions.
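A way to check a customer-managed IAM policy document against the two points above (S3 access restricted to a bucket, `*` as the Resource for AWS WAF permissions), as an added example that is not WafCharm's own code. The sample policy, bucket name and account ID are constructed placeholders, and `lint_policy` is a hypothetical helper name.

```python
import json

# Constructed sample policy; bucket name and account ID are placeholders.
SAMPLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["s3:Get*", "s3:List*"], "Resource": "*"},
    {"Effect": "Allow", "Action": "wafv2:*",
     "Resource": "arn:aws:wafv2:us-east-1:111122223333:regional/webacl/example/*"},
    {"Effect": "Allow", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-waf-logs/*"}
  ]
}
""")

WAF_PREFIXES = ("waf:", "waf-regional:", "wafv2:")  # IAM prefixes for AWS WAF
S3_MSG = "S3 access is not restricted to a bucket"
WAF_MSG = "AWS WAF permissions need * in Resource"


def _as_list(value):
    """IAM accepts a single string or a list for Action and Resource."""
    return [value] if isinstance(value, str) else list(value or [])


def lint_policy(policy):
    """Return (statement index, finding) pairs for Allow statements."""
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a lone statement may be a bare object
        statements = [statements]
    findings = []
    for i, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue
        actions = [a.lower() for a in _as_list(stmt.get("Action"))]
        resources = _as_list(stmt.get("Resource"))
        grants_s3 = any(a == "*" or a.startswith("s3:") for a in actions)
        grants_waf = any(a.startswith(WAF_PREFIXES) for a in actions)
        all_buckets = any(r in ("*", "arn:aws:s3:::*") for r in resources)
        if grants_s3 and all_buckets:
            findings.append((i, S3_MSG))
        if grants_waf and "*" not in resources:
            findings.append((i, WAF_MSG))
    return findings


if __name__ == "__main__":
    for index, finding in lint_policy(SAMPLE_POLICY):
        print(f"Statement[{index}]: {finding}")
```
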
Web ACL not found
This message shows that the resources cannot be found. For example, this error can occur if you delete the web ACL before deleting the WAF Config.
S3 bucket not found
This message shows that the target resources cannot be found.
Please check the values specified in the S3 Path fields and whether the S3 bucket exists in your AWS management console.
Access log not found
This message shows that the target resources cannot be found.
Please check the values specified in the S3 Path fields and whether access logs are being output to the target S3 bucket.
Log config not found
This message shows that the resources cannot be found. For example, this error can occur if the AWS WAF logging configuration is disabled or if WAF logs are not output directly to S3 buckets.
Apply failed
This message is shown when the WafCharm rule application fails. For example, this error can occur when you are using the reserved priority with rules other than WafCharm's intended rules.
Undefined Error
This message shows that none of the errors above apply or that there is an unexpected error.
Clicking the [Validate] or [Reapply] button to revalidate the resources could solve the issue. If clicking on the button does not solve the issue, please contact the WafCharm support team with the information listed below.
For Credential Stores
- The name of the target Credential Store.
For Legacy rule policy/Advanced rule policy's WAF Configs
- Name of the target WAF Config.
For Legacy rule policy's Web Site Config
- Name of the target WAF Config.
- The FQDN value specified in the target Web Site Config.