This page explains the errors that may appear on the resources used in Managed Rules Plus.
Validation results are displayed in the [State] field for each registered Credential.
Message | Description |
---|---|
Unknown | Displayed when validation has not yet been performed. |
Validated | Displayed when validation is successful. |
Invalid Credential | Displayed when the credential information is invalid. |
Undefined Error | Displayed when an unexpected error occurs. |
The state of each WAF Config is shown in the [Status] field under the [Basic Configuration] tab of the WAF Config details page.
Message | Description |
---|---|
Unknown | Displayed when validation has not yet been performed. |
Success | Displayed when validation is successful. |
Error: Invalid Credential | Displayed when the credential information is invalid. |
Error: Insufficient permissions | Displayed when the required permissions are missing. |
Error: Web ACL not found | Displayed when the specified web ACL cannot be found. |
Error: Log config not found | Displayed when WAF log retrieval settings cannot be located. |
Error: Undefined error | Displayed when an unexpected error occurs that doesn’t fall into any of the categories above. |
Error: Apply failed | Displayed when rule application fails. This message will not appear if any of the above errors are also present. |
The [CSC MR Configuration] tab does not include a [Status] field but may display messages based on errors shown in the WAF Config’s [Status] or notifications related to rule priority settings.
Message | Description |
---|---|
Verified | Displayed when the configuration is as expected. |
The priority for CSC Managed Rules must be adjusted to 1000 or higher. | Displayed when CSC Managed Rules are not assigned a priority of 1000 or higher. |
Your custom rules need to be adjusted to the 0-99 or 1000+ range. | Displayed when user-defined rules (excluding CSC Managed Rules) are not within the 0–99 or 1000+ priority range. Whether this message appears depends on the priority assigned to CSC Managed Rules. |
CSC Managed Rules Not Configured. | Displayed when CSC Managed Rules are not applied to the target web ACL. Managed Rules Plus can still be used, but this message cannot be hidden. |
Error: Web ACL Not Found | Displayed when the specified web ACL cannot be found. |
Error: Invalid Credentials | Displayed when the credential information is invalid. |
Error: Undefined Error | Displayed when an unexpected error occurs that doesn’t fall into any of the categories above. |
Below are examples of possible causes for each error. Please note that these are only examples, and errors may appear due to other reasons as well. If an error is displayed, please review your configuration settings accordingly.
After resolving the cause of the error, take the following actions to revalidate the configuration:
The "Invalid Credential" message indicates that the credential information registered in the Credential Store is invalid.
The error may appear if the registered values are incorrect or if the credentials were deleted from the AWS Management Console.
Please verify that the information registered in the Credential Store matches the credentials currently set in the AWS Management Console.
The "Insufficient permissions" message indicates that the IAM role or user associated with the credential does not have all the required AWS-managed permissions.
To use Managed Rules Plus, the following permissions must be granted:
For the `AmazonS3ReadOnlyAccess` permission, we recommend limiting access from Managed Rules Plus to only the necessary S3 buckets.
Please attach `AWSWAFFullAccess` to avoid permission issues that may arise due to feature updates or changes in AWS WAF. If you are concerned about granting full access, consider using the AssumeRole method, which offers a more secure way to manage permissions.
Additionally, please ensure that `Resource` is set to `*` in the AWS WAF-related policy.
The "Web ACL not found" message indicates that the target resource cannot be found. For example, this error may appear if the web ACL was deleted before the associated WAF Config was deleted.
The "Log config not found" message indicates that the required resource could not be found. For example, this error may occur if WAF logging is not configured in the AWS WAF logging settings.
The "Apply failed" message indicates that the application of rules provided by Managed Rules Plus has failed. For example, this may occur if a priority intended to be used by MR Plus is already assigned to a different rule.
This message is displayed when CSC Managed Rules are not assigned a priority of 1000 or higher. CSC Managed Rules are designed to be used with priorities starting from 1000. To resolve this, please click the [Change Rule Priority] button or follow the steps in About rule priorities of Managed Rules Plus to update the priority.
This message is displayed when the priority assigned to your custom rules does not match the values expected by Managed Rules Plus. Except for the rules provided by Managed Rules Plus or CSC Managed Rules, user-defined rules are expected to follow a specific priority range. If the priority order does not meet this expectation, this message will be shown.
Please assign a priority of 0–99 or 1000 or higher to user-defined rules (including AWS Managed Rules), and 1000 or higher to CSC Managed Rules.
For more information about rule priorities, please refer to About rule priorities of Managed Rules Plus.
Please note that placing CSC Managed Rules at a priority of 1000 or higher takes precedence. Even if user-defined rules are not in the expected range, if CSC Managed Rules are placed below 1000, the message "The priority for CSC Managed Rules must be adjusted to 1000 or higher." will be displayed instead.
This message is displayed when CSC Managed Rules are not applied to the target web ACL. While Managed Rules Plus recommends using CSC Managed Rules together, they are not required unless needed for your environment.
However, if CSC Managed Rules are not configured, this message cannot be hidden.
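The priority ranges and message precedence described above can be checked before changing a web ACL. The following is an added example, not code from the product: the `kind` label on each rule and the sample rule names are constructed, and reporting "CSC Managed Rules Not Configured." alongside the custom-rule message is an assumption, since the page does not state how the two are ordered.

```python
# Added example: pre-flight check of web ACL rule priorities.
# "kind" is a constructed label for this sketch, not an AWS WAF attribute.

MSG_CSC_PRIORITY = "The priority for CSC Managed Rules must be adjusted to 1000 or higher."
MSG_CUSTOM_RANGE = "Your custom rules need to be adjusted to the 0-99 or 1000+ range."
MSG_CSC_MISSING = "CSC Managed Rules Not Configured."
MSG_VERIFIED = "Verified"


def in_user_range(priority):
    """User-defined rules (AWS Managed Rules included) belong in 0-99 or 1000+."""
    return 0 <= priority <= 99 or priority >= 1000


def check_priorities(rules):
    """Return (messages, offending_rule_names) for a list of rule dicts.

    Each rule has "name", "priority" and "kind"; kind is "csc" (CSC Managed
    Rules), "mrplus" (rules applied by Managed Rules Plus) or "user".
    """
    csc = [r for r in rules if r["kind"] == "csc"]
    user = [r for r in rules if r["kind"] == "user"]

    low_csc = [r["name"] for r in csc if r["priority"] < 1000]
    if low_csc:
        # Stated on the page: this message replaces the custom-rule message.
        return [MSG_CSC_PRIORITY], low_csc

    messages, offenders = [], []
    if not csc:
        # Assumption: reported together with any custom-rule finding.
        messages.append(MSG_CSC_MISSING)
    bad_user = [r["name"] for r in user if not in_user_range(r["priority"])]
    if bad_user:
        messages.append(MSG_CUSTOM_RANGE)
        offenders = bad_user
    return (messages or [MSG_VERIFIED]), offenders


# Constructed sample rule list for one web ACL.
SAMPLE_RULES = [
    {"name": "allow-office-ip", "priority": 10, "kind": "user"},
    {"name": "rate-limit-login", "priority": 150, "kind": "user"},
    {"name": "AWSManagedRulesCommonRuleSet", "priority": 1010, "kind": "user"},
    {"name": "csc-managed-rules", "priority": 1000, "kind": "csc"},
]

if __name__ == "__main__":
    print(check_priorities(SAMPLE_RULES))
```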
The "Undefined error" message indicates that none of the above errors apply, or that an unexpected system error has occurred, such as when WAF logs are not being directly output to an S3 bucket.
In Managed Rules Plus, this error may also appear under the [CSC MR Configuration] tab if the `AWSWAFFullAccess` permission is missing.
You may be able to resolve the issue by clicking the [Validate], [Reapply], or [Change Rule Priority] button to trigger revalidation. If the issue persists after multiple attempts, please contact our support team with the information listed below so we can investigate further.