I want to troubleshoot HTTP 403 forbidden errors that my Application Load Balancer returns.
Resolution
Complete the resolution method that fits your use case.
Important: Before you begin, make sure that you turn on access logging for your Application Load Balancer. For instructions, see Enable access logs for your Application Load Balancer. Note that errors that occur before the access logs are turned on aren't recorded.
An AWS WAF web access control list (web ACL) is configured to monitor requests to your Application Load Balancer and it blocked a request.
The load balancer records HTTP error information in access logs and then increments the HTTPCode_ELB_4XX_Count metric. Check access logs for an AWS WAF action similar to the following:
elb_status_code = 403
target_status_code = -
actions_executed = waf
This means that the load balancer forwarded the request to AWS WAF to determine whether to forward the request to the target, and AWS WAF rejected the request. To diagnose the rule configuration, review the AWS WAF logs. For more information, see Web ACL logging configuration.
The Application Load Balancer has a rule configured with a fixed-response action to provide an HTTP 403 response.
Check the access logs for a fixed-response action similar to the following:
elb_status_code = 403
target_status_code = -
actions_executed = fixed-response
This log shows that a rule configured with the fixed-response action returned the HTTP 403 error.
The target responded with an HTTP 403 error and the Application Load Balancer is forwarding this response to the client.
Check the 403 entries in the access logs for values similar to the following:
elb_status_code = 403
target_status_code = 403
If the target_status_code and elb_status_code values match, then the target application sent the HTTP 403 response. To determine why the target application generated the HTTP 403 forbidden error, check with your application vendor. To trace requests through the Application Load Balancer, use the X-Amzn-Trace-Id header. For more information, see How do I use X-Amzn-Trace-Id to trace an Application Load Balancer request?
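The three checks above can be run over a whole access log at once. The following is an added example, not AWS code: it classifies each 403 entry by elb_status_code, target_status_code and actions_executed, and returns the entry's trace ID for follow-up. The function names and sample entries are constructed for illustration, and the field positions assume the documented Application Load Balancer access log field order.

```python
import shlex
from collections import Counter

# Zero-based positions of the fields used, per the ALB access log field order.
ELB_STATUS, TARGET_STATUS, TRACE_ID, ACTIONS = 8, 9, 17, 22

# Constructed template for sample entries; every value in it is made up.
_ENTRY = ('https 2024-01-01T00:00:00.000000Z app/example-alb/0123456789abcdef '
          '192.0.2.10:40000 {target} -1 -1 -1 {elb} {tgt} 120 250 '
          '"GET https://example.com:443/admin HTTP/1.1" "curl/8.0" - - - '
          '"Root=1-00000000-{n:024d}" "example.com" "-" 0 '
          '2024-01-01T00:00:00.000000Z "{actions}" "-" "-"')

def sample(n, elb, tgt, actions):
    target = "-" if tgt == "-" else "10.0.0.5:80"
    return _ENTRY.format(n=n, elb=elb, tgt=tgt, actions=actions, target=target)

SAMPLE_LOG = [sample(1, 403, "-", "waf"), sample(2, 403, "-", "fixed-response"),
              sample(3, 403, "403", "waf,forward"), sample(4, 200, "200", "forward")]

def classify_403(line):
    """Return (cause, trace_id) for a 403 entry, or None for anything else."""
    try:
        f = shlex.split(line)  # keeps double-quoted fields as single tokens
    except ValueError:         # unbalanced quotes: not a parseable entry
        return None
    if len(f) <= ACTIONS or f[ELB_STATUS] != "403":
        return None
    actions = f[ACTIONS].split(",")  # comma-separated, in execution order
    if f[TARGET_STATUS] == "403":
        cause = "target"
    elif f[TARGET_STATUS] == "-" and "fixed-response" in actions:
        cause = "fixed-response rule"
    elif f[TARGET_STATUS] == "-" and actions[-1] == "waf":
        cause = "AWS WAF"
    else:
        cause = "unclassified"
    return cause, f[TRACE_ID]

def summarize(lines):
    """Count the cause of every 403 entry in an iterable of log lines."""
    results = (classify_403(line) for line in lines)
    return dict(Counter(r[0] for r in results if r))

if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        print(classify_403(entry))
    print(summarize(SAMPLE_LOG))
```

Entries reported as "unclassified" are 403 responses that match none of the three patterns on this page and need manual review.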
Related information
Troubleshoot your Application Load Balancers
HTTP 403: Forbidden