I understand you're experiencing issues with AWS CloudFront blocking access to various websites for your customers, resulting in "403 Forbidden" errors. This situation is likely related to AWS WAF (Web Application Firewall) protections applied to the CloudFront distributions serving these websites. Here's some information that might help explain the situation and potential steps for resolution:
- AWS WAF Integration: CloudFront can be integrated with AWS WAF to protect web applications from common web exploits and control access to content. This includes the ability to block requests based on IP addresses or ranges.
- IP-based Blocking: It's possible that the IP range associated with your data center has been added to a block list in the AWS WAF rules protecting these CloudFront distributions. This could be due to detected malicious activity from IPs within your range, or as a precautionary measure by the website owners.
- Common Protections: AWS WAF often includes protections against potential threats based on Amazon's internal threat intelligence, defenses against common web vulnerabilities (like those in the OWASP Top 10), and measures to prevent malicious actors from discovering application vulnerabilities.
- Resolution Steps:
  - As you're not the direct AWS customer, you'll need to work with the owners of the websites your customers are trying to access.
  - Encourage these website owners to review their AWS WAF rules and CloudFront security settings.
  - They should check if there are any IP-based rules that might be inadvertently blocking your data center's IP range.
  - If legitimate traffic is being blocked, they may need to adjust their rules to allow access from your IP range while maintaining protection against actual threats.
- Ongoing Monitoring: Even after resolving the current issue, it's important to maintain good security practices in your network to prevent future blocks. Ensure that no malicious traffic is originating from your IP range, as this could lead to future blocks.

Remember, the website owners have the control over their CloudFront and WAF settings, so cooperation with them will be crucial in resolving this issue. If the problem persists after working with the website owners, they may need to contact AWS Support for further assistance in fine-tuning their security settings.

Sources:
- Use AWS WAF protections - Amazon CloudFront
- Data protection in Amazon CloudFront - Amazon CloudFront
- Introducing CloudFront Security Dashboard, a Unified CDN and Security Experience | Networking & Content Delivery
It most likely means your IPs have been added on one of the managed IP lists, which a large fraction of WAF users is using to block access from sources with obvious bad intentions, or from data centre networks in cases where the site is meant for corporate end users or other limited groups known not to be making requests from known data centre locations: https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-ip-rep.html
The contents of the lists AWS uses aren't public, but you could quickly check how your IP is classified by well-known IP reputation and geolocation providers that show some information they have for your IP for free:
If they're classifying your IPs as an anonymiser, proxy, or VPN network, for example, that could be indirectly indicative of how AWS might also have classified your network.
Hi Leo,
Thank you so much!
I've just run the tests, and it looks like there's an issue with the "Match: HostingProviderIPList." Do you know how I can fix it?
Okay, that's surprising. The HostingProviderIPList documented in the earlier links contains known data centre and hosting provider IPs, which doesn't imply that your network would have a bad reputation. It only indicates that your network is a hosting provider network, which some sites block as an unlikely origin of end user traffic.
If the target sites are blocking hosting provider networks intentionally, the only options would be to ask them to reconsider or allow-list your IPs, or to obtain new IP ranges and ASN dedicated to providing connectivity to end users and not using them to host servers or data centre workloads. AWS won't be able to help, because your IPs are correctly classified in the managed IP set.
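For the site owner's side of the allow-listing decision discussed above, here is an added example (not code from this thread or from AWS): a small parser over AWS WAF log records that reports which rule of the AWSManagedRulesAnonymousIpList rule group blocked each client IP, so that an IP hit only by HostingProviderIPList (data-centre origin) can be separated from one hit by AnonymousIPList (proxy/VPN/anonymiser) before anyone is added to an allow list. The log records and IP addresses are constructed samples; the field names follow the AWS WAF logging schema.

```python
import json
from collections import Counter, defaultdict

# Label prefix AWS WAF attaches for rules of the Anonymous IP managed rule group.
ANON_LABEL_PREFIX = "awswaf:managed:aws:anonymous-ip-list:"

# Constructed sample WAF log records (not real traffic). Only the fields the
# parser reads are included: action, terminatingRuleId, httpRequest, labels.
SAMPLE_LOGS = [
    json.dumps({"timestamp": 1, "action": "BLOCK",
                "terminatingRuleId": "AWS-AWSManagedRulesAnonymousIpList",
                "httpRequest": {"clientIp": "203.0.113.10", "uri": "/"},
                "labels": [{"name": ANON_LABEL_PREFIX + "HostingProviderIPList"}]}),
    json.dumps({"timestamp": 2, "action": "BLOCK",
                "terminatingRuleId": "AWS-AWSManagedRulesAnonymousIpList",
                "httpRequest": {"clientIp": "203.0.113.11", "uri": "/login"},
                "labels": [{"name": ANON_LABEL_PREFIX + "AnonymousIPList"}]}),
    json.dumps({"timestamp": 3, "action": "ALLOW",
                "terminatingRuleId": "Default_Action",
                "httpRequest": {"clientIp": "198.51.100.5", "uri": "/"},
                "labels": []}),
]


def ip_reputation_blocks(log_lines):
    """Map each blocked client IP to a Counter of the Anonymous IP rules that fired."""
    hits = defaultdict(Counter)
    for line in log_lines:
        rec = json.loads(line)
        if rec.get("action") != "BLOCK":
            continue  # only blocked requests matter for allow-list review
        client_ip = rec["httpRequest"]["clientIp"]
        for label in rec.get("labels", []):
            name = label.get("name", "")
            if name.startswith(ANON_LABEL_PREFIX):
                hits[client_ip][name[len(ANON_LABEL_PREFIX):]] += 1
    return hits


def allow_list_candidates(hits):
    """IPs blocked solely by HostingProviderIPList: that list marks data-centre
    origin, not bad reputation, so these are the ones worth reviewing."""
    return sorted(ip for ip, rules in hits.items()
                  if set(rules) == {"HostingProviderIPList"})


if __name__ == "__main__":
    blocks = ip_reputation_blocks(SAMPLE_LOGS)
    for ip, rules in blocks.items():
        print(ip, dict(rules))
    print("review for allow-listing:", allow_list_candidates(blocks))
```

Feed it the records from the web ACL's logging destination (each line one JSON object) and review the candidates against the customer's declared ranges before creating an allow rule with a higher priority than the managed rule group.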
Hi Leo,
Thank you so much for your help.
You’re right - AWS is treating our CIDR blocks as a hosting provider, which is why the rule is matching and blocking the traffic. We'll reach out to AWS Enterprise Support to address this issue, and I'll get back to you once it's resolved.
Kind regards,
Walber
Thank you for your assistance.
We have just looked up our IP addresses on these websites, and they are classified as "hosting." We would like AWS to advise us on what we need to address, as our access is legitimate.
Kind regards,
Walber
@Walber I set up a test CloudFront distribution that'll check if you're on one of the five standard AWS-provided IP lists and if so, tells you which one is the first to match in the order the documentation page lists them, or a geo-match or "No IP list was matched" if none of them matched: https://deb7j5mx9nudh.cloudfront.net/