Possible causes for failing to get access logs in WafCharm for AWS

Table of Contents

  1. Introduction
  2. Access Denied errors due to S3 setting
  3. Denial by IAM
  4. Conclusion

1. Introduction

To use WafCharm for AWS, you need to configure your environment so that WafCharm can retrieve your access logs.
We occasionally get questions from users who followed the IAM and S3 setup procedure but still find that their access logs are not delivered to WafCharm.
This post explains some of the possible causes of the problems you might encounter.

If you have checked the IAM permissions and the S3 path and still cannot find a misconfiguration, refer to the information below.

2. Access Denied errors due to S3 setting

For the S3 side, the official troubleshooting information for the Access Denied error is linked below.

How do I troubleshoot 403 Access Denied errors from Amazon S3?

If the S3 setting is causing the trouble, these are the key points to check:

  • Amazon S3 Block Public Access settings
  • Amazon S3 access point's IAM policy
  • AWS KMS encryption configuration
  • Request-payer parameter if you're using Requester Pays

Check whether any of these settings are enabled and, if so, whether the permissions they impose are what is producing the Access Denied error.

For example, in a past inquiry about this issue we found that the AWS KMS encryption configuration was the cause. When the user accessed S3 from the CLI with the credentials entered in the WafCharm dashboard, they could list the objects in the bucket (s3:ListBucket) but could not read them (GetObject failed). Listing an SSE-KMS encrypted bucket never touches the key, but reading an object does: S3 has to call kms:Decrypt on the caller's behalf, so the caller also needs that permission on the key.
The issue was solved by adding the IAM user to the KMS key policy so that it is allowed kms:Decrypt on that key.

3. Denial by IAM

IAM permissions can come from several kinds of policy, and an explicit deny in any one of them results in an Access Denied error even when another policy allows the action.

Determining whether a request is allowed or denied within an account

The chart in the official AWS document above is helpful.

Ensure that there is no explicit deny in any of the policies below:

  • Organizations SCPs
  • Resource-based policies
  • IAM permissions boundaries
  • Session policies
  • Identity-based policies (the user and role policies generally thought of as "IAM")
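The evaluation order from the chart above, and the KMS case from section 2, can be checked against concrete policy documents. The following Python is an added example, not WafCharm's or AWS's own code: a simplified evaluator that follows the chart's order (explicit deny anywhere, then SCPs, then the resource-based policy, then the identity-based policy, permissions boundary and session policy) and runs it over constructed sample policies. The account ID, user names, bucket, key ARN and policy contents are invented; conditions, NotAction/NotResource, cross-account requests and the key-policy statement that delegates to IAM ("Enable IAM User Permissions") are not modelled.

```python
import fnmatch

# Policy types in the order the AWS decision chart evaluates them. An empty
# list means no policy of that type is in force (no SCP, no boundary set).
POLICY_TYPES = ("scp", "resource", "boundary", "session", "identity")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value, fold_case=False):
    # Action names are case-insensitive, resource ARNs are not; "*" and "?"
    # wildcards apply to both. NotAction/NotResource are not modelled.
    pats = [p.lower() for p in _as_list(patterns)] if fold_case else _as_list(patterns)
    value = value.lower() if fold_case else value
    return any(fnmatch.fnmatchcase(value, p) for p in pats)


def _principal_matches(statement, principal_arn):
    # Only resource-based policies (bucket policy, KMS key policy) name a
    # Principal; identity-based policies apply to whoever they are attached to.
    principal = statement.get("Principal")
    if principal is None or principal == "*":
        return True
    aws = _as_list(principal.get("AWS", []))
    return "*" in aws or principal_arn in aws


def _effects(policy, action, resource, principal_arn):
    """Yield the Effect of every statement that matches the request."""
    for st in _as_list(policy["Statement"]):
        if (_principal_matches(st, principal_arn)
                and _matches(st.get("Action", []), action, fold_case=True)
                and _matches(st.get("Resource", "*"), resource)):
            yield st["Effect"]


def evaluate(action, resource, principal_arn, policies):
    """Return (decision, reason); policies is {policy_type: [policy_doc, ...]}."""
    found = {t: set() for t in POLICY_TYPES}
    for ptype in POLICY_TYPES:
        for doc in policies.get(ptype, []):
            found[ptype].update(_effects(doc, action, resource, principal_arn))
    # 1. An explicit Deny in any policy type ends the evaluation.
    for ptype in POLICY_TYPES:
        if "Deny" in found[ptype]:
            return "Deny", f"explicit deny in {ptype} policy"
    # 2. If SCPs are in force, at least one of them must allow the action.
    if policies.get("scp") and "Allow" not in found["scp"]:
        return "Deny", "no SCP allows the action"
    # 3. A same-account resource-based policy allow is sufficient on its own.
    if "Allow" in found["resource"]:
        return "Allow", "allowed by resource-based policy"
    # 4. Otherwise an identity-based allow is required, and any permissions
    #    boundary and session policy in force must allow it as well.
    if "Allow" not in found["identity"]:
        return "Deny", "implicit deny: no identity-based policy allows the action"
    if policies.get("boundary") and "Allow" not in found["boundary"]:
        return "Deny", "permissions boundary does not allow the action"
    if policies.get("session") and "Allow" not in found["session"]:
        return "Deny", "session policy does not allow the action"
    return "Allow", "allowed by identity-based policy"


# Constructed scenario (invented account, users, bucket and key): the IAM user
# whose credentials were entered in the WafCharm dashboard may list and read
# the log bucket, but the bucket is SSE-KMS encrypted and the key policy does
# not name that user.
ACCOUNT = "123456789012"
USER = f"arn:aws:iam::{ACCOUNT}:user/wafcharm-log-reader"
ADMIN = f"arn:aws:iam::{ACCOUNT}:user/admin"
BUCKET = "arn:aws:s3:::example-alb-logs"
LOG_OBJECT = BUCKET + "/AWSLogs/2024/01/01/alb.log.gz"
KEY = f"arn:aws:kms:ap-northeast-1:{ACCOUNT}:key/11111111-2222-3333-4444-555555555555"
IDENTITY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:ListBucket", "Resource": BUCKET},
    {"Effect": "Allow", "Action": "s3:GetObject", "Resource": BUCKET + "/*"}]}


def key_policy(principals):
    """KMS key policy granting decrypt to the given principal ARN(s)."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": {"AWS": principals},
         "Action": ["kms:Decrypt", "kms:DescribeKey"], "Resource": "*"}]}


def log_fetch_check(policies):
    """Decisions for the three actions a fetch from an SSE-KMS bucket needs."""
    return {"s3:ListBucket": evaluate("s3:ListBucket", BUCKET, USER, policies)[0],
            "s3:GetObject": evaluate("s3:GetObject", LOG_OBJECT, USER, policies)[0],
            "kms:Decrypt": evaluate("kms:Decrypt", KEY, USER, policies)[0]}


BEFORE = {"identity": [IDENTITY_POLICY], "resource": [key_policy(ADMIN)]}
AFTER = {"identity": [IDENTITY_POLICY], "resource": [key_policy([ADMIN, USER])]}
# Section 3 case: an SCP explicit deny on the log objects overrides every allow.
SCP_DENY = dict(AFTER, scp=[{"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Deny", "Action": "s3:GetObject", "Resource": BUCKET + "/*"}]}])

if __name__ == "__main__":
    for name, pol in (("before", BEFORE), ("after", AFTER), ("scp deny", SCP_DENY)):
        print(f"{name:9s} {log_fetch_check(pol)}")
```

In the "before" scenario the listing and the read are both allowed by the identity policy, yet kms:Decrypt is implicitly denied because nothing grants it to the user, which is exactly the symptom from section 2 (listing works, GetObject fails). Adding the user to the key policy turns kms:Decrypt into an Allow. In the "scp deny" scenario the same user is denied s3:GetObject even though the identity policy allows it, because the explicit deny in the SCP is checked first.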

4. Conclusion

In this blog, we looked at troubleshooting tips for the S3 and IAM settings. When WafCharm fails to transfer access logs, one of the misconfigurations below is usually present:

  • Information entered incorrectly during setup
  • Required information not provided (for example, incorrect IAM information)

If you have checked the settings but still cannot find the cause, refer to the tips in this blog.