Resource State and resolving errors

Table of Contents

  1. Introduction
  2. What is Resource State?
  3. Resource State placements and messages
  4. Invalid credential
  5. Insufficient permissions
  6. Resource not found
  7. Undefined error
  8. Conclusion

1. Introduction

We released the Credential Store feature on 03/23/2023 (JST).
Reference: About Credential Store

In this release, we have also updated the Web ACL Config and Web Site Config's resource validation system, and you can now revalidate and view the validation results from the WafCharm dashboard.

In this blog post, we will take a look at the overview of Resource State and how to solve an error.

2. What is Resource State?

We ask you to provide the access permissions using AssumeRole or access key/secret key so WafCharm can apply rules, etc.

We also revalidate the permissions because, if they are insufficient, WafCharm cannot apply rules.

Before this release, the validation results were either not visible or unclear, but now you can check the state of the given permissions using Resource State.

In addition, we have added a Validation button for you to check if WafCharm can continue to access your resource after adjusting the settings in the AWS management console.

3. Resource State placements and messages

For Web ACL Config, Resource State is shown below the other items.
The Validate button is available beside the Delete button at the top of the page.

For Web Site Config, Resource State is shown after the S3 Path.
The Validate button is placed in the same position as in Web ACL Config.

Messages shown for Resource State are as below.

| Validation Results | Description |
| --- | --- |
| Unknown | Resource validation has not been completed. |
| Validated | Resource validation was successful.* |
| Invalid credential | Credentials, such as the access key or AssumeRole-related information, are invalid. |
| Insufficient permissions | Permissions are insufficient. Check the configurations like IAM policies. |
| XXX not found | The specified resource is not found. |
| Undefined error | Errors that are not defined above. |

*For Web ACL Config, Validated only means that WafCharm can access your resources. The result does not indicate that the WafCharm rules were applied correctly.

*For Web Site Config, Validated indicates that the S3 bucket is accessible. It does not indicate that WafCharm can obtain access logs from the specified S3 Path.

In the following sections, we will take a look at the causes and solutions of each error message.

4. Invalid credential

Invalid credential means that the information registered in the Credential Store is incorrect.

In the case of AssumeRole, an incorrect ARN or a mistake in the trust policy could result in this error.

For the access key/secret key, the values of the keys could be incorrect.

In either case, ensure that the information registered in the Credential Store matches the information in the AWS management console.

5. Insufficient permissions

Insufficient permissions means that the permissions granted in the IAM policy are insufficient.

We ask that you give us "AWSWAFFullAccess," "AmazonS3ReadOnlyAccess," and "CloudWatchReadOnlyAccess" to use WafCharm.
*We recommend limiting the resources for S3 bucket permissions ("AmazonS3ReadOnlyAccess"). Refer to the blog post IAM policies required to use WafCharm for more details.

We recommend using "AWSWAFFullAccess" for AWS WAF, because permissions could become insufficient with feature releases and updates. If you are concerned about giving permissions, consider using AssumeRole, which is a more secure way to authenticate.

Additionally, please use "*" for the Resource of AWS WAF policy.
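
A pre-flight lint for the resource-scoping guidance in this section (AWS WAF statements need Resource "*", S3 access should be read-only and limited to the log bucket), as an added example that is not WafCharm's own code. The function name `lint_policy`, the finding texts, and the sample policies (account ID, Web ACL and bucket names) are assumptions made for illustration.

```python
import json

# Action namespaces for AWS WAF Classic (global/regional) and WAFv2.
WAF_PREFIXES = ("waf:", "waf-regional:", "wafv2:")
S3_READ_PREFIXES = ("s3:get", "s3:list", "s3:describe")

def _as_list(value):
    """IAM accepts either one string/object or a list for these fields."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def lint_policy(policy_json):
    """Return (statement id, finding) pairs for one identity-based policy."""
    findings = []
    statements = _as_list(json.loads(policy_json).get("Statement"))
    for i, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", f"statement[{i}]")
        actions = [a.lower() for a in _as_list(stmt.get("Action"))]
        resources = _as_list(stmt.get("Resource"))
        if any(a.startswith(WAF_PREFIXES) for a in actions) and "*" not in resources:
            findings.append((sid, 'AWS WAF actions need Resource "*"'))
        s3_actions = [a for a in actions if a.startswith("s3:")]
        if s3_actions and any(r in ("*", "arn:aws:s3:::*") for r in resources):
            findings.append((sid, "S3 access covers every bucket"))
        if any(not a.startswith(S3_READ_PREFIXES) for a in s3_actions):
            findings.append((sid, "S3 action is not read-only"))
    return findings

# Constructed sample policies; account ID, Web ACL and bucket names are made up.
RISKY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "Waf", "Effect": "Allow", "Action": "wafv2:*",
     "Resource": "arn:aws:wafv2:us-east-1:111122223333:regional/webacl/example/EXAMPLE-ID"},
    {"Sid": "Logs", "Effect": "Allow", "Action": ["s3:Get*", "s3:List*"], "Resource": "*"},
]})
SCOPED = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "Waf", "Effect": "Allow", "Action": ["waf:*", "waf-regional:*", "wafv2:*"],
     "Resource": "*"},
    {"Sid": "Logs", "Effect": "Allow", "Action": ["s3:Get*", "s3:List*"],
     "Resource": ["arn:aws:s3:::example-waf-logs", "arn:aws:s3:::example-waf-logs/*"]},
]})

if __name__ == "__main__":
    for name, doc in (("RISKY", RISKY), ("SCOPED", SCOPED)):
        print(name, lint_policy(doc))
```

Run it against the policy attached to the role or user registered in the Credential Store before pressing the Validate button; an empty result means the policy follows both scoping rules checked here.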

6. Resource not found

XXX not found messages indicate that the specified resources cannot be found.

In the case of Web ACL Config, XXX will be replaced with Web ACL.
For example, the error is returned when the region specified in the Web ACL Config is not the same as the region the Web ACL is actually created in or when the Web ACL ID entered in the initial creation is incorrect.

For Web Site Config, XXX can be replaced with an S3 bucket or access log.

When the specified S3 Path is incorrect, the error S3 bucket not found is returned.
When access logs cannot be found, the access logs may not be available yet. Check the validation results again after you've accessed your website/web service and the logs are created.

7. Undefined error

An undefined error indicates that the returned error did not match any of the above or was unexpected.

Revalidation may solve the issue.
If the undefined error cannot be resolved even after revalidating multiple times, please contact the support team for investigation with the information below.

  • Web ACL Name
  • Web Site Config

Note
If your S3 buckets are in specific regions*, Resource State in Web Site Config may show an unexpected error. In that case, please contact the WafCharm support team with the name of the region you’ve selected.
*The specific regions refer to opt-in regions that are unavailable in the AWS console by default. Please see the list of non-default regions for more details.

8. Conclusion

With this Credential Store release, validation results are easier to understand.

Previously, you could accidentally take away the given permission when adjusting configurations in the AWS management console. Now, you can revalidate the credentials using the Validate button by yourself and fix the issue.

We hope the new features can benefit you when checking the configurations in WafCharm and AWS.