


 Resolution
-----------



Follow these troubleshooting steps for your scenario.


**Important:** Before you begin, make sure that you have access logging enabled for your Application Load Balancer. For instructions, see [Enable access logging](https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-access-logs.html#enable-access-logging).



###  An AWS WAF web access control list (web ACL) is configured to monitor requests to your Application Load Balancer and it blocked a request.



The load balancer sends HTTP errors to access logs and increments the [HTTPCode\_ELB\_4XX\_Count](https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-troubleshooting.html#load-balancer-http-error-codes) metric similar to the following:





```plaintext
elb_status_code = 403
target_status_code = -
actions_executed = waf
```



This means that the load balancer forwarded the request to AWS WAF to determine whether the request should be forwarded to the target. Then, AWS WAF determined that the request should be rejected. To diagnose the rule configuration, review the AWS WAF logs. For more information, see [Managing logging for a web ACL](https://docs.aws.amazon.com/waf/latest/developerguide/logging-management.html).



###  The Application Load Balancer might have a rule configured with a fixed-response action to provide an HTTP 403 response.



Check the access logs for a [fixed-response](https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-access-logs.html#actions-taken) action similar to the following:





```plaintext
elb_status_code = 403
target_status_code = -
actions_executed = fixed-response
```



This log indicates that the rule configuration has a fixed-response action to provide an HTTP 403 error.



###  The target responded with an HTTP 403 error and the Application Load Balancer is forwarding this response to the client.



Check the access logs for 403 entries for values similar to the following:





```plaintext
elb_status_code = 403
target_status_code = 403
```



If the **target\_status\_code** and **elb\_status\_code** values match, then the target application sent the HTTP 403 response. To determine why the target application generated the HTTP 403 forbidden error, check with your application vendor. You can also use the **X-Amzn-Trace-Id** header to trace requests through the Application Load Balancer. For more information, see [How do I trace an Application Load Balancer request using X-Amzn-Trace-Id?](https://repost.aws/knowledge-center/trace-elb-x-amzn-trace-id)





---




 Related information
--------------------



[Troubleshoot your Application Load Balancers](https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-troubleshooting.html)


[HTTP 403: Forbidden](https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-troubleshooting.html#http-403-issues)







My Application Load Balancer is returning HTTP 403 forbidden errors. How can I troubleshoot this?

Troubleshoot Application Load Balancer HTTP 403 forbidden errors

How do I troubleshoot Application Load Balancer HTTP 403 forbidden errors?

Networking & Content Delivery

How do I troubleshoot Application Load Balancer HTTP 403 forbidden errors?

Resolution

An AWS WAF web access control list (web ACL) is configured to monitor requests to your Application Load Balancer and it blocked a request.

The Application Load Balancer might have a rule configured with a fixed-response action to provide an HTTP 403 response.

The target responded with an HTTP 403 error and the Application Load Balancer is forwarding this response to the client.

Related information

Relevant content