
Logging Rule for AWS WAFv2 Web ACLs

This rule ensures logging is enabled on AWS WAFv2 regional and global web access control lists.

Rule: Logging should be enabled on AWS WAFv2 regional and global web access control lists (ACLs)
Framework: CISA-cyber-essentials
Severity: Low

Rule Description

This rule, which maps to the CISA-cyber-essentials framework, requires that logging be enabled on AWS WAFv2 regional and global web access control lists (ACLs). Enabling logging lets security teams monitor and analyze web traffic so that they can detect and respond to potential security threats.

Troubleshooting

If logging is not enabled on the specified web access control lists, follow the troubleshooting steps below:

  1. Verify AWS WAFv2 ACL: Ensure that the AWS WAFv2 ACL in question is properly configured and associated with the desired resources (e.g., Amazon API Gateway, Application Load Balancer, etc.).
  2. Check Logging Configuration: Confirm whether logging is already enabled. If it is not, proceed with the remediation steps below.

Remediation Steps

To enable logging on AWS WAFv2 regional and global web access control lists, follow the step-by-step guide below:

Step 1: Access AWS WAFv2 Console

  1. Sign in to the AWS Management Console.
  2. Open the AWS WAFv2 console.

Step 2: Select Web ACL

  1. In the AWS WAFv2 console, navigate to the "Web ACLs" tab.
  2. Select the desired web access control list (ACL) where logging needs to be enabled.

Step 3: Enable Logging

  1. In the selected web ACL configuration, click on the "Logging and monitoring" tab.
  2. Under the "Logs" section, click on the "Create Log Destination" button.
  3. Provide a suitable name for the log destination.
  4. Choose the desired logging storage location, such as Amazon Kinesis Data Firehose or Amazon CloudWatch Logs.
  5. Configure the log format as per your organization's requirements.
  6. Choose the appropriate IAM role or create a new one with the necessary permissions for logging.
  7. Click on the "Create" button to enable logging.

Step 4: Configure Logging Data

  1. After creating the log destination, specify the desired settings for logging:
    • Log sample rate: Determine the percentage of requests to include in the logs.
    • Redacted fields: Select the fields to be redacted from the logs to avoid mishandling sensitive data.
    • Logging filters: Set up logging filters based on specific criteria (optional).
    • Custom request/response headers: Include or exclude specific headers from the logging.
  2. Click on the "Save" button to apply the logging configuration.

Step 5: Verify Logging

  1. Once logging is enabled, wait for a sufficient time to gather some logging data.
  2. Validate that the logs are being generated and stored in the chosen logging storage location (e.g., CloudWatch Logs or Kinesis Data Firehose).
  3. Analyze the logged data to ensure it captures the desired information and aligns with your organization's security requirements.
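The troubleshooting check ("is logging configured on this ACL?") and the remediation (attach a log destination with redaction and filtering) can also be performed against the WAFv2 API, which is how a compliance rule like this one is normally evaluated at scale. The script below is an added example, not code from the original page or from a Cloud Defense tool. It assumes boto3 and an AWS principal allowed to call wafv2:ListWebACLs, wafv2:GetLoggingConfiguration and wafv2:PutLoggingConfiguration; the account id, ACL names and destination ARNs in its sample data are constructed. It goes beyond the console steps above by auditing every web ACL in both the REGIONAL and CLOUDFRONT scopes and by expressing the Step 4 redaction and filter settings as API parameters.

```python
"""Audit/remediation helpers for the AWS WAFv2 web ACL logging rule.
Pure functions take dicts shaped like boto3 'wafv2' responses so the check runs
offline; fetch_live() needs boto3 plus credentials allowed to call
wafv2:ListWebACLs and wafv2:GetLoggingConfiguration.
"""
from typing import Dict, List, Optional

SCOPES = ("REGIONAL", "CLOUDFRONT")  # CLOUDFRONT (global) is served from us-east-1 only
WAF_LOG_PREFIX = "aws-waf-logs-"      # WAFv2 requires every log destination name to start with this


def destination_name_is_valid(destination_arn: str) -> bool:
    """Naming rule WAFv2 enforces on log group / S3 bucket / Firehose stream ARNs."""
    # resource name is after the last ':' (log group, bucket) or last '/' (Firehose stream)
    resource = destination_arn.rsplit(":", 1)[-1].rsplit("/", 1)[-1]
    return resource.startswith(WAF_LOG_PREFIX)


def evaluate_web_acl(web_acl: Dict, logging_config: Optional[Dict]) -> Dict:
    """PASS if the ACL has at least one log destination, else FAIL.

    web_acl is one entry of list_web_acls()["WebACLs"]; logging_config is
    get_logging_configuration()["LoggingConfiguration"], or None when the API
    raised WAFNonexistentItemException (no logging configured).
    """
    destinations = list((logging_config or {}).get("LogDestinationConfigs", []))
    return {"name": web_acl["Name"], "arn": web_acl["ARN"],
            "status": "PASS" if destinations else "FAIL", "destinations": destinations}


def audit(acls_by_scope: Dict[str, List[Dict]],
          configs_by_arn: Dict[str, Optional[Dict]]) -> List[Dict]:
    """One finding per web ACL across all scopes."""
    findings = []
    for scope, acls in acls_by_scope.items():
        for acl in acls:
            finding = evaluate_web_acl(acl, configs_by_arn.get(acl["ARN"]))
            finding["scope"] = scope
            findings.append(finding)
    return findings


def build_logging_configuration(web_acl_arn: str, destination_arn: str,
                                redact_headers=("authorization", "cookie"),
                                keep_only_block_and_count: bool = False) -> Dict:
    """LoggingConfiguration argument for put_logging_configuration.

    Redacting credential-bearing headers keeps secrets out of the log store; the
    optional LoggingFilter records only requests WAF blocked or counted.
    """
    if not destination_name_is_valid(destination_arn):
        raise ValueError(f"destination name must start with {WAF_LOG_PREFIX!r}: {destination_arn}")
    config = {"ResourceArn": web_acl_arn,
              "LogDestinationConfigs": [destination_arn],
              "RedactedFields": [{"SingleHeader": {"Name": h}} for h in redact_headers]}
    if keep_only_block_and_count:
        config["LoggingFilter"] = {
            "DefaultBehavior": "DROP",
            "Filters": [{"Behavior": "KEEP", "Requirement": "MEETS_ANY",
                         "Conditions": [{"ActionCondition": {"Action": "BLOCK"}},
                                        {"ActionCondition": {"Action": "COUNT"}}]}]}
    return config


def fetch_live(region: str = "us-east-1"):
    """Collect every web ACL and its logging configuration from the AWS API."""
    import boto3  # imported here so the offline helpers work without boto3
    acls_by_scope, configs_by_arn = {}, {}
    for scope in SCOPES:
        client = boto3.client("wafv2", region_name="us-east-1" if scope == "CLOUDFRONT" else region)
        acls, marker = [], None
        while True:  # list_web_acls pages with NextMarker
            page = client.list_web_acls(Scope=scope, **({"NextMarker": marker} if marker else {}))
            acls.extend(page["WebACLs"])
            marker = page.get("NextMarker")
            if not marker:
                break
        acls_by_scope[scope] = acls
        for acl in acls:
            try:
                configs_by_arn[acl["ARN"]] = client.get_logging_configuration(
                    ResourceArn=acl["ARN"])["LoggingConfiguration"]
            except client.exceptions.WAFNonexistentItemException:
                configs_by_arn[acl["ARN"]] = None
    return acls_by_scope, configs_by_arn


# Constructed sample data shaped like the boto3 responses (fictitious account 123456789012).
_ACCT = "arn:aws:wafv2:us-east-1:123456789012:"
SAMPLE_ACLS = {
    "REGIONAL": [{"Name": "api-acl", "Id": "1111", "ARN": _ACCT + "regional/webacl/api-acl/1111"},
                 {"Name": "alb-acl", "Id": "2222", "ARN": _ACCT + "regional/webacl/alb-acl/2222"}],
    "CLOUDFRONT": [{"Name": "cdn-acl", "Id": "3333", "ARN": _ACCT + "global/webacl/cdn-acl/3333"}],
}
SAMPLE_CONFIGS = {
    _ACCT + "regional/webacl/api-acl/1111": {
        "ResourceArn": _ACCT + "regional/webacl/api-acl/1111",
        "LogDestinationConfigs": ["arn:aws:logs:us-east-1:123456789012:log-group:aws-waf-logs-api"],
        "RedactedFields": []},
    _ACCT + "regional/webacl/alb-acl/2222": None,  # API reported no logging configuration
    # cdn-acl has no entry at all: also treated as FAIL
}

if __name__ == "__main__":
    for f in audit(SAMPLE_ACLS, SAMPLE_CONFIGS):
        print(f"{f['status']:4} {f['scope']:10} {f['name']:8} {f['destinations'] or '(no log destination)'}")
```

Against the sample data the audit reports api-acl as PASS and alb-acl and cdn-acl as FAIL. The remediation for a failing ACL is `put_logging_configuration(LoggingConfiguration=build_logging_configuration(acl_arn, destination_arn))` on a wafv2 client in the ACL's region (us-east-1 for a CloudFront ACL). WAFv2 rejects a destination whose name does not begin with aws-waf-logs-, so the script validates that before any API call rather than discovering it as an error after the fact.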

Additional Recommendations

Here are a few additional recommendations to enhance your logging and monitoring capabilities:

  • Regularly review the generated logs to detect any anomalies or suspicious activities.
  • Integrate AWS WAFv2 logging with a Security Information and Event Management (SIEM) system for centralized monitoring and analysis.
  • Implement automated alerting mechanisms whenever specific patterns or attack vectors are detected in the logs.
  • Periodically review and update the ACL configurations to account for any changes in the applications or security policies.
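To make the "automated alerting" recommendation concrete, the following is an added example (not from the original page) of a small detection pass over WAFv2 log records, which WAF delivers as one JSON object per line to CloudWatch Logs, S3 or Kinesis Data Firehose. It parses the records, counts blocks per terminating rule, flags clients with a burst of BLOCK actions inside a sliding window, and lists allowed requests that matched a COUNT-mode rule. The sample records are constructed to resemble the WAFv2 log format and use documentation IP ranges; the rule names, thresholds and window are illustrative assumptions.

```python
"""Detection pass over AWS WAFv2 log records (one JSON object per line).
The sample records are constructed to resemble the WAFv2 log format, not
captured from a real account; thresholds and the time window are illustrative.
"""
import json
from collections import Counter, defaultdict
from typing import Dict, Iterable, List, Tuple

WEB_ACL_ARN = "arn:aws:wafv2:us-east-1:123456789012:regional/webacl/api-acl/1111"  # fictitious


def _record(ts_ms: int, ip: str, action: str, rule_id: str, uri: str, counted=()) -> Dict:
    """Build one constructed WAFv2 log record with the fields the detections read."""
    return {
        "timestamp": ts_ms, "formatVersion": 1, "webaclId": WEB_ACL_ARN,
        "terminatingRuleId": rule_id, "action": action,
        "httpSourceName": "ALB", "httpSourceId": "app/api/abc123",
        "nonTerminatingMatchingRules": [{"ruleId": r, "action": "COUNT"} for r in counted],
        "httpRequest": {"clientIp": ip, "country": "US", "httpMethod": "GET", "uri": uri,
                        "headers": [{"name": "Host", "value": "api.example.test"}]},
    }


_T0 = 1_700_000_000_000  # epoch milliseconds, as WAF emits them
SAMPLE_LOG_LINES = [json.dumps(_record(*args)) for args in [
    # six BLOCKs from one client inside 30 seconds (the burst the detection targets)
    *[(_T0 + i * 5_000, "198.51.100.7", "BLOCK", "AWS-AWSManagedRulesSQLiRuleSet", "/login") for i in range(6)],
    (_T0 + 30_000, "203.0.113.9", "BLOCK", "rate-limit-rule", "/api/items"),
    (_T0 + 31_000, "203.0.113.5", "ALLOW", "Default_Action", "/"),
    # allowed, but a COUNT-mode rule matched: review before switching that rule to BLOCK
    (_T0 + 32_000, "203.0.113.5", "ALLOW", "Default_Action", "/search?q=1", ("AWS-AWSManagedRulesCommonRuleSet",)),
]] + ["this line is not JSON"]  # a malformed line must not abort the whole pass


def parse_records(lines: Iterable[str]) -> Tuple[List[Dict], int]:
    """Parse newline-delimited JSON, returning (records, number of malformed lines)."""
    records, malformed = [], 0
    for line in lines:
        if not line.strip():
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            malformed += 1
    return records, malformed


def blocked_by_rule(records: List[Dict]) -> Counter:
    """How often each terminating rule blocked a request."""
    return Counter(r["terminatingRuleId"] for r in records if r.get("action") == "BLOCK")


def noisy_clients(records: List[Dict], threshold: int = 5, window_ms: int = 60_000) -> Dict[str, int]:
    """Clients with at least `threshold` BLOCKs inside any `window_ms` sliding window."""
    stamps_by_ip = defaultdict(list)
    for r in records:
        if r.get("action") == "BLOCK":
            stamps_by_ip[r["httpRequest"]["clientIp"]].append(r["timestamp"])
    alerts = {}
    for ip, stamps in stamps_by_ip.items():
        stamps.sort()
        start, peak = 0, 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window_ms:  # slide the window start forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts[ip] = peak
    return alerts


def allowed_but_counted(records: List[Dict]) -> List[Tuple[str, str, str]]:
    """ALLOWed requests that matched a COUNT-mode rule: (clientIp, uri, ruleId)."""
    return [(r["httpRequest"]["clientIp"], r["httpRequest"]["uri"], m["ruleId"])
            for r in records if r.get("action") == "ALLOW"
            for m in r.get("nonTerminatingMatchingRules", [])]


if __name__ == "__main__":
    recs, bad = parse_records(SAMPLE_LOG_LINES)
    print(f"{len(recs)} records parsed, {bad} malformed")
    print("blocks per rule:", dict(blocked_by_rule(recs)))
    print("noisy clients:", noisy_clients(recs))
    print("allowed but counted:", allowed_but_counted(recs))
```

The same three functions run unchanged over real records read from the chosen destination, and their outputs map directly onto the review tasks above: blocks per rule tells you which rules are doing the work, the burst detector is the kind of condition a SIEM alert would be built on, and the allowed-but-counted list is the evidence to check before promoting a COUNT rule to BLOCK.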

Conclusion

Enabling logging on AWS WAFv2 regional and global web access control lists is crucial for effective security monitoring and incident response. By following the provided remediation steps, you can ensure that the desired logs are generated and stored, assisting in identifying potential threats and maintaining a secure environment.

Note: Remember to adhere to your organization's security policies and compliance requirements while enabling logging on AWS WAFv2 ACLs.
