Ensure logging is enabled on AWS WAFv2 regional and global web access control lists.
Rule | Logging should be enabled on AWS WAFv2 regional and global web access control lists (ACLs) |
Framework | FedRAMP Moderate Revision 4 |
Severity | Low |
Logging for AWS WAFv2 Regional and Global Web ACLs for FedRAMP Moderate Revision 4
Rule Description
This rule requires that logging be enabled on every AWS Web Application Firewall (WAF) version 2 (WAFv2) regional and global web access control list (ACL), as required by the FedRAMP Moderate security baseline, Revision 4. Without web ACL logging there is no record of which requests the WAF inspected, allowed or blocked, so audit and incident-investigation requirements cannot be met.
Troubleshooting Steps
Logging may be found disabled on a Web ACL, or enabling it may fail. The following steps help resolve such issues:
Verify IAM Permissions: Ensure that the user or role attempting to enable logging has the necessary permissions to modify AWS WAFv2 ACL settings and create related resources.
Check Firewall Availability: Make sure that the Web ACL is accessible and available in the desired region or globally. If it's not available, create a new Web ACL.
Check Logging Configuration: Validate the logging configuration settings to ensure they are correctly defined. Verify the logging destination (for example the ARN of the destination S3 bucket) and any redacted fields or logging filters you intend to apply.
Verify Resource Associations: Ensure that the Web ACL is correctly associated with the desired resources, such as AWS CloudFront distributions or Application Load Balancers (ALBs).
Review Error Messages: If any error messages are encountered during the logging enablement process, examine them carefully to identify the root cause. Common errors could include permission issues, invalid bucket policies, or incorrect configurations.
Necessary Codes
No application code is required to enable logging on AWS WAFv2 regional and global Web ACLs. The required actions can be performed with the AWS Command Line Interface (CLI) or the AWS Management Console.
Step-by-Step Guide for Remediation
Follow these steps to enable logging on AWS WAFv2 regional and global Web ACLs for FedRAMP Moderate Revision 4:
AWS Console:
a. Open the AWS Management Console and navigate to the AWS WAFv2 service.
b. Select the desired region, or Global (CloudFront) for a global web ACL.
c. Identify the Web ACL you want to enable logging for and click on its name.
d. Click on the "Logging & Publishing" tab.
e. Enable logging by toggling the "Enable logging" option.
f. Configure the desired logging destination by selecting an existing S3 bucket or creating a new one.
g. Set any additional logging options your requirements call for.
h. Click "Save changes" to apply the logging configuration.
AWS CLI:
a. Open the AWS CLI on your local machine or terminal.
b. Run the following command to enable logging on a regional Web ACL. Logging is applied with `put-logging-configuration`; the Web ACL itself is identified by the `ResourceArn` inside the JSON file created in step d:

```bash
aws wafv2 put-logging-configuration --region <region> --logging-configuration file://logging-config.json
```

The ARN of a regional Web ACL can be listed with `aws wafv2 list-web-acls --scope REGIONAL --region <region>`.
c. To enable logging on a global (CloudFront) Web ACL, run the same command against the us-east-1 endpoint, which is where global Web ACLs are managed:

```bash
aws wafv2 put-logging-configuration --region us-east-1 --logging-configuration file://logging-config.json
```

The ARN of a global Web ACL (it contains `global/webacl/` rather than `regional/webacl/`) can be listed with `aws wafv2 list-web-acls --scope CLOUDFRONT --region us-east-1`.
d. Create a JSON file called `logging-config.json` with the following content:

```json
{
  "ResourceArn": "arn:aws:wafv2:<region>:<account-id>:regional/webacl/<web-acl-name>/<web-acl-id>",
  "LogDestinationConfigs": [
    "arn:aws:s3:::aws-waf-logs-<bucket-name>"
  ],
  "RedactedFields": [
    { "UriPath": {} }
  ]
}
```

Replace `<region>`, `<account-id>`, `<web-acl-name>` and `<web-acl-id>` with the values from the Web ACL ARN obtained above, and `<bucket-name>` with the name of the S3 bucket that will store the logs. WAFv2 only accepts log destinations whose name begins with `aws-waf-logs-`, and the bucket must be in the same account as the Web ACL. `RedactedFields` is optional; the example redacts the URI path from the stored log entries.
e. Run the appropriate command from step b or c, based on the Web ACL scope (regional or global), to enable logging.
Completing these steps enables logging on AWS WAFv2 regional and global Web ACLs as required for FedRAMP Moderate Revision 4. Ensure you have the necessary IAM permissions and prerequisites (such as a correctly named log destination) in place before attempting to enable logging.
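To verify the rule across an account rather than one ACL at a time, the following added example (not part of the original page) walks every Web ACL in a scope and reports those with no logging configuration, using the boto3 `wafv2` client calls `list_web_acls` and `get_logging_configuration`; the `StubWafv2` class and `SAMPLE_ACLS` data are constructed stand-ins so the check runs offline.

```python
from typing import Any, Dict, List

def find_unlogged_web_acls(wafv2: Any, scope: str) -> List[Dict[str, str]]:
    """Return [{Name, ARN}] for every web ACL in scope ("REGIONAL" or "CLOUDFRONT";
    CLOUDFRONT needs a us-east-1 client) that has no logging configuration.
    WAFv2 signals "no logging configured" by raising WAFNonexistentItemException."""
    findings: List[Dict[str, str]] = []
    kwargs: Dict[str, str] = {"Scope": scope}
    while True:  # list_web_acls pages with NextMarker
        page = wafv2.list_web_acls(**kwargs)
        for acl in page.get("WebACLs", []):
            try:
                wafv2.get_logging_configuration(ResourceArn=acl["ARN"])
            except wafv2.exceptions.WAFNonexistentItemException:
                findings.append({"Name": acl["Name"], "ARN": acl["ARN"]})
        if not page.get("NextMarker"):
            return findings
        kwargs["NextMarker"] = page["NextMarker"]


class StubWafv2:
    """Constructed offline stand-in for boto3's wafv2 client (hypothetical data)."""

    class exceptions:  # mirrors boto3's client.exceptions namespace
        class WAFNonexistentItemException(Exception): ...

    def __init__(self, acls, logged_arns):
        self._acls, self._logged = acls, set(logged_arns)

    def list_web_acls(self, Scope, NextMarker=None):
        idx = int(NextMarker or 0)  # one ACL per page to exercise pagination
        page = {"WebACLs": self._acls[idx:idx + 1]}
        if idx + 1 < len(self._acls):
            page["NextMarker"] = str(idx + 1)
        return page

    def get_logging_configuration(self, ResourceArn):
        if ResourceArn not in self._logged:
            raise self.exceptions.WAFNonexistentItemException(ResourceArn)
        return {"LoggingConfiguration": {"ResourceArn": ResourceArn}}

# Constructed sample data: api-acl has logging configured, web-acl does not.
SAMPLE_ACLS = [
    {"Name": "api-acl", "ARN": "arn:aws:wafv2:us-east-1:111122223333:regional/webacl/api-acl/0001"},
    {"Name": "web-acl", "ARN": "arn:aws:wafv2:us-east-1:111122223333:regional/webacl/web-acl/0002"},
]
STUB = StubWafv2(SAMPLE_ACLS, [SAMPLE_ACLS[0]["ARN"]])

if __name__ == "__main__":  # for a real account: boto3.client("wafv2", region_name=...)
    for f in find_unlogged_web_acls(STUB, "REGIONAL"):
        print(f"NONCOMPLIANT: {f['Name']} has no logging configuration ({f['ARN']})")
```

Against a real account, pass a `boto3.client("wafv2", region_name=...)` instead of `STUB` and run once per region for `REGIONAL` plus once in us-east-1 for `CLOUDFRONT`; every ACL returned is a finding for this rule.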