Enable Logging Rule for AWS WAFv2 Web ACLs
This rule requires logging to be enabled on AWS WAFv2 regional and global web access control lists.
| Rule | Logging should be enabled on AWS WAFv2 regional and global web access control list (ACLs) |
| Framework | FedRAMP Moderate Revision 4 |
| Severity | ✔ Low |
Rule Details:
This rule requires that logging is enabled on AWS WAFv2 regional and global web access control lists (ACLs) for FedRAMP Moderate Revision 4 compliance. Logging enables the capture and analysis of web requests and allows for proactive monitoring and alerting of potential security incidents.
Enabling logging on AWS WAFv2 regional and global ACLs ensures that all web traffic and requests are logged, including malicious or suspicious activities. This data is crucial for security analysis, incident response, and compliance audits.
Remediation Steps:
- 1.
Identify AWS WAFv2 Regional and Global ACLs:
- Identify the AWS WAFv2 regional and global ACLs that need logging enabled. This can be done through the AWS management console or by using the AWS Command Line Interface (CLI) with the following command:
aws wafv2 list-web-acls - 2.
Enable Logging on ACLs:
- To enable logging on an ACL, navigate to the AWS WAFv2 management console.
- Select the desired ACL that requires logging.
- In the ACL settings, locate the "Logging Configuration" section and enable logging.
- Specify the desired logging destination, such as Amazon Kinesis Data Firehose or Amazon CloudWatch Logs.
- Configure additional logging parameters as per your requirements.
- Save the changes to enable logging on the selected ACL.
- 3.
Verify Logging Configuration:
- After enabling logging on the ACLs, ensure that the configuration is applied correctly.
- Check if the logging destination is receiving the logs.
- Review the logs for any errors or anomalies.
- 4.
Periodically Monitor Logs:
- Regularly monitor the logs from the logging destination for any suspicious activities or security incidents.
- Set up automated alerts or notifications to proactively respond to potential threats.
- Use log analysis tools or SIEM (Security Information and Event Management) solutions to perform in-depth analysis of the log data.
Troubleshooting Steps:
Issue: Logging is not enabled on ACLs
- 1.
Confirm AWS WAFv2 version:
- Ensure that you are using AWS WAFv2, as logging is not available on earlier versions.
- 2.
Check IAM permissions:
- Verify that the IAM (Identity and Access Management) user or role used to enable logging has the necessary permissions to modify and configure ACL logging settings.
- Ensure the user or role has the appropriate AWSWAFWebACLLoggingEnable policy attached.
- 3.
Review CloudWatch Logs and Kinesis Firehose configuration:
- If you are using CloudWatch Logs or Kinesis Firehose as the logging destination, check the configuration settings for any errors or misconfigurations.
- Ensure the correct CloudWatch Log Group or Kinesis Firehose delivery stream is specified.
- 4.
Validate ACL associations:
- Confirm that the ACLs are correctly associated with the desired AWS resources, such as Amazon CloudFront distributions or Application Load Balancers.
- Incorrect ACL associations may result in logging not being applied to the desired web traffic.
- 5.
Check for region-specific limitations:
- Some AWS services may have regional restrictions or limitations with regard to logging. Ensure you are using a supported region for logging.
- 6.
Review AWS WAFv2 documentation and forums:
- If the troubleshooting steps above do not resolve the issue, refer to the AWS WAFv2 documentation and AWS forum discussions for further guidance or to seek help from the AWS community.
Code:
No specific code is required for this rule. It involves enabling logging through the AWS WAFv2 management console and configuring the appropriate settings for the logging destination.