Enable Logging Rule for AWS WAFv2 Web ACLs

Ensure logging is enabled on AWS WAFv2 regional and global web ACLs to enhance security and compliance measures.

Rule: Logging should be enabled on AWS WAFv2 regional and global web access control lists (ACLs)
Framework: Federal Financial Institutions Examination Council (FFIEC)
Severity: Low

Description:

The rule requires that logging be enabled on AWS Web Application Firewall v2 (WAFv2) regional and global web access control lists (ACLs) to meet the Federal Financial Institutions Examination Council (FFIEC) framework. Logging captures request traffic for analysis, giving organizations insight into potential security threats and evidence for regulatory requirements.

Troubleshooting Steps:

If there are any issues with enabling logging on the FFIEC web ACLs, follow these troubleshooting steps:

  1. Verify IAM Permissions: Ensure that the user or role performing the action has the necessary permissions to modify the web ACL logging settings. The required permission is wafv2:PutLoggingConfiguration.

  2. Check WAFv2 Web ACL State: Ensure that the web ACL for FFIEC is in the "ACTIVE" state. If it is not active, the modification to enable logging might fail. Wait until the status changes to "ACTIVE" and retry the logging configuration.

  3. Logging Quota Exceeded: If the AWS account has reached its logging quota, you will need to raise the account's logging limits or clear out some logs to make space available.

Necessary Codes:

No specific codes are required for enabling logging on AWS WAFv2 web ACLs. However, the following AWS Command Line Interface (CLI) commands can be used to manage the logging configuration for FFIEC web ACLs:

  1. To create or replace a web ACL's logging configuration (the same call both creates and updates; the target web ACL is named by the ResourceArn field in the JSON file):
     aws wafv2 put-logging-configuration --logging-configuration file://<logging-configuration.json>
  2. To view the logging configuration attached to a web ACL:
     aws wafv2 get-logging-configuration --resource-arn <web-acl-arn>
  3. To list every logging configuration in a scope (use --scope CLOUDFRONT together with --region us-east-1 for global web ACLs):
     aws wafv2 list-logging-configurations --scope REGIONAL
  4. To remove a web ACL's logging configuration:
     aws wafv2 delete-logging-configuration --resource-arn <web-acl-arn>

Remediation Steps:

To enable logging on AWS WAFv2 regional and global web ACLs for FFIEC, follow the step-by-step guide below:

  1. Create a Logging Configuration:

     • Open the AWS Command Line Interface (CLI) or AWS Management Console.
     • Create a JSON file with the desired logging configuration options (e.g., the log destination such as the Amazon S3 bucket ARN, fields to redact, etc.).
     • Execute the command "aws wafv2 put-logging-configuration" with that file to create the logging configuration.

  2. Associate Logging Configuration with Web ACLs:

     • Obtain the Amazon Resource Name (ARN) of the FFIEC web ACL for regional and global scopes.
     • Execute "aws wafv2 put-logging-configuration" once for each web ACL, setting ResourceArn in the JSON to that web ACL's ARN; this field is what binds the logging configuration to the web ACL.

  3. Verify Logging Configuration:

     • Check the logging configuration details with "aws wafv2 get-logging-configuration" or in the AWS Management Console.
     • Ensure that the logging configuration is associated with the correct FFIEC web ACLs.

  4. Test Logging:

     • Submit test requests to your application protected by the FFIEC web ACL.
     • Verify that the logs are being generated and stored in the specified Amazon S3 bucket.
     • Review the logs to ensure they contain the relevant information for compliance and security analysis.

By following these steps, you can successfully enable logging on AWS WAFv2 regional and global web ACLs for FFIEC, aiding in compliance and security auditing.
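The audit and remediation described above, as an added example that is not Cloud Defense's own check: it evaluates constructed JSON in the shape returned by "aws wafv2 list-web-acls" and "aws wafv2 list-logging-configurations" for both scopes, reports web ACLs with no logging, and builds the put-logging-configuration payload for each. The web ACL names, account id and bucket name are constructed sample values.

```python
import json

# Constructed sample output: one REGIONAL and one CLOUDFRONT (global) web ACL;
# only the regional one already has a logging configuration attached.
WEB_ACLS = {
    "REGIONAL": [{"Name": "ffiec-api", "ARN": "arn:aws:wafv2:us-east-1:111122223333:regional/webacl/ffiec-api/EXAMPLE1"}],
    "CLOUDFRONT": [{"Name": "ffiec-edge", "ARN": "arn:aws:wafv2:us-east-1:111122223333:global/webacl/ffiec-edge/EXAMPLE2"}],
}
LOGGING_CONFIGS = {
    "REGIONAL": [{"ResourceArn": WEB_ACLS["REGIONAL"][0]["ARN"],
                  "LogDestinationConfigs": ["arn:aws:s3:::aws-waf-logs-ffiec-111122223333"]}],
    "CLOUDFRONT": [],
}


def unlogged_web_acls(web_acls, logging_configs):
    """Return (scope, name, arn) for every web ACL that has no logging configuration."""
    findings = []
    for scope, acls in web_acls.items():
        logged = {c["ResourceArn"] for c in logging_configs.get(scope, [])}
        findings += [(scope, a["Name"], a["ARN"]) for a in acls if a["ARN"] not in logged]
    return findings


def logging_payload(web_acl_arn, bucket):
    """Build the --logging-configuration JSON for aws wafv2 put-logging-configuration.

    WAFv2 only accepts destinations (S3 bucket, CloudWatch log group, Firehose
    stream) whose name starts with 'aws-waf-logs-', so fail before the API call.
    """
    if not bucket.startswith("aws-waf-logs-"):
        raise ValueError("WAF log destination names must start with 'aws-waf-logs-'")
    return {
        "ResourceArn": web_acl_arn,  # binds this configuration to exactly one web ACL
        "LogDestinationConfigs": [f"arn:aws:s3:::{bucket}"],
        # Keep bearer tokens and basic-auth credentials out of the log store.
        "RedactedFields": [{"SingleHeader": {"Name": "authorization"}}],
    }


if __name__ == "__main__":
    for scope, name, arn in unlogged_web_acls(WEB_ACLS, LOGGING_CONFIGS):
        payload = logging_payload(arn, "aws-waf-logs-ffiec-111122223333")
        region = " --region us-east-1" if scope == "CLOUDFRONT" else ""  # global ACLs are managed in us-east-1
        print(f"{scope}: web ACL {name} has no logging; remediate with:")
        print(f"aws wafv2 put-logging-configuration{region} --logging-configuration '{json.dumps(payload)}'")
```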
