
Rule: Logging should be enabled on AWS WAFv2 ACLs

Ensure logging is enabled on AWS WAFv2 regional and global web ACLs for enhanced security measures.

Rule: Logging should be enabled on AWS WAFv2 regional and global web access control lists (ACLs)
Framework: GxP 21 CFR Part 11
Severity: Low

Rule Description:

Enabling logging on AWS WAFv2 regional and global web access control lists (ACLs) is necessary to ensure compliance with GxP 21 CFR Part 11 regulations. Logging provides a detailed record of all web traffic that passes through the ACLs, allowing for effective monitoring, analysis, and auditing of security events. By activating logging, administrators can gain insights into potential security breaches, track unauthorized access attempts, and maintain an accurate trail of actions taken within the system.

Troubleshooting Steps:

If there are any issues with enabling logging on AWS WAFv2 regional and global ACLs, the following troubleshooting steps can be performed:

  1. Check AWS WAFv2 Configurations: Verify that the WAFv2 configurations are correctly set up, including the creation of regional and global ACLs.
  2. Verify Logging Configuration: Ensure that the logging configuration for the ACLs is correctly specified. Check the log destination, such as Amazon CloudWatch Logs, to confirm that the ACLs are correctly linked to the logging service.
  3. IAM Permissions: Verify that the IAM user or role used to enable logging has the necessary permissions to access and write logs to the designated logging service.
  4. CloudWatch Logs Permissions: Confirm that the IAM policy grants the permissions needed to write logs to CloudWatch Logs; it should include the "logs:CreateLogGroup" and "logs:CreateLogStream" actions.
  5. Double-Check ACL Association: Ensure that the regional and global ACLs are correctly associated with the desired resources, such as Amazon API Gateway or Application Load Balancer.

Necessary Codes:

  1. To enable logging using the AWS Command Line Interface (CLI) for regional ACLs, first look up the web ACL ARN by name, then attach the logging configuration to it:

aws wafv2 list-web-acls --scope REGIONAL --region <REGION> \
  --query "WebACLs[?Name=='<ACL_NAME>'].ARN" --output text

aws wafv2 put-logging-configuration --region <REGION> \
  --logging-configuration ResourceArn=<WEB_ACL_ARN>,LogDestinationConfigs=<CLOUDWATCH_LOG_ARN>

  2. To enable logging using the AWS CLI for global (CloudFront) ACLs. Global web ACLs are managed from us-east-1 regardless of where the distribution serves traffic, so the region is fixed:

aws wafv2 list-web-acls --scope CLOUDFRONT --region us-east-1 \
  --query "WebACLs[?Name=='<ACL_NAME>'].ARN" --output text

aws wafv2 put-logging-configuration --region us-east-1 \
  --logging-configuration ResourceArn=<WEB_ACL_ARN>,LogDestinationConfigs=<CLOUDWATCH_LOG_ARN>

Make sure to replace the placeholders with appropriate values:

  • <REGION>: The AWS region in which the regional web ACL was created.
  • <ACL_NAME>: The name of the access control list.
  • <WEB_ACL_ARN>: The web ACL ARN returned by the list-web-acls lookup.
  • <CLOUDWATCH_LOG_ARN>: The Amazon Resource Name (ARN) of the CloudWatch Logs log group that will receive the logs. WAF only accepts a log group whose name begins with aws-waf-logs-.

Step-by-Step Guide for Remediation:

Follow the step-by-step guide below to enable logging on AWS WAFv2 regional and global web access control lists:

  1. Log in to the AWS Management Console.
  2. Open the AWS WAFv2 service.
  3. Select "Web ACLs" from the sidebar menu.
  4. Locate the regional or global web ACL for which logging needs to be enabled.
  5. Copy the ACL name, as it will be required in the CLI command.
  6. Determine the desired CloudWatch metric name to be associated with the logs.
  7. Obtain the Amazon Resource Name (ARN) of the target CloudWatch Logs destination.
  8. Open the AWS Command Line Interface (CLI) or an alternative terminal with the AWS CLI configured.
  9. Select the appropriate code snippet based on the ACL scope (regional or global) and replace the placeholders with actual values.
  10. Execute the CLI command to enable logging by running the updated command.
  11. Verify that the command executes successfully and returns an appropriate response.
  12. Validate the configuration by reviewing the AWS Management Console to ensure the ACL shows enabled logging and is associated with the correct log destination.
  13. Perform regular checks on the CloudWatch Logs to monitor the generated logs and take necessary actions based on the logged events.
  14. Repeat the process for additional regional or global ACLs if required.

By following these steps, you can enable logging on AWS WAFv2 regional and global web access control lists, ensuring compliance with GxP 21 CFR Part 11 regulations while maintaining a secure environment.
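The validation in the guide above can be automated across every web ACL in an account. The following is an added example, not part of the original rule page or of any vendor tooling: it evaluates each web ACL against this rule using the shapes returned by list-web-acls and get-logging-configuration, and the fetch_logging_state helper assumes boto3 is installed and credentials are configured. The sample ACL, ARNs and account id are constructed.

```python
import re

# WAF accepts three destination types and requires the destination name to begin with "aws-waf-logs-".
DESTINATION_PATTERNS = (
    re.compile(r"^arn:aws:logs:[a-z0-9-]+:\d{12}:log-group:aws-waf-logs-[^:]+$"),   # CloudWatch Logs
    re.compile(r"^arn:aws:s3:::aws-waf-logs-[a-z0-9.-]+$"),                          # S3 bucket
    re.compile(r"^arn:aws:firehose:[a-z0-9-]+:\d{12}:deliverystream/aws-waf-logs-.+$"),  # Firehose
)

def evaluate_acl(acl, logging_config):
    """Return (status, reason) for one list-web-acls entry. logging_config is the LoggingConfiguration
    dict from get-logging-configuration, or None when that call raised WAFNonexistentItemException."""
    if logging_config is None:
        return "FAIL", "no logging configuration"
    destinations = logging_config.get("LogDestinationConfigs", [])
    if not destinations:
        return "FAIL", "logging configuration has no destinations"
    if logging_config.get("ResourceArn") != acl["ARN"]:
        return "FAIL", "logging configuration belongs to a different web ACL"
    bad = [d for d in destinations if not any(p.match(d) for p in DESTINATION_PATTERNS)]
    if bad:
        return "FAIL", "unsupported destination(s): " + ", ".join(bad)
    return "PASS", "logging to " + ", ".join(destinations)

def fetch_logging_state(scope, region):
    """Collect (acl, logging_config) pairs for one scope with boto3 (assumed installed);
    CLOUDFRONT-scoped (global) web ACLs are only visible from us-east-1."""
    import boto3  # imported here so evaluate_acl() stays usable offline
    client = boto3.client("wafv2", region_name="us-east-1" if scope == "CLOUDFRONT" else region)
    pairs, kwargs = [], {"Scope": scope}
    while True:
        page = client.list_web_acls(**kwargs)
        for acl in page["WebACLs"]:
            try:
                cfg = client.get_logging_configuration(ResourceArn=acl["ARN"])["LoggingConfiguration"]
            except client.exceptions.WAFNonexistentItemException:
                cfg = None  # no logging configured for this ACL
            pairs.append((acl, cfg))
        if not page.get("NextMarker"):
            return pairs
        kwargs["NextMarker"] = page["NextMarker"]

# Constructed sample data shaped like the API responses (not from a real account).
ACL_ARN = "arn:aws:wafv2:us-east-1:123456789012:regional/webacl/prod-api-acl/00000000-0000-0000-0000-000000000000"
SAMPLE_ACL = {"Name": "prod-api-acl", "Id": "00000000-0000-0000-0000-000000000000", "ARN": ACL_ARN}
SAMPLE_OK = {"ResourceArn": ACL_ARN, "LogDestinationConfigs":
             ["arn:aws:logs:us-east-1:123456789012:log-group:aws-waf-logs-prod"]}
SAMPLE_BAD = {"ResourceArn": ACL_ARN, "LogDestinationConfigs":
              ["arn:aws:logs:us-east-1:123456789012:log-group:prod-waf"]}
```

Running evaluate_acl over the pairs from fetch_logging_state("REGIONAL", region) and fetch_logging_state("CLOUDFRONT", None) lists every ACL that fails this rule together with the reason.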
