This rule ensures logging is enabled on AWS WAFv2 regional and global web access control list (ACLs).
Rule      | Logging should be enabled on AWS WAFv2 regional and global web access control lists (ACLs)
Framework | NIST 800-171 Revision 2
Severity  | Low
Rule Description
The rule requires enabling logging on AWS Web Application Firewall version 2 (WAFv2) regional and global web access control lists (ACLs) to comply with the NIST 800-171 Revision 2 security standard. Logging provides visibility into the traffic patterns, events, and potential security threats on the WAFv2 ACLs.
Troubleshooting Steps
Verify WAFv2 ACLs: Check if WAFv2 ACLs are implemented correctly and associated with the desired resources.
Verify WAFv2 logging configuration: Ensure that logging is enabled for the WAFv2 ACLs.
Review CloudWatch Logs: Analyze CloudWatch Logs for any error messages related to WAFv2 logging.
Check IAM permissions: Ensure that the IAM user or role used to enable logging has the necessary permissions to access WAFv2 and CloudWatch Logs.
Necessary Codes
No application code changes are required for this rule. The AWS Command Line Interface (CLI) commands below can be used to verify and remediate it.
Remediation Steps
Follow these steps to enable logging on AWS WAFv2 regional and global web access control lists:
Open the AWS Management Console and navigate to the AWS WAFv2 service.
Select the desired WAFv2 ACL.
Click on the "Logging" tab.
Enable logging: switch the toggle to "On" or select the logging configuration you want.
Choose an existing Amazon S3 bucket or create a new one to store the logs.
Configure log retention period: Choose the retention period for CloudWatch Logs.
Click on the "Save" or "Update" button to apply the changes.
CLI Commands
If you prefer using the AWS CLI, you can use the following commands to enable logging for WAFv2 ACLs. First list the web ACLs in each scope (the CLOUDFRONT scope is only served from us-east-1, so that region must be specified):
aws wafv2 list-web-acls --scope REGIONAL
aws wafv2 list-web-acls --scope CLOUDFRONT --region us-east-1
Then enable logging. Note that put-logging-configuration has no --resource-arn option; the ACL ARN is passed as the ResourceArn field inside the logging configuration JSON:
aws wafv2 put-logging-configuration --logging-configuration '{ "ResourceArn": "arn:aws:wafv2:us-west-2:123456789012:regional/webacl/abcdabcd-abcd-abcd-abcd-abcdabcdabcd", "LogDestinationConfigs": ["arn:aws:logs:us-west-2:123456789012:log-group:aws-waf-logs-WebACLLogGroup:*"], "RedactedFields": [ { "FieldToMatch": { "UriPath": {} } } ] }'
Note: Replace the ResourceArn value with the actual ARN of the desired WAFv2 ACL and set LogDestinationConfigs to your own CloudWatch Logs log group (an S3 bucket or Kinesis Data Firehose delivery stream can be used instead). AWS WAF only accepts destinations whose names begin with aws-waf-logs-, so create the log group with that prefix before running the command. To confirm the result:
aws wafv2 get-logging-configuration --resource-arn arn:aws:wafv2:us-west-2:123456789012:regional/webacl/abcdabcd-abcd-abcd-abcd-abcdabcdabcd
This command returns the logging configuration details for the specified WAFv2 ACL. If logging has not been enabled, it fails with WAFNonexistentItemException, which is the condition this rule flags.
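The troubleshooting and CLI steps above can be combined into one audit script. The following Python is an added example, not code from the original rule page or from AWS: it evaluates a constructed sample inventory offline (all ACL ARNs, names and account numbers below are made-up placeholders), checks that each web ACL has a logging configuration with at least one destination named with the required aws-waf-logs- prefix, and builds the corrected put-logging-configuration command for ACLs that lack logging. The optional --live mode assumes the aws CLI is installed and has credentials with wafv2 read access.

```python
"""Audit AWS WAFv2 web ACLs for logging (REGIONAL and CLOUDFRONT scopes).

Evaluation runs offline on constructed sample data; pass --live to query the
account through the AWS CLI instead. All ARNs below are made-up placeholders.
"""
import json
import shlex
import subprocess
import sys

# AWS WAF only accepts log destinations (CloudWatch Logs log group, S3 bucket,
# Kinesis Data Firehose stream) whose names start with this prefix.
REQUIRED_PREFIX = "aws-waf-logs-"


def destination_name(dest_arn):
    """Pull the resource name out of a WAF log destination ARN ("" if unknown)."""
    parts = dest_arn.split(":", 5)
    if len(parts) < 6:
        return ""
    service, resource = parts[2], parts[5]
    if service == "logs":      # arn:aws:logs:REGION:ACCT:log-group:NAME[:*]
        fields = resource.split(":")
        return fields[1] if fields[0] == "log-group" and len(fields) > 1 else ""
    if service == "s3":        # arn:aws:s3:::BUCKET
        return resource
    if service == "firehose":  # arn:aws:firehose:REGION:ACCT:deliverystream/NAME
        return resource.partition("/")[2]
    return ""


def evaluate(web_acls, logging_configs):
    """Return one finding per web ACL.

    web_acls: dicts with Name, ARN and Scope (Scope is added by the collector).
    logging_configs: {ACL ARN: LoggingConfiguration dict, or None when
    get-logging-configuration raised WAFNonexistentItemException}.
    """
    findings = []
    for acl in web_acls:
        cfg = logging_configs.get(acl["ARN"])
        issues = []
        if cfg is None:
            issues.append("no logging configuration")
        else:
            dests = cfg.get("LogDestinationConfigs") or []
            if not dests:
                issues.append("no log destination")
            for dest in dests:
                if not destination_name(dest).startswith(REQUIRED_PREFIX):
                    issues.append(f"destination not named {REQUIRED_PREFIX}*: {dest}")
        findings.append({"Name": acl["Name"], "Scope": acl["Scope"],
                         "ARN": acl["ARN"], "Compliant": not issues, "Issues": issues})
    return findings


def put_logging_command(acl_arn, dest_arn, redact_uri_path=True):
    """argv for the remediation call; ResourceArn lives inside the JSON body."""
    config = {"ResourceArn": acl_arn, "LogDestinationConfigs": [dest_arn]}
    if redact_uri_path:
        config["RedactedFields"] = [{"FieldToMatch": {"UriPath": {}}}]
    return ["aws", "wafv2", "put-logging-configuration",
            "--logging-configuration", json.dumps(config)]


def collect_from_cli():
    """Live inventory via the AWS CLI (needs credentials and wafv2 read access)."""
    acls, configs = [], {}
    # The CLOUDFRONT scope is only served from us-east-1.
    for scope, extra in (("REGIONAL", []), ("CLOUDFRONT", ["--region", "us-east-1"])):
        listing = subprocess.check_output(
            ["aws", "wafv2", "list-web-acls", "--scope", scope, "--output", "json", *extra],
            text=True)
        for acl in json.loads(listing).get("WebACLs", []):
            acl["Scope"] = scope
            acls.append(acl)
            proc = subprocess.run(
                ["aws", "wafv2", "get-logging-configuration", "--resource-arn", acl["ARN"],
                 "--output", "json", *extra], capture_output=True, text=True)
            # Non-zero exit (WAFNonexistentItemException) means logging is off.
            configs[acl["ARN"]] = (json.loads(proc.stdout)["LoggingConfiguration"]
                                   if proc.returncode == 0 else None)
    return acls, configs


ACCT = "123456789012"  # placeholder account id
SAMPLE_ACLS = [  # constructed sample inventory, shaped like list-web-acls output
    {"Name": "api-acl", "Scope": "REGIONAL",
     "ARN": f"arn:aws:wafv2:us-west-2:{ACCT}:regional/webacl/api-acl/11111111-1111-1111-1111-111111111111"},
    {"Name": "cdn-acl", "Scope": "CLOUDFRONT",
     "ARN": f"arn:aws:wafv2:us-east-1:{ACCT}:global/webacl/cdn-acl/22222222-2222-2222-2222-222222222222"},
    {"Name": "legacy-acl", "Scope": "REGIONAL",
     "ARN": f"arn:aws:wafv2:us-west-2:{ACCT}:regional/webacl/legacy-acl/33333333-3333-3333-3333-333333333333"},
]
SAMPLE_CONFIGS = {  # constructed get-logging-configuration results
    SAMPLE_ACLS[0]["ARN"]: {"LogDestinationConfigs":
                            [f"arn:aws:logs:us-west-2:{ACCT}:log-group:aws-waf-logs-api:*"]},
    SAMPLE_ACLS[1]["ARN"]: None,  # WAFNonexistentItemException: logging never enabled
    SAMPLE_ACLS[2]["ARN"]: {"LogDestinationConfigs": ["arn:aws:s3:::waf-logs-legacy"]},  # bad prefix
}

if __name__ == "__main__":
    live = "--live" in sys.argv[1:]
    acls, configs = collect_from_cli() if live else (SAMPLE_ACLS, SAMPLE_CONFIGS)
    for f in evaluate(acls, configs):
        status = "PASS" if f["Compliant"] else "FAIL"
        print(f"{status} {f['Scope']:<10} {f['Name']}: {'; '.join(f['Issues']) or 'logging enabled'}")
        if f["Issues"] == ["no logging configuration"]:
            cmd = put_logging_command(f["ARN"], "<aws-waf-logs-... destination ARN>")
            print("  remediate with:", shlex.join(cmd))
```

Run without arguments to see the sample evaluation (one PASS and two FAIL lines, the second FAIL caused by a destination name without the aws-waf-logs- prefix, which the console and CLI both reject); run with --live against a real account to audit it.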
Conclusion
Enabling logging on AWS WAFv2 regional and global web access control lists is essential for NIST 800-171 Revision 2 compliance. By following the provided steps or using the AWS CLI commands, you can ensure that your WAFv2 ACLs are properly configured to generate logs, which enable better security monitoring and threat detection.