
Enabling Logging Rule for AWS WAFv2 Web ACL

This rule ensures that logging is enabled on AWS WAFv2 regional and global (CloudFront) web access control lists (web ACLs).

Rule: Logging should be enabled on AWS WAFv2 regional and global web access control lists (ACLs)
Framework: NIST 800-171 Revision 2
Severity: Low

Rule Description:

To comply with NIST 800-171 Revision 2, logging should be enabled on AWS Web Application Firewall (WAFv2) regional and global web access control lists (web ACLs). With logging enabled, every request the web ACL evaluates is recorded together with the rule that matched it and the action taken, which supports traffic monitoring, detection of attack patterns, and incident response.

Troubleshooting Steps:

If logging is not enabled on a WAFv2 regional or global web ACL, work through the following checks:

  1. Verify the current logging configuration of the web ACL with `aws wafv2 get-logging-configuration --resource-arn <web-acl-arn>`; a `WAFNonexistentItemException` response means no logging configuration exists for that web ACL.
  2. Check that the log destination is one WAFv2 accepts (a Kinesis Data Firehose delivery stream, a CloudWatch Logs log group, or an S3 bucket) and that its name starts with `aws-waf-logs-`; destinations without that prefix are rejected.
  3. Check the permissions on the destination: WAF writes to Firehose through the `AWSServiceRoleForWAFV2Logging` service-linked role, while a log group or bucket needs a resource policy granting WAF access, which you must set yourself when configuring logging through the API or CLI.
  4. For a CloudFront (global) web ACL, confirm that you are calling the API in us-east-1 and that a Firehose destination is also in us-east-1.
  5. Confirm that the web ACL itself is correctly configured and associated with the resource it protects; an unassociated web ACL evaluates no requests and therefore produces no logs.
  6. Review the delivery stream, log group or bucket and its CloudWatch metrics for delivery errors.

Necessary Codes:

Here are the commands to enable logging on AWS WAFv2 regional and global web ACLs. Note that `aws wafv2 update-web-acl` has no logging option; logging is attached to a web ACL with `aws wafv2 put-logging-configuration`, which takes the web ACL's ARN (shown by `aws wafv2 list-web-acls --scope REGIONAL` or `--scope CLOUDFRONT`) and a list of log destination ARNs.

For a regional web ACL:

```
aws wafv2 put-logging-configuration \
  --region <region> \
  --logging-configuration '{"ResourceArn": "arn:aws:wafv2:<region>:<account-id>:regional/webacl/<acl-name>/<acl-id>", "LogDestinationConfigs": ["arn:aws:firehose:<region>:<account-id>:deliverystream/aws-waf-logs-<firehose-stream-name>"]}'
```

For a CloudFront (global) web ACL, which exists only in us-east-1:

```
aws wafv2 put-logging-configuration \
  --region us-east-1 \
  --logging-configuration '{"ResourceArn": "arn:aws:wafv2:us-east-1:<account-id>:global/webacl/<acl-name>/<acl-id>", "LogDestinationConfigs": ["arn:aws:firehose:us-east-1:<account-id>:deliverystream/aws-waf-logs-<firehose-stream-name>"]}'
```

Replace `<acl-name>` and `<acl-id>` with the name and ID of the web ACL, `<region>` with the region the regional web ACL is in, `<account-id>` with your AWS account ID, and `aws-waf-logs-<firehose-stream-name>` with the name of the Kinesis Data Firehose delivery stream; the stream name must begin with `aws-waf-logs-`. A CloudWatch Logs log group ARN or an S3 bucket ARN may be used as the destination instead, subject to the same name prefix.

# Step by Step Guide for Remediation:

Follow these steps to enable logging on AWS WAFv2 regional and global web ACLs:

1. Identify the web ACL on which you want to enable logging and note its ARN (`aws wafv2 list-web-acls --scope REGIONAL` or `--scope CLOUDFRONT`).
2. Determine the AWS region the web ACL is located in; CloudFront (global) web ACLs are always managed in us-east-1.
3. Confirm the AWS account ID that owns the web ACL and the log destination.
4. Create, or confirm the existence of, a log destination whose name starts with `aws-waf-logs-`: a Kinesis Data Firehose delivery stream (in us-east-1 for CloudFront web ACLs), a CloudWatch Logs log group, or an S3 bucket.
5. Configure the permissions WAF needs to write to that destination (a resource policy on the log group or bucket when configuring through the API or CLI; Firehose is written to through the WAFV2 logging service-linked role).
6. Open the AWS Command Line Interface (CLI) or the AWS Management Console.
7. Run `aws wafv2 put-logging-configuration` with the web ACL ARN and the destination ARN, in the region determined in step 2.
8. Verify the result with `aws wafv2 get-logging-configuration --resource-arn <web-acl-arn>`.
9. Monitor the destination and its CloudWatch metrics for incoming logs.
10. Confirm that logs are arriving as expected and troubleshoot any delivery errors.
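The check in the troubleshooting steps and the remediation procedure above can be scripted. The following Python is an added example, not code from the original page or from Cloud Defense: it evaluates constructed samples of the JSON that `aws wafv2 list-web-acls` and `aws wafv2 get-logging-configuration` return (the web ACL names, ARNs and account ID are made up), reports every web ACL that has no logging configuration or an unsupported or mis-named destination, and builds the `put-logging-configuration` command that fixes it, using us-east-1 for CloudFront web ACLs. It does not call AWS itself; in practice you would feed it the real CLI output or boto3 responses.

```python
import json
import re

# AWS WAFv2 accepts three kinds of log destination, and each must be named with
# this prefix (delivery stream, log group or bucket name); otherwise
# put-logging-configuration is rejected.
REQUIRED_NAME_PREFIX = "aws-waf-logs-"

# Pattern for the resource part of each supported destination ARN, capturing
# the name that must carry the prefix.
_DESTINATION_PATTERNS = {
    "firehose": re.compile(r"^deliverystream/(?P<name>.+)$"),
    "logs": re.compile(r"^log-group:(?P<name>[^:]+)(?::\*)?$"),
    "s3": re.compile(r"^(?P<name>[^/]+)/?$"),
}


def parse_destination(arn):
    """Return (service, destination name) for a supported destination ARN, else None."""
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn":
        return None
    service, resource = parts[2], parts[5]
    pattern = _DESTINATION_PATTERNS.get(service)
    if pattern is None:
        return None
    match = pattern.match(resource)
    return (service, match.group("name")) if match else None


def destination_is_valid(arn):
    """True when the ARN is a supported destination whose name carries the required prefix."""
    parsed = parse_destination(arn)
    return parsed is not None and parsed[1].startswith(REQUIRED_NAME_PREFIX)


def audit_web_acls(web_acls, logging_configs):
    """Return (web ACL name, reason) for every web ACL that fails this rule.

    web_acls: entries from `aws wafv2 list-web-acls` (need "Name" and "ARN").
    logging_configs: web ACL ARN -> LoggingConfiguration from
    `aws wafv2 get-logging-configuration`; a missing key means that call
    returned WAFNonexistentItemException, i.e. logging is not configured.
    """
    findings = []
    for acl in web_acls:
        config = logging_configs.get(acl["ARN"])
        if config is None:
            findings.append((acl["Name"], "no logging configuration"))
            continue
        destinations = config.get("LogDestinationConfigs", [])
        if not destinations:
            findings.append((acl["Name"], "logging configuration has no destination"))
            continue
        bad = [d for d in destinations if not destination_is_valid(d)]
        if bad:
            findings.append((acl["Name"], "unsupported or mis-named destination: " + ", ".join(bad)))
    return findings


def cli_region_for(web_acl_arn):
    """Region to pass to the CLI: CloudFront (global) web ACLs are only reachable in us-east-1."""
    parts = web_acl_arn.split(":", 5)
    return "us-east-1" if parts[5].startswith("global/") else parts[3]


def remediation_command(web_acl_arn, destination_arn):
    """Build the put-logging-configuration command that fixes one non-compliant web ACL."""
    if not destination_is_valid(destination_arn):
        raise ValueError("destination must be a Firehose stream, log group or S3 bucket named "
                         + REQUIRED_NAME_PREFIX + "*: " + destination_arn)
    config = {"ResourceArn": web_acl_arn, "LogDestinationConfigs": [destination_arn]}
    return ("aws wafv2 put-logging-configuration --region %s --logging-configuration '%s'"
            % (cli_region_for(web_acl_arn), json.dumps(config)))


# Constructed sample data standing in for the CLI output of an account with three web ACLs
# (names, IDs and account number are made up).
ACCOUNT = "123456789012"
SAMPLE_WEB_ACLS = [
    {"Name": "api-regional",
     "ARN": f"arn:aws:wafv2:eu-west-1:{ACCOUNT}:regional/webacl/api-regional/1111-aaaa"},
    {"Name": "cdn-global",
     "ARN": f"arn:aws:wafv2:us-east-1:{ACCOUNT}:global/webacl/cdn-global/2222-bbbb"},
    {"Name": "legacy-regional",
     "ARN": f"arn:aws:wafv2:eu-west-1:{ACCOUNT}:regional/webacl/legacy-regional/3333-cccc"},
]
SAMPLE_LOGGING_CONFIGS = {
    # compliant: Firehose stream with the required prefix
    SAMPLE_WEB_ACLS[0]["ARN"]: {
        "ResourceArn": SAMPLE_WEB_ACLS[0]["ARN"],
        "LogDestinationConfigs": [f"arn:aws:firehose:eu-west-1:{ACCOUNT}:deliverystream/aws-waf-logs-api"],
    },
    # non-compliant: log group exists but lacks the aws-waf-logs- prefix
    SAMPLE_WEB_ACLS[2]["ARN"]: {
        "ResourceArn": SAMPLE_WEB_ACLS[2]["ARN"],
        "LogDestinationConfigs": [f"arn:aws:logs:eu-west-1:{ACCOUNT}:log-group:waf-legacy"],
    },
    # cdn-global has no entry: get-logging-configuration raised WAFNonexistentItemException
}

if __name__ == "__main__":
    for name, reason in audit_web_acls(SAMPLE_WEB_ACLS, SAMPLE_LOGGING_CONFIGS):
        print(f"{name}: {reason}")
    print(remediation_command(SAMPLE_WEB_ACLS[1]["ARN"],
                              f"arn:aws:firehose:us-east-1:{ACCOUNT}:deliverystream/aws-waf-logs-cdn"))
```

Running it lists `cdn-global` (no configuration) and `legacy-regional` (log group without the required prefix) and prints a `put-logging-configuration` command for the CloudFront web ACL pinned to `--region us-east-1`. The prefix check in `destination_is_valid` is what prevents the command from being built with a destination AWS would reject.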

By following these steps, you can enable logging on AWS WAFv2 regional and global web ACLs as required by NIST 800-171 Revision 2.
