
Rule: Logging should be enabled on AWS WAFv2 ACLs

Ensure logging is enabled on AWS WAFv2 regional and global web access control lists.

Rule: Logging should be enabled on AWS WAFv2 regional and global web access control lists (ACLs)
Framework: NIST 800-171 Revision 2
Severity: Low

Rule Description:

To align with the security requirements outlined in NIST 800-171 Revision 2, logging should be enabled on AWS WAFv2 regional and global web access control lists (ACLs). This rule checks that every web ACL has a logging configuration, so that the requests it evaluates are recorded, providing valuable insight into potential security incidents and enabling effective incident response.

Enabling logging on the ACLs allows you to monitor, analyze, and review the access logs, which include information such as source IP addresses, timestamps, request methods, and URLs. By collecting this data, you can identify patterns of suspicious activity, detect attempted attacks, and gain visibility into overall access to your resources.

Troubleshooting Steps:

If you encounter any issues while enabling logging on AWS WAFv2 regional and global web access control lists, follow these troubleshooting steps:

1. Verify IAM Permissions: Ensure that the IAM user or role you are using to configure the ACLs has the permissions needed to modify logging settings, including the wafv2:UpdateLoggingConfiguration permission.

2. Check WAFv2 Logging Capacity: Confirm that you have not exhausted the logging capacity available for AWS WAFv2 web ACLs. If you have reached the logging limit, increase it or rotate the logs more frequently.

3. Check the CloudWatch Log Group: Ensure that the CloudWatch log group specified for storing the ACL logs exists. If it does not, create a new log group in the desired Region.

4. Verify the WAF ACL Configuration: Double-check that the correct ACL is selected for logging, and confirm that all relevant rules are included in the ACL and properly configured.

5. Review CloudTrail and CloudWatch for Errors: Check the AWS CloudTrail logs and CloudWatch Logs for error messages related to modifying the logging configuration. These logs can show what is preventing logging from being enabled on the ACLs.

6. Reach Out to Support: If you have followed the troubleshooting steps and are still unable to enable logging on the ACLs, contact AWS Support for further assistance.

Necessary Codes:

There are no specific codes required for enabling logging on AWS WAFv2 regional and global web access control lists. However, you can use the AWS CLI or AWS Management Console to perform the necessary configuration steps.

Step-by-Step Guide for Remediation:

Follow these steps to enable logging on AWS WAFv2 regional and global web access control lists:

1. Open the AWS WAFv2 management console: https://console.aws.amazon.com/wafv2/

2. Select the desired AWS Region from the top-right corner of the console.

3. In the navigation pane, click "Web ACLs" to view the existing web access control lists.

4. Identify the regional and global web ACLs that need logging enabled, and note down their names.

5. Open the AWS CloudWatch Logs console in a new tab: https://console.aws.amazon.com/cloudwatch/

6. In the CloudWatch Logs console, click "Log groups" in the navigation pane.

7. Verify that a log group corresponding to the ACLs' logging exists. If not, create a new log group in the desired AWS Region.

8. Return to the AWS WAFv2 console.

9. Click the regional web ACL that you want to enable logging for.

10. On the web ACL details page, click the "Logging" tab.

11. Click "Edit Logging Configuration" and select "Enabled" for the desired log destination.

12. Choose the appropriate log group from the dropdown menu and click "Save Logging Configuration."

13. Repeat steps 9-12 for the global web ACL, if applicable.

14. Once logging is enabled, you can navigate back to the CloudWatch Logs console to view and analyze the logs.

Ensure that you regularly review these logs to stay informed about the activity on your web access control lists and maintain compliance with NIST 800-171 Revision 2 requirements.
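The console steps above can be replicated as an automated check. The following is an added example, not Cloud Defense's or AWS's code: it evaluates the dictionaries the wafv2 API returns (ListWebACLs entries and GetLoggingConfiguration responses) against this rule and builds the PutLoggingConfiguration input used to remediate. The sample ACLs, ARNs and the account id 123456789012 are constructed for the example.

```python
# Added example (not Cloud Defense's code): audit WAFv2 web ACLs for missing logging.
# Works on the plain dicts the wafv2 API returns (ListWebACLs entries, GetLoggingConfiguration
# responses), so it runs offline. Global (CloudFront) ACLs are listed with scope CLOUDFRONT
# in us-east-1; regional ACLs with scope REGIONAL in each Region.
from typing import Callable, Dict, List, Optional

CW_LOG_GROUP_PREFIX = "aws-waf-logs-"  # WAF accepts only log groups named with this prefix

def audit_web_acls(web_acls: List[Dict], get_logging_config: Callable[[str], Optional[Dict]]) -> List[Dict]:
    """One finding per ACL. get_logging_config(arn) returns the GetLoggingConfiguration
    response, or None when the ACL has no logging configuration at all."""
    findings = []
    for acl in web_acls:
        response = get_logging_config(acl["ARN"])
        cfg = {} if response is None else response.get("LoggingConfiguration", {})
        destinations = cfg.get("LogDestinationConfigs", [])
        # A CloudWatch Logs destination is usable only if the log group name has the prefix.
        invalid = [d for d in destinations if ":log-group:" in d
                   and not d.split(":log-group:", 1)[1].startswith(CW_LOG_GROUP_PREFIX)]
        findings.append({"Name": acl["Name"], "ARN": acl["ARN"], "LoggingEnabled": bool(destinations),
                         "Destinations": destinations, "InvalidDestinations": invalid})
    return findings

def noncompliant(findings: List[Dict]) -> List[str]:
    """Names of ACLs that fail the rule: no destination, or an unusable one."""
    return [f["Name"] for f in findings if not f["LoggingEnabled"] or f["InvalidDestinations"]]

def remediation_request(acl_arn: str, log_group_arn: str) -> Dict:
    """Input for wafv2 PutLoggingConfiguration that enables logging to one log group."""
    return {"LoggingConfiguration": {"ResourceArn": acl_arn, "LogDestinationConfigs": [log_group_arn]}}

# Constructed sample data (fictitious account 123456789012): one logged ACL, one unlogged.
ACCOUNT = "123456789012"
SAMPLE_WEB_ACLS = [
    {"Name": "api-acl", "ARN": f"arn:aws:wafv2:us-east-1:{ACCOUNT}:regional/webacl/api-acl/1111"},
    {"Name": "cdn-acl", "ARN": f"arn:aws:wafv2:us-east-1:{ACCOUNT}:global/webacl/cdn-acl/2222"},
]
SAMPLE_LOGGING = {SAMPLE_WEB_ACLS[0]["ARN"]: {"LoggingConfiguration": {
    "ResourceArn": SAMPLE_WEB_ACLS[0]["ARN"],
    "LogDestinationConfigs": [f"arn:aws:logs:us-east-1:{ACCOUNT}:log-group:aws-waf-logs-api"]}}}

def sample_lookup(arn: str) -> Optional[Dict]:
    """Stand-in for a boto3 call; a real lookup returns None on WAFNonexistentItemException."""
    return SAMPLE_LOGGING.get(arn)
```

With boto3, pass a lookup that calls `client.get_logging_configuration(ResourceArn=arn)` and returns None when `client.exceptions.WAFNonexistentItemException` is raised, and feed the result of `remediation_request` to `client.put_logging_configuration(**request)`.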
