This rule ensures logging is enabled on AWS WAFv2 regional and global web access control lists.
Rule: Logging should be enabled on AWS WAFv2 regional and global web access control lists (ACLs)
Framework: NIST 800-53 Revision 5
Severity: Low
Logging for AWS WAFv2 Regional and Global Web ACLs
Description:
This rule dictates that logging should be enabled on AWS Web Application Firewall (WAFv2) regional and global web access control lists (ACLs) in accordance with the NIST 800-53 Revision 5 guidelines. Logging helps to maintain a record of traffic and potential security events, allowing for better analysis, monitoring, and compliance with security regulations.
Enabling logging on AWS WAFv2 regional and global web ACLs ensures that the web requests inspected by each web ACL are logged, providing valuable information on potential attacks or suspicious activity. This information can be used for troubleshooting, forensic analysis, and auditing.
Troubleshooting:
No specific troubleshooting steps are associated with this rule. However, if you encounter any issues while enabling logging on AWS WAFv2 regional and global web ACLs, it is advisable to follow the general troubleshooting steps outlined below:
Code:
No specific code snippets are required for this rule. However, enabling logging on AWS WAFv2 regional and global web ACLs can be accomplished using the AWS Command Line Interface (CLI) or AWS Management Console.
Step-by-step Guide:
To enable logging on AWS WAFv2 regional and global web ACLs, follow these steps:
Via AWS Management Console:
Via AWS CLI:
Regional web ACL (run in the region where the web ACL lives):

# update-web-acl has no logging parameter; logging is attached to an
# existing web ACL with put-logging-configuration.
aws wafv2 put-logging-configuration \
  --logging-configuration ResourceArn=<REGIONAL_WAF_ACL_ARN>,LogDestinationConfigs=<KINESIS_FIREHOSE_ARN> \
  --region <REGION>

Note: Replace <REGIONAL_WAF_ACL_ARN>, <KINESIS_FIREHOSE_ARN> and <REGION> with your specific values. The Kinesis Data Firehose delivery stream must be in the same region as the web ACL, and its name must begin with aws-waf-logs- or the call is rejected.

Global (CloudFront) web ACL:

# Global web ACLs are managed through the us-east-1 endpoint, so the
# delivery stream must also exist in us-east-1.
aws wafv2 put-logging-configuration \
  --logging-configuration ResourceArn=<GLOBAL_WAF_ACL_ARN>,LogDestinationConfigs=<KINESIS_FIREHOSE_ARN> \
  --region us-east-1

Note: Replace <GLOBAL_WAF_ACL_ARN> and <KINESIS_FIREHOSE_ARN> with your specific values.

Conclusion:
Enabling logging on AWS WAFv2 regional and global web ACLs is crucial for enhanced security and compliance. By following the detailed instructions provided above, you can ensure that your WAFv2 ACLs are configured to log all traffic, facilitating effective monitoring and analysis of potential security events. Remember to regularly review the logs for any suspicious activities and maintain compliance with NIST 800-53 Revision 5 guidelines.
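To find the web ACLs that still violate this rule before remediating them, the following added example (not code from the rule page or from AWS) consumes the JSON printed by `aws wafv2 list-web-acls --scope SCOPE` and `aws wafv2 list-logging-configurations --scope SCOPE`, lists every web ACL without a logging configuration, and builds the put-logging-configuration call for each; the sample CLI output, account id and ARNs are constructed, and the Firehose ARN is assumed to be an existing aws-waf-logs- stream.

```python
"""Find WAFv2 web ACLs without logging and build the remediation command.

Input is the JSON of `aws wafv2 list-web-acls` and
`aws wafv2 list-logging-configurations` for one scope (query the
CLOUDFRONT scope with --region us-east-1). Sample data below is constructed.
"""
import json

# WAF log destinations (Firehose stream, S3 bucket, CloudWatch log group)
# must be named with this prefix or PutLoggingConfiguration is rejected.
DEST_PREFIX = "aws-waf-logs-"


def destination_name(dest_arn: str) -> str:
    """Resource name from a destination ARN, e.g. '.../deliverystream/NAME'."""
    parts = dest_arn.split(":")
    if parts[-1] == "*":            # CloudWatch log-group ARNs may end in ':*'
        parts.pop()
    return parts[-1].split("/")[-1]


def unlogged_web_acls(web_acls_json: str, logging_json: str) -> list:
    """ARNs of web ACLs that have no logging configuration at all."""
    acls = json.loads(web_acls_json)["WebACLs"]
    configs = json.loads(logging_json)["LoggingConfigurations"]
    logged = {c["ResourceArn"] for c in configs if c.get("LogDestinationConfigs")}
    return [a["ARN"] for a in acls if a["ARN"] not in logged]


def remediation_command(acl_arn: str, dest_arn: str, region: str) -> str:
    """CLI call that enables logging; refuses a destination WAF would reject."""
    if not destination_name(dest_arn).startswith(DEST_PREFIX):
        raise ValueError(f"destination name must start with {DEST_PREFIX!r}")
    return ("aws wafv2 put-logging-configuration --logging-configuration "
            f"ResourceArn={acl_arn},LogDestinationConfigs={dest_arn} "
            f"--region {region}")


# Constructed sample CLI output: two regional ACLs, only the first is logged.
SAMPLE_ACLS = json.dumps({"WebACLs": [
    {"Name": "api-acl", "Id": "1111", "ARN": "arn:aws:wafv2:us-east-1:123456789012:regional/webacl/api-acl/1111"},
    {"Name": "web-acl", "Id": "2222", "ARN": "arn:aws:wafv2:us-east-1:123456789012:regional/webacl/web-acl/2222"},
]})
SAMPLE_LOGGING = json.dumps({"LoggingConfigurations": [
    {"ResourceArn": "arn:aws:wafv2:us-east-1:123456789012:regional/webacl/api-acl/1111",
     "LogDestinationConfigs": ["arn:aws:firehose:us-east-1:123456789012:deliverystream/aws-waf-logs-api"]},
]})
FIREHOSE = "arn:aws:firehose:us-east-1:123456789012:deliverystream/aws-waf-logs-api"

if __name__ == "__main__":
    for arn in unlogged_web_acls(SAMPLE_ACLS, SAMPLE_LOGGING):
        print(remediation_command(arn, FIREHOSE, "us-east-1"))
```

Feed real output by replacing the two SAMPLE_ strings with the CLI's stdout, once per scope.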