Rule: Logging should be enabled on AWS WAFv2 regional and global web access control list (ACLs)

This rule ensures logging is enabled on AWS WAFv2 regional and global web access control lists.

Framework: NIST 800-53 Revision 5
Severity: Low

Logging for AWS WAFv2 Regional and Global Web ACLs

Description:

This rule dictates that logging should be enabled on AWS Web Application Firewall (WAFv2) regional and global web access control lists (ACLs) in accordance with the NIST 800-53 Revision 5 guidelines. Logging helps to maintain a record of traffic and potential security events, allowing for better analysis, monitoring, and compliance with security regulations.

Enabling logging on AWS WAFv2 regional and global web ACLs ensures that all incoming and outgoing traffic is logged, providing valuable information on potential attacks or suspicious activities. This information can be utilized for troubleshooting, forensic analysis, and auditing purposes.

Troubleshooting:

No specific troubleshooting steps are associated with this rule. However, if you encounter any issues while enabling logging on AWS WAFv2 regional and global web ACLs, it is advisable to follow the general troubleshooting steps outlined below:

  1. Ensure that you have the necessary permissions to modify WAFv2 ACL configurations.
  2. Verify that the target regional and global ACLs are properly configured and activated.
  3. Check AWS CloudTrail logs for any error messages related to logging configuration.
  4. Review AWS WAFv2 documentation and official AWS forums for specific troubleshooting guidance.

Code:

No specific code snippets are required for this rule. However, enabling logging on AWS WAFv2 regional and global web ACLs can be accomplished using the AWS Command Line Interface (CLI) or AWS Management Console.

Step-by-step Guide:

To enable logging on AWS WAFv2 regional and global web ACLs, follow these steps:

Via AWS Management Console:

  1. Log in to the AWS Management Console:
    • Region-specific URL: https://console.aws.amazon.com/wafv2/
    • Global URL: https://global.console.aws.amazon.com/wafv2/
  2. Navigate to the "Web ACLs" section.
  3. Select the target regional or global web ACL you want to enable logging for.
  4. Click on the "Edit" button or select "Edit Web ACL" from the context menu.
  5. Expand the "Logging configuration" section.
  6. Enable logging by toggling the switch to the "ON" position.
  7. Configure the logging destination as per your requirements, selecting either Amazon Kinesis Data Firehose or Amazon CloudWatch Logs.
  8. Specify the desired logging details such as the log format, log destination ARN, and sampling rate.
  9. Click "Save" or "Apply changes" to save the logging configuration.
  10. Repeat these steps for other regional or global web ACLs.

Via AWS CLI:

  1. Open the AWS CLI or AWS CloudShell.
  2. Use the following command to enable logging on a regional web ACL. Logging is attached with put-logging-configuration rather than update-web-acl, so the web ACL's rules, default action and visibility settings are left untouched:
aws wafv2 put-logging-configuration \
    --region <REGION> \
    --logging-configuration '{
        "ResourceArn": "<REGIONAL_WAF_ACL_ARN>",
        "LogDestinationConfigs": ["<KINESIS_FIREHOSE_ARN>"]
    }'

Note: Replace <REGION>, <REGIONAL_WAF_ACL_ARN> and <KINESIS_FIREHOSE_ARN> with your specific values. The Kinesis Data Firehose delivery stream must be in the same region as the web ACL and its name must begin with aws-waf-logs-; WAF rejects any other destination name.

  3. Use the following command to enable logging on a global web ACL. Global (CloudFront) web ACLs are managed through us-east-1, so the region is fixed:
aws wafv2 put-logging-configuration \
    --region us-east-1 \
    --logging-configuration '{
        "ResourceArn": "<GLOBAL_WAF_ACL_ARN>",
        "LogDestinationConfigs": ["<KINESIS_FIREHOSE_ARN>"]
    }'

Note: Replace <GLOBAL_WAF_ACL_ARN> and <KINESIS_FIREHOSE_ARN> with your specific values; the delivery stream for a global web ACL must itself be created in us-east-1. You can confirm that a configuration was stored with aws wafv2 get-logging-configuration --resource-arn <WAF_ACL_ARN>.

  4. Repeat these commands for other regional or global web ACLs.
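The check behind this rule, as an added example that is not Cloud Defense's code: list the web ACLs in both scopes (REGIONAL in the chosen region, CLOUDFRONT through us-east-1), report those without a logging configuration, and pre-validate a destination ARN before calling put-logging-configuration. The account number, ACL IDs and destination ARNs in the sample data are constructed; the boto3 calls are the real wafv2 API but run only inside the two live functions.

```python
"""Audit and remediate WAFv2 web ACL logging (added example, not Cloud Defense code)."""
from __future__ import annotations

# WAF rejects a destination (Firehose stream, CloudWatch log group, S3 bucket) without this prefix.
REQUIRED_PREFIX = "aws-waf-logs-"

def destination_is_valid(arn: str) -> bool:
    """Pre-flight check on a destination ARN: the resource name must carry REQUIRED_PREFIX."""
    resource = arn.split(":", 5)[5]   # "deliverystream/NAME", "log-group:NAME" or "NAME"
    for sep in (":", "/"):            # drop the resource-type token when present
        if sep in resource:
            resource = resource.split(sep, 1)[1]
            break
    return resource.startswith(REQUIRED_PREFIX)

def missing_logging(web_acls: list[dict], logging_configs: list[dict]) -> list[str]:
    """Names of web ACLs with no logging configuration (inputs shaped like the API responses)."""
    logged = {cfg["ResourceArn"] for cfg in logging_configs if cfg.get("LogDestinationConfigs")}
    return [acl["Name"] for acl in web_acls if acl["ARN"] not in logged]

def audit_account(region: str) -> dict[str, list[str]]:
    """Live check: REGIONAL web ACLs in `region`, CLOUDFRONT (global) ones via us-east-1."""
    import boto3  # imported here so the pure functions above run without the SDK installed
    report = {}
    for scope, api_region in (("REGIONAL", region), ("CLOUDFRONT", "us-east-1")):
        waf = boto3.client("wafv2", region_name=api_region)
        acls = waf.list_web_acls(Scope=scope)["WebACLs"]
        cfgs = waf.list_logging_configurations(Scope=scope)["LoggingConfigurations"]
        report[scope] = missing_logging(acls, cfgs)
    return report

def enable_logging(scope: str, web_acl_arn: str, destination_arn: str) -> None:
    """Attach one destination to one web ACL; equivalent to put-logging-configuration (live call)."""
    if not destination_is_valid(destination_arn):
        raise ValueError(f"destination name must start with {REQUIRED_PREFIX}: {destination_arn}")
    import boto3
    region = "us-east-1" if scope == "CLOUDFRONT" else web_acl_arn.split(":")[3]
    boto3.client("wafv2", region_name=region).put_logging_configuration(
        LoggingConfiguration={"ResourceArn": web_acl_arn, "LogDestinationConfigs": [destination_arn]})

# Constructed sample data (fictitious account and IDs) in the shape of the API responses.
SAMPLE_ACLS = [
    {"Name": "api-regional", "ARN": "arn:aws:wafv2:us-west-2:111122223333:regional/webacl/api-regional/0001"},
    {"Name": "site-global", "ARN": "arn:aws:wafv2:us-east-1:111122223333:global/webacl/site-global/0002"},
]
SAMPLE_CONFIGS = [
    {"ResourceArn": SAMPLE_ACLS[0]["ARN"],
     "LogDestinationConfigs": ["arn:aws:firehose:us-west-2:111122223333:deliverystream/aws-waf-logs-api"]},
]
```

list_web_acls and list_logging_configurations return one page each; accounts with many web ACLs need NextMarker handling, and a multi-region estate needs audit_account run once per region in use.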

Conclusion:

Enabling logging on AWS WAFv2 regional and global web ACLs is crucial for enhanced security and compliance. By following the detailed instructions provided above, you can ensure that your WAFv2 ACLs are configured to log all traffic, facilitating effective monitoring and analysis of potential security events. Remember to regularly review the logs for any suspicious activities and maintain compliance with NIST 800-53 Revision 5 guidelines.
