
Logging Rule for AWS WAFv2 Web ACLs

This rule mandates enabling logging on AWS WAFv2 regional and global web access control lists.

Rule: Logging should be enabled on AWS WAFv2 regional and global web access control lists (ACLs)
Framework: NIST 800-53 Revision 5
Severity: Low

Rule Description:

The rule requires logging to be enabled on every AWS Web Application Firewall v2 (WAFv2) web access control list (ACL), both regional (scope REGIONAL, protecting Application Load Balancers, API Gateway stages, AppSync APIs and similar regional resources) and global (scope CLOUDFRONT, protecting CloudFront distributions and managed only through the us-east-1 endpoint), in accordance with the NIST 800-53 Revision 5 security standard. A WAF log records each inspected request together with the rule that matched and the action taken, so enabling it is what makes it possible to monitor web traffic, see attacks the ACL blocked or only counted, tune rules, and investigate incidents after the fact.

Troubleshooting Steps:

  1. Verify WAFv2 ACLs: List the web ACLs in both scopes (REGIONAL in every region you use, CLOUDFRONT via us-east-1) and confirm each is associated with the resources it is meant to protect. A web ACL that protects nothing is still flagged by this rule if it has no logging configuration.
  2. Check Logging Configuration: Query each web ACL's logging configuration (the GetLoggingConfiguration API). A WAFNonexistentItemException response means no logging configuration exists for that web ACL, which is the condition this rule flags.
  3. Verify IAM Permissions: Ensure that the IAM user or role managing WAFv2 is allowed wafv2:GetLoggingConfiguration and wafv2:PutLoggingConfiguration on the web ACL, can create the log destination if it does not yet exist, and can create a service-linked role the first time logging is enabled in the account (AWS WAF creates the AWSServiceRoleForWAFV2Logging role).
  4. Review the Log Destination: After enabling logging, check the CloudWatch Logs log group (or the Kinesis Data Firehose stream or S3 bucket, if one of those was chosen) for WAF log records. A web ACL that receives no traffic writes nothing, so send a request to a protected resource before concluding that delivery is broken.

Necessary Code:

Logging is attached to a web ACL with the WAFv2 PutLoggingConfiguration API (aws wafv2 put-logging-configuration), not with update-web-acl, which has no logging option. The call takes the web ACL's ARN and a list of log destination ARNs; the scope (REGIONAL or CLOUDFRONT) is implied by the ARN. Below are AWS CLI commands for a regional and a global ACL, each sending logs to a CloudWatch Logs log group. Three requirements of the WAFv2 logging API apply to both:

  • A CloudWatch log group used as a WAF log destination must have a name beginning with aws-waf-logs- (the same prefix rule applies to Firehose delivery streams and S3 buckets), and its ARN is given without the trailing :* that describe-log-groups prints.
  • The log group must be in the same region as the web ACL. Global (CloudFront) web ACLs exist only in us-east-1, so both the log group and the wafv2 API call must use that region.
  • When logging is configured from the CLI rather than the console, the log group needs a resource policy that lets the log delivery service (delivery.logs.amazonaws.com) call logs:CreateLogStream and logs:PutLogEvents on it; the console adds this policy automatically, the CLI does not.

Enable Logging on Regional ACL:

aws wafv2 put-logging-configuration --region <region> --logging-configuration '{"ResourceArn":"arn:aws:wafv2:<region>:<account_id>:regional/webacl/<ACL_Name>/<ACL_ID>","LogDestinationConfigs":["arn:aws:logs:<region>:<account_id>:log-group:<log_group_name>"]}'

Replace the placeholders enclosed in angle brackets (<>) with appropriate values:

  • <region>: The AWS region the web ACL lives in; the log group is stored in the same region.
  • <account_id>: Your AWS account ID.
  • <ACL_Name>: The name of the regional ACL.
  • <ACL_ID>: The ID of the regional ACL. Name and ID together form the last two segments of the web ACL ARN, which list-web-acls also prints in full.
  • <log_group_name>: The name of the CloudWatch Logs log group where the logs will be stored; it must begin with aws-waf-logs-.

Enable Logging on Global ACL:

aws wafv2 put-logging-configuration --region us-east-1 --logging-configuration '{"ResourceArn":"arn:aws:wafv2:us-east-1:<account_id>:global/webacl/<ACL_Name>/<ACL_ID>","LogDestinationConfigs":["arn:aws:logs:us-east-1:<account_id>:log-group:<log_group_name>"]}'

Replace the placeholders enclosed in angle brackets (<>) with appropriate values:

  • <account_id>: Your AWS account ID.
  • <ACL_Name>: The name of the global ACL.
  • <ACL_ID>: The ID of the global ACL.
  • <log_group_name>: The name of the CloudWatch Logs log group in us-east-1 where the logs will be stored; it must begin with aws-waf-logs-.

The region is fixed at us-east-1 for global ACLs and is not a placeholder.

Step-by-Step Guide for Remediation:

  1. Identify the regional and global ACLs in your AWS WAFv2 configuration (list-web-acls with scope REGIONAL in each region you use, and with scope CLOUDFRONT against us-east-1).
  2. Open the AWS Command Line Interface (CLI) or any equivalent CLI tool.
  3. Verify IAM Credentials: Ensure you have IAM credentials with the permissions listed in the troubleshooting steps to manage the WAFv2 ACLs and the log destination.
  4. Create the log destination if it does not already exist: a CloudWatch Logs log group named with the aws-waf-logs- prefix, in the same region as the web ACL, with a resource policy allowing delivery.logs.amazonaws.com to write to it.
  5. Execute the command to enable logging on each regional ACL. Use the provided code snippet for a regional ACL and replace the placeholders with actual values.
  6. Execute the command to enable logging on each global ACL. Use the provided code snippet for a global ACL and replace the placeholders with actual values.
  7. Verify Logs: Read the logging configuration back (get-logging-configuration) and confirm it names the destination; then, after sending traffic through a protected resource, check the log group for WAF log records.
  8. Monitor and Analyze Logs: Query the logs with CloudWatch Logs Insights, or ship them to Amazon Athena or Amazon OpenSearch Service (formerly Amazon Elasticsearch Service) for security analysis. Useful starting points are requests whose action was BLOCK, and requests that matched a rule in COUNT mode, which show what a rule would have blocked had it been enforcing.
  9. Regularly review the logs to identify potential security threats or anomalies.
  10. If any issues are encountered, refer to the troubleshooting steps provided earlier to diagnose and resolve them.

By following the above steps, logging on the AWS WAFv2 regional and global web access control lists will be successfully enabled, ensuring compliance with the NIST 800-53 Revision 5 security requirements.
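The following script carries the whole procedure through in one place: it audits every web ACL in both scopes for a logging configuration and, on request, enables CloudWatch Logs delivery for a given web ACL, creating the log group and its resource policy first. It is an added example written for this page, not Cloud Defense's code or an AWS-supplied tool. It assumes AWS CLI v2 with credentials in the environment; the constant SAMPLE_ENABLED is a constructed get-logging-configuration response used only for offline checks of the parsing helper, and the log group policy name is an arbitrary choice.

```shell
#!/bin/sh
# Added example (not Cloud Defense's code): audit every WAFv2 web ACL for a
# logging configuration and enable CloudWatch Logs delivery where it is missing.
# Assumes AWS CLI v2 is installed and credentialed.
set -eu

# Region the WAFv2 API must be called in for a web ACL ARN. Global (CloudFront)
# web ACLs carry ":global/webacl/" and are only reachable via us-east-1;
# regional ARNs name their own region in the fourth colon-separated field.
waf_api_region() {
  case "$1" in
    arn:aws:wafv2:*:*:global/webacl/*)   echo "us-east-1" ;;
    arn:aws:wafv2:*:*:regional/webacl/*) printf '%s\n' "$1" | cut -d: -f4 ;;
    *) echo "not a WAFv2 web ACL ARN: $1" >&2; return 1 ;;
  esac
}

# WAF rejects CloudWatch log groups whose name does not start with aws-waf-logs-.
valid_waf_log_group() {
  case "$1" in aws-waf-logs-*) return 0 ;; *) return 1 ;; esac
}

# Log group ARN in the form LogDestinationConfigs expects (no trailing ":*").
log_group_arn() {  # $1 region, $2 account id, $3 log group name
  echo "arn:aws:logs:$1:$2:log-group:$3"
}

# True when a get-logging-configuration response names a destination list.
# An empty string stands in for the WAFNonexistentItemException the API
# returns when no logging configuration exists for the web ACL.
logging_enabled() {
  printf '%s' "$1" | grep -q '"LogDestinationConfigs"'
}

# Constructed sample response (not real account data) for offline checks.
SAMPLE_ENABLED='{"LoggingConfiguration":{"ResourceArn":"arn:aws:wafv2:us-east-1:123456789012:global/webacl/edge/1111-2222","LogDestinationConfigs":["arn:aws:logs:us-east-1:123456789012:log-group:aws-waf-logs-edge"]}}'

list_web_acls() {  # $1 scope (REGIONAL|CLOUDFRONT), $2 region
  aws wafv2 list-web-acls --scope "$1" --region "$2" --query 'WebACLs[].ARN' --output text
}

# Print OK/MISSING per web ACL; return 1 if any web ACL has no logging configuration.
audit() {
  region="${AWS_REGION:-us-east-1}"; missing=0
  for arn in $(list_web_acls CLOUDFRONT us-east-1) $(list_web_acls REGIONAL "$region"); do
    # The get call fails (WAFNonexistentItemException) when logging is off; treat that as empty.
    out=$(aws wafv2 get-logging-configuration --resource-arn "$arn" \
            --region "$(waf_api_region "$arn")" --output json 2>/dev/null || true)
    if logging_enabled "$out"; then echo "OK      $arn"; else echo "MISSING $arn"; missing=1; fi
  done
  return "$missing"
}

# Enable logging for one web ACL into a CloudWatch log group, creating the group
# and the resource policy that lets the log delivery service write to it.
enable_logging() {  # $1 web ACL ARN, $2 log group name
  valid_waf_log_group "$2" || { echo "log group name must start with aws-waf-logs-" >&2; return 1; }
  region=$(waf_api_region "$1")
  account=$(aws sts get-caller-identity --query Account --output text)
  garn=$(log_group_arn "$region" "$account" "$2")
  if ! aws logs describe-log-groups --log-group-name-prefix "$2" --region "$region" \
         --query "logGroups[?logGroupName=='$2'].logGroupName" --output text | grep -q .; then
    aws logs create-log-group --log-group-name "$2" --region "$region"
  fi
  # Policy name is an arbitrary choice; the principal and actions are what WAF log delivery needs.
  aws logs put-resource-policy --region "$region" --policy-name "waf-log-delivery-$2" --policy-document \
    "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":{\"Service\":\"delivery.logs.amazonaws.com\"},\"Action\":[\"logs:CreateLogStream\",\"logs:PutLogEvents\"],\"Resource\":\"$garn:*\"}]}"
  aws wafv2 put-logging-configuration --region "$region" \
    --logging-configuration "{\"ResourceArn\":\"$1\",\"LogDestinationConfigs\":[\"$garn\"]}"
  # Read the configuration back so the caller sees what was actually stored.
  aws wafv2 get-logging-configuration --resource-arn "$1" --region "$region" --output json
}

case "${1:-}" in
  audit)  audit ;;
  enable) enable_logging "$2" "$3" ;;
esac
```

Run `sh waf-logging.sh audit` (with AWS_REGION set to each region that hosts regional web ACLs) to get one line per web ACL and a non-zero exit status if any lacks logging, which makes it usable as a CI or scheduled compliance check; then `sh waf-logging.sh enable <web-acl-arn> aws-waf-logs-<name>` for each MISSING line. The audit deliberately derives the API region from the ARN rather than from the caller's default region, because a CloudFront web ACL queried in any region other than us-east-1 simply does not exist from the API's point of view and would be misreported.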
