This rule emphasizes enabling logging on AWS WAFv2 regional and global web ACLs to enhance security measures.
Rule: Logging should be enabled on AWS WAFv2 regional and global web access control lists (ACLs)
Framework: NIST 800-53 Revision 5
Severity: Low
Rule Description
The rule requires enabling logging on AWS Web Application Firewall Version 2 (WAFv2) for both regional and global Web Access Control Lists (ACLs) in compliance with the National Institute of Standards and Technology (NIST) Special Publication 800-53 Revision 5.
Troubleshooting Steps
If you encounter any issues while enabling logging on AWS WAFv2 regional and global ACLs, you can follow these troubleshooting steps:
Ensure you have the necessary permissions: Check if your AWS Identity and Access Management (IAM) user or role has the required permissions to enable logging on the WAFv2 ACLs.
Verify WAFv2 configuration: Double-check your WAFv2 configuration to ensure that the ACLs are properly deployed and associated with the desired resources.
Check for conflicting resources: Make sure there are no conflicting resources, such as other services or AWS managed rules, that might interfere with enabling logging on the ACLs.
Review CloudWatch Logs configuration: Check if the appropriate CloudWatch Logs configuration is in place for storing the WAFv2 logs.
Review AWS WAF logs in CloudWatch: If the logs are not appearing in CloudWatch, review the WAFv2 logging configurations in AWS CloudFormation and AWS WAF Logging Monitor to identify any potential issues.
Necessary Codes
The following AWS Command Line Interface (CLI) commands enable logging on AWS WAFv2 regional and global web ACLs. Logging is attached with put-logging-configuration, which takes the web ACL ARN and a log destination ARN (a CloudWatch Logs log group, an S3 bucket or a Kinesis Data Firehose delivery stream whose name begins with aws-waf-logs-):

# Regional web ACL (run in the region that hosts the web ACL)
aws wafv2 put-logging-configuration \
  --logging-configuration 'ResourceArn=<web-acl-arn>,LogDestinationConfigs=<log-destination-arn>'

# Global (CloudFront) web ACL: the CLOUDFRONT scope is served from us-east-1
aws wafv2 put-logging-configuration \
  --region us-east-1 \
  --logging-configuration 'ResourceArn=<web-acl-arn>,LogDestinationConfigs=<log-destination-arn>'
Step-by-Step Guide for Remediation
Follow these steps to enable logging on AWS WAFv2 regional and global web ACLs:
1. Identify the regional ACL: determine the ARN of the regional web ACL you want to enable logging for.
2. Enable logging on the regional ACL: replace <web-acl-arn> with the ARN identified in step 1 and <log-destination-arn> with a destination whose name begins with aws-waf-logs-:
   aws wafv2 put-logging-configuration \
     --logging-configuration 'ResourceArn=<web-acl-arn>,LogDestinationConfigs=<log-destination-arn>'
3. Identify the global ACL: determine the ARN of the global (CloudFront) web ACL you want to enable logging for.
4. Enable logging on the global ACL: replace <web-acl-arn> with the ARN identified in step 3; global web ACLs are managed through us-east-1:
   aws wafv2 put-logging-configuration \
     --region us-east-1 \
     --logging-configuration 'ResourceArn=<web-acl-arn>,LogDestinationConfigs=<log-destination-arn>'
5. Verify the changes: check the AWS WAFv2 console or use CLI commands to confirm that logging is enabled for the regional and global ACLs as intended.
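The check behind this rule, and the remediation it points at, as an added example that is not part of the original page: given records shaped like the output of aws wafv2 list-web-acls and list-logging-configurations (constructed sample data below; account, region and ACL IDs are placeholders), it flags web ACLs with no logging configuration or with a destination WAFv2 would reject, and builds the matching put-logging-configuration command, including the us-east-1 region for CloudFront-scoped ACLs.

```python
import re
from typing import Dict, List

# Constructed sample records shaped like `aws wafv2 list-web-acls` and
# `aws wafv2 list-logging-configurations` output. Placeholder account/IDs.
ACCT = "111122223333"
WEB_ACLS: List[Dict] = [
    {"Name": "api-regional", "Scope": "REGIONAL",
     "ARN": f"arn:aws:wafv2:us-west-2:{ACCT}:regional/webacl/api-regional/aaaa-1111"},
    {"Name": "site-global", "Scope": "CLOUDFRONT",
     "ARN": f"arn:aws:wafv2:us-east-1:{ACCT}:global/webacl/site-global/bbbb-2222"},
    {"Name": "legacy-regional", "Scope": "REGIONAL",
     "ARN": f"arn:aws:wafv2:us-west-2:{ACCT}:regional/webacl/legacy-regional/cccc-3333"},
]
LOGGING_CONFIGS: List[Dict] = [
    {"ResourceArn": WEB_ACLS[0]["ARN"],
     "LogDestinationConfigs": [f"arn:aws:logs:us-west-2:{ACCT}:log-group:aws-waf-logs-api"]},
    # legacy-regional points at a log group that lacks the mandatory prefix
    {"ResourceArn": WEB_ACLS[2]["ARN"],
     "LogDestinationConfigs": [f"arn:aws:logs:us-west-2:{ACCT}:log-group:waf-old"]},
]

# WAFv2 only accepts destinations whose name begins with "aws-waf-logs-":
# a CloudWatch Logs log group, an S3 bucket or a Kinesis Data Firehose stream.
_DEST_PATTERNS = [
    re.compile(r"^arn:aws:logs:[a-z0-9-]+:\d{12}:log-group:aws-waf-logs-[\w./#-]+(:\*)?$"),
    re.compile(r"^arn:aws:s3:::aws-waf-logs-[a-z0-9.-]+$"),
    re.compile(r"^arn:aws:firehose:[a-z0-9-]+:\d{12}:deliverystream/aws-waf-logs-[\w.-]+$"),
]

def destination_is_valid(arn: str) -> bool:
    """True if the destination ARN is one WAFv2 will accept for logging."""
    return any(p.match(arn) for p in _DEST_PATTERNS)

def find_noncompliant(web_acls: List[Dict], logging_configs: List[Dict]) -> List[str]:
    """ARNs of web ACLs with no logging configuration or an invalid destination."""
    dests = {c["ResourceArn"]: c.get("LogDestinationConfigs", []) for c in logging_configs}
    return [acl["ARN"] for acl in web_acls
            if not dests.get(acl["ARN"])
            or not all(destination_is_valid(d) for d in dests[acl["ARN"]])]

def remediation_command(acl: Dict, destination_arn: str) -> str:
    """CLI command that enables logging; CloudFront (global) ACLs live in us-east-1."""
    region = "--region us-east-1 " if acl["Scope"] == "CLOUDFRONT" else ""
    return (f"aws wafv2 put-logging-configuration {region}--logging-configuration "
            f"'ResourceArn={acl['ARN']},LogDestinationConfigs={destination_arn}'")

if __name__ == "__main__":
    for arn in find_noncompliant(WEB_ACLS, LOGGING_CONFIGS):
        print("NON-COMPLIANT:", arn)
```

Against live accounts, feed the functions the JSON from the two list commands and confirm the result of each remediation with aws wafv2 get-logging-configuration --resource-arn <web-acl-arn>.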
Conclusion
By following the troubleshooting steps and executing the necessary CLI commands, you can successfully enable logging on AWS WAFv2 regional and global ACLs in compliance with NIST 800-53 Revision 5.