This rule requires that logging be enabled for every AWS WAFv2 regional and global web access control list (ACL).
Rule | Logging should be enabled on AWS WAFv2 regional and global web access control lists (ACLs) |
Framework | NIST 800-53 Revision 5 |
Severity | ✔ Low |
Rule/Policy: Logging Enabled on AWS WAFv2 Regional and Global Web ACLs for NIST 800-53 Revision 5
Description:
This rule/policy ensures that logging is enabled on AWS Web Application Firewall Version 2 (WAFv2) regional and global web access control lists (ACLs) in compliance with the guidelines outlined in NIST 800-53 Revision 5. By enabling logging, you can capture important information about incoming requests to your web application, helping with security monitoring, analysis, and incident response.
Enabling logging on WAFv2 ACLs provides detailed insights into the traffic accessing your web application, including request details, IP addresses, timestamps, and more. These logs can be further analyzed using AWS services or integrated with third-party security information and event management (SIEM) tools.
Troubleshooting Steps:
In case logging is not enabled on the WAFv2 ACLs or there are issues with logging, follow the troubleshooting steps below:
Verify Logging Status: Check the status of logging for the WAFv2 ACLs and ensure that it is enabled. Access the AWS Management Console, navigate to the AWS WAFv2 service, and select the appropriate regional or global web ACL under the "Web ACLs" section. Ensure that the logging status is set to "Enabled" in the ACL settings.
Check IAM Permissions: Verify that the user or IAM role used to configure and manage the WAFv2 ACLs has the necessary permissions. Ensure that the IAM entity has the wafv2:UpdateLoggingConfiguration permission for the respective ACL.
Check Log Delivery Configuration: Review the configuration of the log delivery mechanism associated with the WAFv2 ACLs. Ensure that the appropriate logging destination (e.g., Amazon S3 bucket, Amazon Kinesis Data Firehose delivery stream) is specified and correctly configured. Validate the permissions of the IAM entity used for log delivery.
Examine CloudWatch Logs: If logs are being delivered to CloudWatch Logs, verify that the log streams are receiving the data and there are no errors or issues with log ingestion. Review the logs for any potential error messages or warnings related to WAFv2 logging.
Review Resource Limits: Confirm that the WAFv2 ACLs have not reached their quota for logging-related resources. Check if the logging capacity and limits for WebACLLogDestination and LoggingFilter are within acceptable ranges. Adjust the limits if required.
Contact AWS Support: If the above troubleshooting steps do not resolve the logging issues, consider reaching out to AWS Support for further assistance. Provide them with relevant details and configuration information to expedite the resolution.
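A scripted version of the "Verify Logging Status" check above, added here as an example (it is not part of this rule page): evaluate() applies the rule to one LoggingConfiguration and runs offline, while scan() walks every REGIONAL and CLOUDFRONT web ACL with boto3 (assumes configured credentials and a default region). All function names are this example's own.

```python
try:
    import boto3
    from botocore.exceptions import ClientError
except ImportError:  # boto3 is only needed by scan(); evaluate() runs offline
    boto3, ClientError = None, Exception

REQUIRED_PREFIX = "aws-waf-logs-"  # WAFv2 rejects S3/Firehose/CloudWatch destinations named otherwise

def destination_name(arn):
    """Resource name from a destination ARN (bucket, stream or log group)."""
    tail = arn.split(":", 5)[-1]  # everything after the account id
    return tail.split("/", 1)[-1] if "/" in tail else tail.split(":")[-1]

def evaluate(cfg):
    """Return ("ok"|"alarm", reason) for a LoggingConfiguration dict, or
    for None when WAF reports that the web ACL has no configuration."""
    if cfg is None:
        return "alarm", "no logging configuration"
    dests = cfg.get("LogDestinationConfigs", [])
    if not dests:
        return "alarm", "no log destinations"
    bad = [d for d in dests if not destination_name(d).startswith(REQUIRED_PREFIX)]
    if bad:
        return "alarm", f"destination not named {REQUIRED_PREFIX}*: {bad[0]}"
    return "ok", f"logging to {len(dests)} destination(s)"

def scan(session=None):
    """Yield (scope, acl_arn, status, reason) for REGIONAL ACLs in the session
    region and CLOUDFRONT ACLs, which are only visible from us-east-1."""
    session = session or boto3.Session()
    for scope, region in (("REGIONAL", session.region_name), ("CLOUDFRONT", "us-east-1")):
        waf, kwargs = session.client("wafv2", region_name=region), {"Scope": scope}
        while True:  # follow NextMarker pagination
            page = waf.list_web_acls(**kwargs)
            for acl in page["WebACLs"]:
                try:
                    cfg = waf.get_logging_configuration(ResourceArn=acl["ARN"])["LoggingConfiguration"]
                except ClientError as e:  # "no configuration" is reported as an error
                    if e.response["Error"]["Code"] != "WAFNonexistentItemException":
                        raise
                    cfg = None
                yield (scope, acl["ARN"]) + evaluate(cfg)
            if "NextMarker" not in page:
                break
            kwargs["NextMarker"] = page["NextMarker"]

if __name__ == "__main__":
    for scope, arn, status, reason in scan():
        print(f"{status.upper():5} {scope:10} {arn}  {reason}")
```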
Code Example:
To enable logging on an AWS WAFv2 regional or global web ACL from the AWS Command Line Interface (CLI), use the put-logging-configuration command (update-web-acl edits rules and the default action but does not accept a logging configuration). Here is an example code snippet:

```bash
# Attach a logging configuration to a web ACL. The destination (S3 bucket,
# Kinesis Data Firehose delivery stream or CloudWatch Logs log group) must be
# named with the prefix aws-waf-logs-. For a global (CloudFront) web ACL the
# region must be us-east-1. RedactedFields and LoggingFilter are optional.
aws wafv2 put-logging-configuration \
  --region <region> \
  --logging-configuration '{
    "ResourceArn": "<web-acl-arn>",
    "LogDestinationConfigs": ["<log-destination-arn>"],
    "RedactedFields": [<redacted-fields>],
    "LoggingFilter": <logging-filter>
  }'
```

Make sure to replace the placeholders (<region>, <web-acl-arn>, <log-destination-arn>, <redacted-fields>, <logging-filter>) with the appropriate values specific to your WAFv2 ACL.
Remediation Steps:
To enable logging on AWS WAFv2 regional or global web ACLs, follow these step-by-step remediation instructions:
Access the AWS Management Console: Log in to the AWS Management Console using valid credentials.
Navigate to AWS WAFv2: Go to the AWS WAFv2 service by either searching for "WAF" in the service search bar or finding it under "Security, Identity & Compliance" in the service menu.
Select the Regional or Global Web ACL: From the list of available web ACLs, choose the regional or global web ACL you want to enable logging for.
Edit Web ACL Settings: Click on the "Edit settings" button located at the top right corner of the details page to modify the web ACL configuration.
Enable Logging: Scroll down to the "Logging configuration" section and ensure that the "Logging status" toggle switch is set to "Enabled".
Configure Log Destination: Specify the appropriate logging destination by selecting one of the available options (e.g., AWS CloudWatch Logs, Amazon Kinesis Data Firehose, Amazon S3). Follow the on-screen instructions to configure the log delivery mechanism.
Customize Logging Filter (Optional): If needed, customize the logging filter to define specific conditions or filtering rules for the logs. This allows you to include or exclude specific requests from being logged based on defined criteria.
Review and Save: Double-check all the settings and configurations. Once satisfied, click on the "Save changes" button to apply the updates and enable logging for the selected web ACL.
Verify Logging Status: After saving the changes, ensure that the logging status of the web ACL is now displayed as "Enabled". This confirms that logging is successfully enabled for the selected web ACL.
By following these steps, you will enable the logging feature on an AWS WAFv2 regional or global web ACL, adhering to the requirements of NIST 800-53 Revision 5.