This rule ensures that logging is enabled on AWS WAFv2 regional and global web access control lists to enhance security.
| Rule | Logging should be enabled on AWS WAFv2 regional and global web access control lists (ACLs) |
| --- | --- |
| Framework | CISA-cyber-essentials |
| Severity | ✔ Low |
Rule Description
The rule requires that logging is enabled on AWS WAFv2 regional and global web access control lists (ACLs) for CISA-cyber-essentials. This ensures that the web requests inspected by each web ACL are logged for improved visibility and security monitoring.
Enabling logging allows the capture of important information such as HTTP requests, IP addresses, timestamps, and other relevant details for analysis and investigation in case of security incidents or compliance audits.
Troubleshooting Steps
If logging is not enabled on AWS WAFv2 regional and global web ACLs, follow these troubleshooting steps:
Verify WAFv2 ACLs: Confirm that the web ACLs under consideration are actually managed by AWS WAFv2 and not a different WAF solution.
Review Logging Configurations: Check the current logging configurations for the ACLs to verify if logging is enabled or disabled.
Check IAM Permissions: Ensure that the user or role attempting to enable logging has the necessary IAM permissions to do so. Specifically, they need the wafv2:PutLoggingConfiguration permission to modify the logging settings.
AWS WAFv2 API Authentication: Make sure that the AWS CLI or SDK used for enabling logging is properly authenticated with valid credentials.
Verify CloudWatch Logs Configuration: Ensure that the appropriate CloudWatch Logs destination is configured to receive the WAF logs. This includes setting up a log group and log stream to capture the logging data.
Verify Correct ACLs: Verify that the correct regional and global web ACLs are being modified for logging configuration.
Code Example
Here is an example of an AWS CLI command to enable logging on a regional web ACL:

```bash
# Needs wafv2:PutLoggingConfiguration; the CloudWatch Logs log group name must start with aws-waf-logs-
aws wafv2 put-logging-configuration --logging-configuration '{ "ResourceArn": "<your-web-acl-arn>", "LogDestinationConfigs": [ "<your-cloudwatch-logs-arn>" ], "RedactedFields": [] }'
```

Replace <your-web-acl-arn> with the ARN of your web ACL (as shown by aws wafv2 list-web-acls --scope REGIONAL), and <your-cloudwatch-logs-arn> with the ARN (Amazon Resource Name) of the CloudWatch Logs log group where you want to send the WAF logs.
Note: Repeat the same command for global web ACLs, using the ARN of the global (CloudFront) web ACL; global web ACLs are listed with --scope CLOUDFRONT in the us-east-1 region.
Step-by-step Guide for Remediation
Open the AWS Command Line Interface (CLI) or a compatible terminal.
Authenticate to the AWS CLI using an IAM user or role with the required permissions to modify the logging configurations for AWS WAFv2 ACLs.
Identify the regional web ACLs that need logging enabled.
Run the following AWS CLI command to enable logging on a regional web ACL:
```bash
# Needs wafv2:PutLoggingConfiguration; the CloudWatch Logs log group name must start with aws-waf-logs-
aws wafv2 put-logging-configuration --logging-configuration '{ "ResourceArn": "<your-web-acl-arn>", "LogDestinationConfigs": [ "<your-cloudwatch-logs-arn>" ], "RedactedFields": [] }'
```

Replace <your-web-acl-arn> with the ARN of your web ACL (as shown by aws wafv2 list-web-acls --scope REGIONAL), and <your-cloudwatch-logs-arn> with the ARN (Amazon Resource Name) of the CloudWatch Logs log group where you want to send the WAF logs.
Verify the command executed successfully and that logging is now enabled on the regional web ACLs.
Repeat steps 3-5 for global web ACLs, using the ARN of the global (CloudFront) web ACL; global web ACLs are listed with --scope CLOUDFRONT in the us-east-1 region.
Monitor the CloudWatch Logs for incoming data and ensure that the logs are being populated correctly.
It is recommended to regularly review the generated logs in CloudWatch Logs to identify any suspicious activity and maintain a secure and compliant environment.
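The "verify that logging is now enabled" step above can be scripted. The following is an added example, not code from the original page: it takes the "WebACLs" list returned by aws wafv2 list-web-acls and the "LoggingConfigurations" list returned by aws wafv2 list-logging-configurations, reports every web ACL with no logging configuration, tells regional from global ACLs by their ARN, and refuses a CloudWatch Logs destination whose log group name lacks the mandatory aws-waf-logs- prefix. The account ID, ACL names, ACL IDs and ARNs in the sample data are constructed.

```python
"""Audit WAFv2 web ACLs for missing logging configurations (added example).
Works on the "WebACLs" list from `aws wafv2 list-web-acls` and the "LoggingConfigurations"
list from `aws wafv2 list-logging-configurations` (run per scope: REGIONAL in each region,
CLOUDFRONT in us-east-1)."""
import re

LOG_GROUP_PREFIX = "aws-waf-logs-"  # WAF only accepts CloudWatch log groups named with this prefix
WEBACL_ARN = re.compile(r"^arn:aws:wafv2:[^:]*:\d{12}:(global|regional)/webacl/")

def acl_scope(arn):
    """CLOUDFRONT for a global web ACL ARN, REGIONAL for a regional one."""
    match = WEBACL_ARN.match(arn)
    if not match:
        raise ValueError(f"not a WAFv2 web ACL ARN: {arn}")
    return "CLOUDFRONT" if match.group(1) == "global" else "REGIONAL"

def find_unlogged_acls(web_acls, logging_configs):
    """ARNs of web ACLs that have no logging configuration at all (the rule's finding)."""
    logged = {cfg["ResourceArn"] for cfg in logging_configs}
    return sorted(acl["ARN"] for acl in web_acls if acl["ARN"] not in logged)

def build_logging_configuration(acl_arn, log_group_arn):
    """Payload for put-logging-configuration; rejects a wrongly named log group locally
    instead of letting the API call fail with a validation error."""
    acl_scope(acl_arn)  # raises on a malformed web ACL ARN
    group_name = log_group_arn.split(":log-group:", 1)[-1].rstrip(":*")
    if not group_name.startswith(LOG_GROUP_PREFIX):
        raise ValueError(f"log group name must start with {LOG_GROUP_PREFIX!r}: {group_name}")
    return {"ResourceArn": acl_arn, "LogDestinationConfigs": [log_group_arn], "RedactedFields": []}

# Constructed sample data: the account ID, ACL names and ACL IDs are made up.
ACCT = "123456789012"
SAMPLE_WEB_ACLS = [
    {"Name": "api-acl", "ARN": f"arn:aws:wafv2:eu-west-1:{ACCT}:regional/webacl/api-acl/a1"},
    {"Name": "site-acl", "ARN": f"arn:aws:wafv2:us-east-1:{ACCT}:global/webacl/site-acl/b2"},
    {"Name": "admin-acl", "ARN": f"arn:aws:wafv2:eu-west-1:{ACCT}:regional/webacl/admin-acl/c3"},
]
SAMPLE_LOGGING_CONFIGS = [
    {"ResourceArn": SAMPLE_WEB_ACLS[0]["ARN"],
     "LogDestinationConfigs": [f"arn:aws:logs:eu-west-1:{ACCT}:log-group:aws-waf-logs-api:*"]},
]

if __name__ == "__main__":
    for arn in find_unlogged_acls(SAMPLE_WEB_ACLS, SAMPLE_LOGGING_CONFIGS):
        print(f"FAIL {acl_scope(arn):10} {arn}")  # lists admin-acl (REGIONAL) and site-acl (CLOUDFRONT)
```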