
Enable Logging for AWS WAFv2 Web ACLs Rule

Ensure logging is enabled for AWS WAFv2 regional and global web access control lists (ACLs).

Rule: Logging should be enabled on AWS WAFv2 regional and global web access control lists (ACLs)
Framework: FedRAMP Low Revision 4
Severity: Low

Logging Enabled for AWS WAFv2 Regional and Global Web ACLs for FedRAMP Low Revision 4

Description:

This rule checks that every AWS WAFv2 web ACL, both regional and global (CloudFront), has a logging configuration attached, as required under FedRAMP Low Revision 4. Without logging, the requests a web ACL allows, blocks or counts leave no record, so there is no evidence for audit and nothing to investigate after an attack against the protected resource.

Troubleshooting Steps:

If logging is not enabled for an AWS WAFv2 regional or global web ACL, follow these troubleshooting steps:

  1. Confirm you are looking at the right web ACL: list the resources associated with it (Application Load Balancers, API Gateway stages, AppSync APIs, or the CloudFront distribution) and make sure it is the ACL that actually protects the resource in question.

  2. Verify the logging configuration: each web ACL carries its own logging configuration, so a regional ACL and a CloudFront ACL must be checked separately. Querying the logging configuration of an ACL that has none returns a WAFNonexistentItemException error rather than an empty configuration.

Necessary Code:

No application code is required for this rule. The logging configuration is managed through the AWS Management Console, the AWS Command Line Interface (CLI), or infrastructure-as-code (for example the AWS::WAFv2::LoggingConfiguration resource in CloudFormation).

Remediation Steps:

To enable logging for AWS WAFv2 regional and global Web ACLs, follow the step-by-step guide below:

  1. Navigate to the AWS WAF console: Go to the AWS Management Console and open the AWS WAF & Shield service. For a global web ACL set the region selector to Global (CloudFront); for a regional web ACL select the region that hosts it.

  2. Select the web ACL: Open Web ACLs and choose the ACL you want to configure.

  3. Enable logging: On the "Logging and metrics" tab, choose "Enable" (or "Edit" if a logging configuration already exists).

  4. Choose a destination type: Amazon CloudWatch Logs log group, Amazon S3 bucket, or Amazon Kinesis Data Firehose delivery stream. The destination's name must begin with "aws-waf-logs-". A CloudWatch Logs group or Firehose stream must be in the same region as a regional web ACL, or in us-east-1 for a CloudFront web ACL.

  5. Select the destination: Choose an existing destination from the list or create a new one. No IAM role is selected here; AWS WAF writes through its service-linked role (AWSServiceRoleForWAFV2Logging), which is created automatically the first time logging is enabled. Optionally add redacted fields (for example the Authorization or Cookie headers, so credentials do not land in the logs) and logging filters.

  6. Save the changes: Click "Save" to apply the logging configuration to the web ACL.

  7. Perform testing: Send a request to the protected resource and confirm that a log record for it appears in the configured destination (allow a few minutes for delivery).

CLI Command for Remediation:

If you prefer to use the AWS Command Line Interface (CLI) to enable logging for AWS WAFv2 regional and global Web ACLs, follow the steps below:

  1. Open the AWS CLI: Launch the AWS CLI on your local machine or use AWS CloudShell.

  2. Find the web ACL ARN: The logging configuration is attached to the web ACL's ARN, not to its name or ID, so list the ACLs in the scope first:

aws wafv2 list-web-acls \
  --scope <WebACL Scope> \
  --query 'WebACLs[].[Name,ARN]' --output text

  3. Enable logging: The logging configuration is a separate API object from the web ACL, so it is created with put-logging-configuration rather than update-web-acl (which has no logging parameter):

aws wafv2 put-logging-configuration \
  --logging-configuration 'ResourceArn=<WebACL ARN>,LogDestinationConfigs=<Destination ARN>'

Make sure to replace the placeholders with the actual values:

  • <WebACL Scope>
    : Specify either "REGIONAL" or "CLOUDFRONT". CLOUDFRONT web ACLs are only visible with --region us-east-1; for REGIONAL, run the commands in the region that hosts the web ACL.
  • <WebACL ARN>
    : The ARN of the web ACL itself (arn:aws:wafv2:<region>:<account>:regional/webacl/... or arn:aws:wafv2:us-east-1:<account>:global/webacl/...), not the ARN of the load balancer or distribution it protects.
  • <Destination ARN>
    : The ARN of the CloudWatch Logs log group, S3 bucket or Kinesis Data Firehose delivery stream. Its name must begin with "aws-waf-logs-".

  4. Verify the changes: get-web-acl does not return logging settings, so query the logging configuration directly:

aws wafv2 get-logging-configuration \
  --resource-arn <WebACL ARN>

The output should list the destination ARN under LogDestinationConfigs. A WAFNonexistentItemException error means no logging configuration exists for that web ACL.
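The CLI steps above handle one web ACL at a time. The shell script below is an added example, not code from the Cloud Defense page or from AWS, that generalizes them into an account-wide audit: it lists CloudFront and regional web ACLs, queries each one's logging configuration, and optionally attaches a destination to those without one. It assumes AWS CLI v2 on PATH with credentials allowed to call wafv2:ListWebACLs, wafv2:GetLoggingConfiguration, wafv2:PutLoggingConfiguration and ec2:DescribeRegions, and an environment variable WAF_LOG_DESTINATION_ARN (a name chosen for this example) that points at a pre-created destination. The JSON responses in the self-check are constructed, not taken from a real account.

```shell
#!/bin/sh
# Added example, not Cloud Defense's own code: audit every WAFv2 web ACL in the
# account for a logging configuration and, optionally, remediate the ones that
# lack one with put-logging-configuration.
#
# Assumptions (not from the page): AWS CLI v2 is on PATH with credentials that
# allow wafv2:ListWebACLs, wafv2:GetLoggingConfiguration,
# wafv2:PutLoggingConfiguration and ec2:DescribeRegions; when remediating,
# WAF_LOG_DESTINATION_ARN names an existing destination (CloudWatch Logs group,
# S3 bucket or Firehose stream) whose name starts with aws-waf-logs-.

# Decide from the JSON that `aws wafv2 get-logging-configuration` prints (read
# from stdin) whether logging is enabled. Only destination ARNs (logs, s3,
# firehose) count; the web ACL's own wafv2 ARN in ResourceArn does not, and an
# empty input (the command failed with WAFNonexistentItemException) is "off".
logging_enabled() {
  grep -Eq 'arn:aws[a-z-]*:(logs|s3|firehose):'
}

# Audit one scope in one region. Prints one line per web ACL:
#   <scope> <region> <name> COMPLIANT|NONCOMPLIANT|REMEDIATED
audit_scope() {
  scope="$1"
  region="$2"
  aws wafv2 list-web-acls --scope "$scope" --region "$region" \
      --query 'WebACLs[].[Name,ARN]' --output text |
  while read -r name arn; do
    [ -n "$arn" ] || continue
    if aws wafv2 get-logging-configuration --resource-arn "$arn" \
         --region "$region" --output json 2>/dev/null | logging_enabled; then
      status=COMPLIANT
    else
      status=NONCOMPLIANT
      # The destination must live in the same region as a regional web ACL,
      # or in us-east-1 for a CLOUDFRONT web ACL; the API rejects a mismatch.
      if [ -n "${WAF_LOG_DESTINATION_ARN:-}" ] && aws wafv2 put-logging-configuration \
           --region "$region" \
           --logging-configuration "ResourceArn=$arn,LogDestinationConfigs=$WAF_LOG_DESTINATION_ARN" \
           >/dev/null; then
        status=REMEDIATED
      fi
    fi
    printf '%s %s %s %s\n' "$scope" "$region" "$name" "$status"
  done
}

# Global (CloudFront) web ACLs are only visible from us-east-1; regional ones
# must be listed region by region.
audit_account() {
  audit_scope CLOUDFRONT us-east-1
  for region in $(aws ec2 describe-regions --query 'Regions[].RegionName' --output text); do
    audit_scope REGIONAL "$region"
  done
}

# Offline self-check of the decision logic using constructed API responses
# (not real account data). Returns 0 when all three cases are classified right.
selfcheck() {
  with_dest='{"LoggingConfiguration":{"ResourceArn":"arn:aws:wafv2:us-east-1:123456789012:regional/webacl/app/0000","LogDestinationConfigs":["arn:aws:logs:us-east-1:123456789012:log-group:aws-waf-logs-app"]}}'
  no_dest='{"LoggingConfiguration":{"ResourceArn":"arn:aws:wafv2:us-east-1:123456789012:regional/webacl/app/0000","LogDestinationConfigs":[]}}'
  printf '%s' "$with_dest" | logging_enabled || return 1
  if printf '%s' "$no_dest" | logging_enabled; then return 1; fi
  if printf '' | logging_enabled; then return 1; fi
  return 0
}

# Usage: sh waf-logging-audit.sh audit                                   (report only)
#        WAF_LOG_DESTINATION_ARN=arn:... sh waf-logging-audit.sh audit   (report and remediate)
#        sh waf-logging-audit.sh selfcheck                               (offline logic check)
case "${1:-}" in
  audit) audit_account ;;
  selfcheck) selfcheck && echo "self-check passed" ;;
esac
```

Remediation through a single WAF_LOG_DESTINATION_ARN only works for the region that destination lives in; in a multi-region account, run the script once per region with the matching destination, or extend audit_scope to map regions to destinations. The report-only mode is safe to run under read-only credentials, since the put call is skipped when the variable is unset.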

Summary:

Enabling logging for AWS WAFv2 regional and global Web ACLs ensures compliance with the logging requirements of FedRAMP Low Revision 4. By following the provided remediation steps and using either the AWS Management Console or the AWS CLI, organizations can easily configure the logging settings for their Web ACLs, enhancing auditing and monitoring capabilities for their protected AWS resources.
