How do I send AWS WAF logs to an Amazon S3 bucket in a centralized logging account?

3 minute read

I want to send AWS WAF logs to an Amazon Simple Storage Service (Amazon S3) bucket that's in a different AWS account or AWS Region.

Resolution

To send AWS WAF logs to an Amazon S3 bucket that's in a centralized logging account, complete the following steps.

Create an S3 bucket in the centralized logging account in the selected Region

Complete the following steps:

Create the Amazon S3 bucket.
Enter a bucket name that starts with the aws-waf-logs- prefix.
For example: aws-waf-logs-example-bucket.

Add a bucket policy to the Amazon S3 bucket

Add the following Amazon S3 bucket policy to your Amazon S3 bucket:

{  "Version": "2012-10-17",
  "Id": "AWSLogDeliveryWrite20150319",
  "Statement": [
    {
      "Sid": "AWSLogDeliveryWrite",
      "Effect": "Allow",
      "Principal": {
        "Service": "delivery.logs.amazonaws.com"
      },
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::aws-waf-logs-example-bucket/AWSLogs/*",
      "Condition": {
        "StringEquals": {
          "s3:x-amz-acl": "bucket-owner-full-control",
          "aws:SourceAccount": [
            "111111111111",
            "222222222222"
          ]
        },
        "ArnLike": {
          "aws:SourceArn": [
            "arn:aws:logs:region:111111111111:*",
            "arn:aws:logs:region:222222222222:*"
          ]
        }
      }
    },
    {
      "Sid": "AWSLogDeliveryAclCheck",
      "Effect": "Allow",
      "Principal": {
        "Service": "delivery.logs.amazonaws.com"
      },
      "Action": "s3:GetBucketAcl",
      "Resource": "arn:aws:s3:::aws-waf-logs-example-bucket",
      "Condition": {
        "StringEquals": {
          "aws:SourceAccount": [
            "111111111111",
            "222222222222"
          ]
        },
        "ArnLike": {
          "aws:SourceArn": [
            "arn:aws:logs:region:111111111111:*",
            "arn:aws:logs:region:222222222222:*"
          ]
        }
      }
    }
  ]
}

In the preceding policy, replace the following values:

The account IDs in aws:SourceAccount with the IDs of the source accounts that you want to send logs.
The Amazon Resource Names (ARNs) in aws:SourceArn with the ARNs of the source resources that you want to publish logs. Use the following format: arn:aws:logs:region:source-account-id:*
aws-waf-logs-example-bucket with the name of your S3 bucket.

Configure your web ACLs to send the logs to the Amazon S3 bucket

Note: If you receive errors when you run AWS Command Line Interface (AWS CLI) commands, then see Troubleshoot AWS CLI errors. Also, make sure that you're using the most recent AWS CLI version.

In the following example, the Amazon S3 bucket is in a different account or Region from the AWS WAF. To configure the web access control list (web ACL), you must run the put-logging-configuration command from the account that owns the web ACL:

aws wafv2 put-logging-configuration --logging-configuration ResourceArn=arn:aws:wafv2:us-west-1:111111111111:regional/webacl/testing/b4a768c9-4895-4f35-9354-3049ab8acc29,LogDestinationConfigs=arn:aws:s3:::aws-waf-logs-example-bucket --region us-west-1

In the preceding command, replace the following values:

The arn for ResourceArn with your web ACL's ARN.
The arn for LogDestinationConfigs with the ARN of the S3 bucket that's in your centralized logging account.
us-west-1 with the Region where your web ACL is located. For web ACLs in the Amazon CloudFront Region (Global), replace us-west-1 with us-east-1.

Repeat the preceding step for each web ACL in your AWS WAF.

Encrypt your Amazon S3 bucket

AWS WAF supports encryption with Amazon S3 buckets for server-side encryption keys in Amazon S3 and AWS Key Management Service (AWS KMS). AWS WAF doesn't support encryption for AWS managed keys.

If you use both of the following configurations, then you must give AWS WAF permission to use your KMS key:

Your logging destination uses server-side encryption keys that are stored in AWS KMS.
You use a customer managed key.

To allow AWS WAF to log in to your Amazon S3 bucket, add the following key policy to your KMS key:

{
    "Sid": "Allow AWS WAF to use the key",
    "Effect": "Allow",
    "Principal": {
        "Service": [
            "delivery.logs.amazonaws.com"
        ]
    },
    "Action": "kms:GenerateDataKey*",
    "Resource": "*"
}

Related information

Permissions required to publish logs to Amazon S3

Topics

Security, Identity, & Compliance

Relevant content

Centralized logging - one region, perhaps one account (S3/VPC)
AWS-User-8416516
asked 2 years ago
Capturing Application logs to Central log account CloudWatch using CWAgent
rePost-User-6877555
asked 2 years ago
Multiple Cloudtrail logs into centralized Cloudwatch log account
rePost-User-4136916
asked a year ago
AWS Cloudwatch - centralized logs
Orlando
asked 8 months ago
AWS VPC Flow Logs - centralized
Orlando
asked 8 months ago
How do I analyze AWS WAF logs in Amazon Athena?
AWS OFFICIALUpdated 5 months ago
How do I configure a central Amazon S3 bucket for Session Manager logging from multiple accounts?
AWS OFFICIALUpdated a year ago
How do I turn on AWS WAF logging and send logs to CloudWatch, Amazon S3, or Kinesis Data Firehose?
AWS OFFICIALUpdated 2 years ago
How do I turn on log filtering in AWS WAF?
AWS OFFICIALUpdated 2 years ago
How can I send AWS WAF log to both CloudWatch logs and S3?
EXPERT
Lei Pei
published a day ago