Stateless logging for AWS Network Firewall


How can I view or log both stateful and stateless traffic on my AWS Network Firewall? Is it the same with the next generation firewall logging? Which one is more secure?

1 Answer
Accepted Answer

First, let's review the difference between stateless and stateful rules: Stateful firewall rules are capable of monitoring and detecting the state of all traffic on a network, in the sense of traffic flow, while stateless firewall rules focus only on individual packets, using preset rules to filter traffic.

For monitoring: You can monitor how the service is being used, and you can monitor network traffic and traffic filtering done by the stateful rule groups in your Network Firewall firewalls. Firewall logging is only available for traffic that you forward to the stateful rules engine. You forward traffic to the stateful engine through stateless rule actions and stateless default actions in the firewall policy.

For Cloud NGFW for AWS, you have three choices of destination for your Cloud NGFW logs. These destinations all reside outside of the Cloud NGFW service but within your AWS account—S3 bucket, CloudWatch log group, or Kinesis Data Firehose. Each log file is generated as a JSON file.

AWS Network Firewall is a managed service, but you'll need to manage your NGFW and its scalability yourself, so these are two different firewalls with some differences. Based on your use case and what you're looking for in a network firewall, you can decide which one is best suited for your use case. Both are secure.

AWS
mojtoth
answered 5 months ago
Expert
reviewed 5 months ago
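
The forwarding behaviour described in the answer above, as an added example (not part of the original answer and not AWS's own code): a Python check that reads a firewall policy and its stateless rule groups, in the JSON shape returned by `describe-firewall-policy` and `describe-rule-group`, and lists every stateless decision that never reaches the stateful engine and therefore produces no log records. The function name, ARN, account ID and rules are constructed sample values.

```python
FORWARD = "aws:forward_to_sfe"  # stateless action that hands a packet to the stateful engine

def unlogged_paths(policy, stateless_groups):
    """List stateless decisions that bypass the stateful engine (and so are never logged).

    policy: the "FirewallPolicy" object from describe-firewall-policy.
    stateless_groups: {rule group ARN: "RuleGroup" object from describe-rule-group}.
    """
    findings = []
    # Default actions apply to packets that match no stateless rule.
    for key in ("StatelessDefaultActions", "StatelessFragmentDefaultActions"):
        actions = policy.get(key, [])
        if FORWARD not in actions:
            findings.append(f"{key}={actions}: unmatched packets are not logged")
    refs = sorted(policy.get("StatelessRuleGroupReferences", []), key=lambda r: r["Priority"])
    for ref in refs:
        arn = ref["ResourceArn"]
        group = stateless_groups.get(arn)
        if group is None:
            findings.append(f"{arn}: rule group not supplied, cannot assess")
            continue
        rules = group["RulesSource"]["StatelessRulesAndCustomActions"]["StatelessRules"]
        for rule in sorted(rules, key=lambda r: r["Priority"]):
            # Actions may also carry a custom action name, so test membership.
            actions = rule["RuleDefinition"]["Actions"]
            if FORWARD not in actions:
                findings.append(f"{arn} priority {rule['Priority']}: {actions} "
                                "decided statelessly, not logged")
    return findings

# Constructed sample data (not from a real account).
ARN = "arn:aws:network-firewall:us-east-1:111122223333:stateless-rulegroup/example"
POLICY = {
    "StatelessDefaultActions": ["aws:forward_to_sfe"],
    "StatelessFragmentDefaultActions": ["aws:drop"],
    "StatelessRuleGroupReferences": [{"ResourceArn": ARN, "Priority": 10}],
}
GROUPS = {ARN: {"RulesSource": {"StatelessRulesAndCustomActions": {"StatelessRules": [
    {"Priority": 1, "RuleDefinition": {"Actions": ["aws:pass"]}},
    {"Priority": 2, "RuleDefinition": {"Actions": ["aws:forward_to_sfe"]}},
]}}}}

if __name__ == "__main__":
    for line in unlogged_paths(POLICY, GROUPS):
        print(line)
```

An empty result means every stateless path forwards to the stateful engine; a logging configuration with at least one destination must still be attached to the firewall for records to be written.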
