How do I turn on AWS WAF logging and send logs to CloudWatch, Amazon S3, or Firehose?


I want to turn on AWS WAF logging and send the logs to Amazon CloudWatch, Amazon Simple Storage Service (Amazon S3), or Amazon Data Firehose.

Short description

First, choose a supported destination for your AWS WAF web access control list (web ACL) and set up the permissions that let AWS WAF deliver logs to it. AWS WAF supports the following log destinations:

  • Amazon CloudWatch Logs log group
  • Amazon S3 bucket
  • Amazon Data Firehose delivery stream

Then, turn on AWS WAF logs for your destination.

Resolution

Prerequisites:

  • Destination names must start with the aws-waf-logs- prefix. This applies to the log group name, the S3 bucket name, and the Firehose stream name; AWS WAF does not list destinations without the prefix.
  • Destinations must be in the same AWS account and AWS Region as your web ACL. For global web ACLs that are associated with Amazon CloudFront, the destination must be in the US East (N. Virginia) Region (us-east-1).
  • CloudWatch Logs log groups and Firehose streams have service quotas (for example, on ingestion rate and record size) that your log volume must stay within.

Set up permissions for a CloudWatch Logs log group

Either create a new log group, or use an existing log group. You can use CloudWatch Logs Insights to analyze the AWS WAF logs in the group.

AWS WAF creates the log streams in the log group for you, and names them in the format Region_web-acl-name_log-stream-number.

Configure the required permissions to publish logs to CloudWatch Logs. When your user has the required permissions, CloudWatch automatically adds a resource-based policy to the log group that allows AWS WAF to send logs to it:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AWSLogDeliveryWrite20150319",
      "Effect": "Allow",
      "Principal": {
        "Service": ["delivery.logs.amazonaws.com"]
      },
      "Action": [
        "logs:CreateLogStream",
        "logs:PutLogEvents"
      ],
      "Resource": ["arn:aws:logs:us-east-1:0123456789:log-group:my-log-group:log-stream:*"],
      "Condition": {
        "StringEquals": {
          "aws:SourceAccount": ["0123456789"]
        },
        "ArnLike": {
          "aws:SourceArn": ["arn:aws:logs:us-east-1:0123456789:*"]
        }
      }
    }
  ]
}

Note: Replace the account ID 0123456789 in the aws:SourceAccount and aws:SourceArn values with your account ID, and replace us-east-1 and my-log-group in the Resource ARN with your Region and log group name. Keep both conditions: they pin the grant to log delivery that originates in your account, so that no other account can point its log delivery at your log group.

If you don't see logs in your log group, then use the DescribeResourcePolicies API (aws logs describe-resource-policies) to verify that the resource-based policy grants delivery.logs.amazonaws.com the logs:CreateLogStream and logs:PutLogEvents actions on your log group. Use the PutResourcePolicy API (aws logs put-resource-policy) to edit the resource-based policy.

For more information about logging permissions, see Turn on logging from AWS services.

Set up permissions for an Amazon S3 bucket

When you send AWS WAF logs to an S3 bucket, you can use Amazon Athena to analyze your AWS WAF logs.

Configure the required permissions to publish logs to an S3 bucket. When your user has the required permissions, AWS automatically adds the following policy to the bucket that allows AWS WAF to deliver logs to it:

{
  "Version": "2012-10-17",
  "Id": "AWSLogDeliveryWrite20150319",
  "Statement": [
    {
      "Sid": "AWSLogDeliveryAclCheck",
      "Effect": "Allow",
      "Principal": {
        "Service": "delivery.logs.amazonaws.com"
      },
      "Action": "s3:GetBucketAcl",
      "Resource": "arn:aws:s3:::my-bucket",
      "Condition": {
        "StringEquals": {
          "aws:SourceAccount": ["0123456789"]
        },
        "ArnLike": {
          "aws:SourceArn": ["arn:aws:logs:us-east-1:0123456789:*"]
        }
      }
    },
    {
      "Sid": "AWSLogDeliveryWrite",
      "Effect": "Allow",
      "Principal": {
        "Service": "delivery.logs.amazonaws.com"
      },
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::my-bucket/AWSLogs/account-ID/*",
      "Condition": {
        "StringEquals": {
          "s3:x-amz-acl": "bucket-owner-full-control",
          "aws:SourceAccount": ["0123456789"]
        },
        "ArnLike": {
          "aws:SourceArn": ["arn:aws:logs:us-east-1:0123456789:*"]
        }
      }
    }
  ]
}

Note: Replace the account ID 0123456789 in the aws:SourceAccount and aws:SourceArn values, and account-ID in the object key prefix, with your account ID; replace my-bucket with your bucket name. The s3:x-amz-acl condition requires log delivery to write objects with the bucket-owner-full-control ACL, so that the bucket owner keeps access to the delivered logs.

If you don't see the logs in your bucket, then use the GetBucketPolicy API (aws s3api get-bucket-policy --bucket my-bucket) to verify that the bucket policy grants delivery.logs.amazonaws.com both s3:GetBucketAcl on the bucket and s3:PutObject on the AWSLogs/ prefix. Use the PutBucketPolicy API (aws s3api put-bucket-policy) to edit the bucket policy.
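The two "verify the policy" checks above (DescribeResourcePolicies for the log group, GetBucketPolicy for the bucket) come down to the same question: does some Allow statement give delivery.logs.amazonaws.com each required action, pinned to your account by the aws:SourceAccount and aws:SourceArn conditions? The following is an added example, not code from the original article, that answers that question for a policy document. It embeds the log group policy and bucket policy shown above as sample input (with the article's 0123456789 placeholder account); in practice you would feed it the JSON returned by aws logs describe-resource-policies or aws s3api get-bucket-policy.

```python
"""Check that a log destination's policy lets AWS WAF log delivery write.

Added example, not code from the original article. The two policies below
are the CloudWatch Logs and S3 policies from the article, embedded as sample
input; feed it the output of `aws logs describe-resource-policies` or
`aws s3api get-bucket-policy --bucket <name>` for a real destination.
"""
import json
from typing import List

LOG_DELIVERY = "delivery.logs.amazonaws.com"
# Actions log delivery needs on each destination type.
REQUIRED = {
    "logs": ["logs:CreateLogStream", "logs:PutLogEvents"],
    "s3": ["s3:GetBucketAcl", "s3:PutObject"],
}


def _as_list(value):
    """Policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _grants(stmt: dict, action: str, account: str) -> bool:
    """True if this statement lets log delivery perform `action` for `account`."""
    principal = stmt.get("Principal")
    if stmt.get("Effect") != "Allow" or not isinstance(principal, dict):
        return False
    if LOG_DELIVERY not in _as_list(principal.get("Service", [])):
        return False
    if action not in _as_list(stmt.get("Action", [])):
        return False
    cond = stmt.get("Condition", {})
    # Both conditions pin the grant to your own account. Without them, any
    # AWS account could direct its log delivery at this resource.
    accounts = _as_list(cond.get("StringEquals", {}).get("aws:SourceAccount", []))
    source_arns = _as_list(cond.get("ArnLike", {}).get("aws:SourceArn", []))
    return account in accounts and any(a.startswith("arn:aws:logs:") for a in source_arns)


def missing_grants(policy: dict, account: str, service: str) -> List[str]:
    """Return the required actions that no statement grants; [] means the policy is complete."""
    statements = _as_list(policy.get("Statement", []))
    return [a for a in REQUIRED[service]
            if not any(_grants(s, a, account) for s in statements)]


# Sample input: the policies from the article above (placeholder account 0123456789).
LOG_GROUP_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [{
  "Sid": "AWSLogDeliveryWrite20150319", "Effect": "Allow",
  "Principal": {"Service": ["delivery.logs.amazonaws.com"]},
  "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
  "Resource": ["arn:aws:logs:us-east-1:0123456789:log-group:my-log-group:log-stream:*"],
  "Condition": {"StringEquals": {"aws:SourceAccount": ["0123456789"]},
                "ArnLike": {"aws:SourceArn": ["arn:aws:logs:us-east-1:0123456789:*"]}}}]}""")

BUCKET_POLICY = json.loads("""{"Version": "2012-10-17", "Id": "AWSLogDeliveryWrite20150319", "Statement": [
 {"Sid": "AWSLogDeliveryAclCheck", "Effect": "Allow",
  "Principal": {"Service": "delivery.logs.amazonaws.com"},
  "Action": "s3:GetBucketAcl", "Resource": "arn:aws:s3:::my-bucket",
  "Condition": {"StringEquals": {"aws:SourceAccount": ["0123456789"]},
                "ArnLike": {"aws:SourceArn": ["arn:aws:logs:us-east-1:0123456789:*"]}}},
 {"Sid": "AWSLogDeliveryWrite", "Effect": "Allow",
  "Principal": {"Service": "delivery.logs.amazonaws.com"},
  "Action": "s3:PutObject", "Resource": "arn:aws:s3:::my-bucket/AWSLogs/account-ID/*",
  "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control",
                                 "aws:SourceAccount": ["0123456789"]},
                "ArnLike": {"aws:SourceArn": ["arn:aws:logs:us-east-1:0123456789:*"]}}}]}""")

if __name__ == "__main__":
    print("log group missing:", missing_grants(LOG_GROUP_POLICY, "0123456789", "logs"))
    print("bucket missing:", missing_grants(BUCKET_POLICY, "0123456789", "s3"))
    # Checking against a different account ID shows every grant as missing,
    # which is exactly what happens when SourceAccount was left at the placeholder.
    print("wrong account:", missing_grants(BUCKET_POLICY, "999999999999", "s3"))
```

The check deliberately treats a statement without the aws:SourceAccount and aws:SourceArn conditions as not granting anything: a policy that drops them would still deliver logs, but it would also accept log delivery from any other account, which is the confused-deputy problem those conditions exist to prevent.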

To send logs to another account or Region, see How do I send AWS WAF logs to an Amazon S3 bucket in a centralized logging account?

Set up permissions for Firehose

Configure a Firehose delivery stream with Direct PUT as the source and a name that starts with aws-waf-logs-, in the same Region as your web ACL (us-east-1 for a CloudFront web ACL). Keep the Data transformation and Record format conversion options turned off, because AWS WAF delivers each log as a complete JSON record. To configure a destination for the delivery stream, see Configure destination settings. For more information, see Create a Firehose stream.

Note: One AWS WAF log is equivalent to one Firehose record.

Configure the required permissions to publish logs to a Firehose delivery stream. For information about service-linked roles and the iam:CreateServiceLinkedRole permission, see Using service-linked roles for AWS WAF.

Turn on AWS WAF logs

Complete the following steps:

  1. Open the AWS WAF console.
  2. For Region, select the Region where you created your web ACL.
    Note: If your web ACL is set up for CloudFront, then choose Global (CloudFront).
  3. Select your web ACL.
  4. Choose Logging and Metrics, then choose Enable.
  5. For Logging destination, choose your destination.
  6. For Redacted fields, select the fields that you want to omit from the logs.
  7. For Filter logs, add filters for the requests that you want to store.
  8. Choose Save.
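The console steps above map to a single PutLoggingConfiguration call on the wafv2 API, and the prerequisites (aws-waf-logs- prefix, same account, same Region, or us-east-1 for a CloudFront web ACL) are exactly what the console validates before it lets you save. The following is an added example, not code from the original article, that applies those checks to a web ACL ARN and destination ARN and builds the request body with redacted fields and a log filter. The web ACL and destination ARNs in it are constructed placeholders, and the choice of what to redact (authorization and cookie headers) and what to keep (everything except plain ALLOW requests) is an assumption for illustration; boto3 is imported only inside apply(), so everything else runs offline.

```python
"""Validate an AWS WAF log destination and build a PutLoggingConfiguration body.

Added example, not code from the original article. The ARNs used for
illustration are constructed placeholders; the redaction and filter choices
are assumptions, not the article's recommendations.
"""
import json
import re
from typing import List

WAF_PREFIX = "aws-waf-logs-"

_WEBACL_RE = re.compile(
    r"^arn:aws:wafv2:(?P<region>[a-z0-9-]+):(?P<account>\d{12}):"
    r"(?P<scope>regional|global)/webacl/[^/]+/[^/]+$")
_LOGS_RE = re.compile(
    r"^arn:aws:logs:(?P<region>[a-z0-9-]+):(?P<account>\d{12}):log-group:(?P<name>[^:]+)(?::\*)?$")
_FIREHOSE_RE = re.compile(
    r"^arn:aws:firehose:(?P<region>[a-z0-9-]+):(?P<account>\d{12}):deliverystream/(?P<name>.+)$")
_S3_RE = re.compile(r"^arn:aws:s3:::(?P<name>[a-z0-9.-]+)$")   # bucket ARNs carry no Region or account


def check_destination(web_acl_arn: str, destination_arn: str) -> List[str]:
    """Return the prerequisite violations for this pairing; [] means it is acceptable."""
    acl = _WEBACL_RE.match(web_acl_arn)
    if not acl:
        return [f"not a wafv2 web ACL ARN: {web_acl_arn}"]
    # A global (CloudFront) web ACL lives in us-east-1, and so must its destination.
    required_region = "us-east-1" if acl["scope"] == "global" else acl["region"]

    m = _LOGS_RE.match(destination_arn) or _FIREHOSE_RE.match(destination_arn) or _S3_RE.match(destination_arn)
    if not m:
        return [f"unsupported destination ARN: {destination_arn}"]
    found = m.groupdict()
    problems = []
    if not found["name"].startswith(WAF_PREFIX):
        problems.append(f"destination name {found['name']!r} must start with {WAF_PREFIX!r}")
    if "region" in found and found["region"] != required_region:
        problems.append(f"destination is in {found['region']}, but the web ACL requires {required_region}")
    if "account" in found and found["account"] != acl["account"]:
        problems.append("destination must be in the same account as the web ACL")
    return problems


def build_logging_configuration(web_acl_arn: str, destination_arn: str,
                                redact_headers=("authorization", "cookie"),
                                keep_actions=("BLOCK", "COUNT", "CAPTCHA", "CHALLENGE")) -> dict:
    """Build the LoggingConfiguration value for wafv2 PutLoggingConfiguration."""
    problems = check_destination(web_acl_arn, destination_arn)
    if problems:
        raise ValueError("; ".join(problems))
    config = {
        "ResourceArn": web_acl_arn,
        "LogDestinationConfigs": [destination_arn],
        # Redacted fields: drop credential-bearing headers before the log leaves WAF.
        "RedactedFields": [{"SingleHeader": {"Name": h.lower()}} for h in redact_headers],
    }
    if keep_actions:
        # Log filter: keep only requests whose action is in keep_actions, drop the rest.
        config["LoggingFilter"] = {
            "DefaultBehavior": "DROP",
            "Filters": [{
                "Behavior": "KEEP",
                "Requirement": "MEETS_ANY",
                "Conditions": [{"ActionCondition": {"Action": a}} for a in keep_actions],
            }],
        }
    return config


def apply(config: dict, region: str = "us-east-1"):
    """Send the configuration to AWS (use region us-east-1 for a global web ACL)."""
    import boto3  # imported here so the validation and builder run without boto3 installed
    return boto3.client("wafv2", region_name=region).put_logging_configuration(LoggingConfiguration=config)


if __name__ == "__main__":
    # Constructed placeholder ARNs for a CloudFront web ACL and a us-east-1 log group.
    acl = "arn:aws:wafv2:us-east-1:123456789012:global/webacl/cf-acl/0a1b2c3d-0000-1111-2222-333344445555"
    dest = "arn:aws:logs:us-east-1:123456789012:log-group:aws-waf-logs-cf"
    print(json.dumps(build_logging_configuration(acl, dest), indent=2))
    print(check_destination(acl, "arn:aws:logs:eu-west-1:123456789012:log-group:aws-waf-logs-cf"))
```

Keeping the default behaviour at DROP and listing only the actions you want is the safer way to write a log filter: a new rule action that you did not anticipate falls out of the logs rather than silently flooding the destination, and the redacted header list is applied before delivery, so tokens never reach the bucket or log group at all.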