AWS Config Rules: WAF Classic Logging Enabled

WAF_CLASSIC_LOGGING_ENABLED

Eduardo Van Cauteren

Last Update 2 months ago

Description: Checks if logging is enabled on AWS WAF Classic global web access control lists (web ACLs). The rule is NON_COMPLIANT for a global web ACL if it does not have logging enabled.


Trigger type: Periodic


AWS Region: Only available in US East (N. Virginia) Region


How to Resolve Manually

This Config Rule checks whether logging is enabled on a global Web ACL within AWS WAF Classic. A web ACL that is found with logging disabled is marked as non-compliant.


To enable logging, head on over to the WAF & Shield service and then click on Switch to AWS WAF Classic from the left side menu.


Click on Web ACLs and in the Filter dropdown menu choose Global (CloudFront) region. From the list, click on the name of the ACL that is not compliant, click on the Logging tab and finally click on the Enable Logging button. Check the following screenshot as reference:

In the next step you will be prompted to select an Amazon Kinesis Data Firehose delivery stream to send the logs to. Select the desired one and save the settings. Notice that WAF only accepts a delivery stream whose name starts with 'aws-waf-logs-'.


To know more about creating a Data Firehose, please refer to the official documentation linked here.
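The same check and remediation as a script, added here as an example (it is not StackZone's or AWS's own code). It uses the boto3 'waf' client calls list_web_acls, get_web_acl, list_logging_configurations and put_logging_configuration, which address the WAF Classic global endpoint; the FakeWaf class, the account id 123456789012 and the ARNs are constructed stand-ins so the script runs offline, and boto3.client("waf", region_name="us-east-1") replaces FakeWaf for a real account.

```python
FIREHOSE_PREFIX = "aws-waf-logs-"

def _paginate(call, key):
    """Walk a WAF Classic list_* call via NextMarker, yielding the items under `key`."""
    marker = None
    while True:
        # boto3 rejects NextMarker=None, so only pass it once we have one
        resp = call(NextMarker=marker, Limit=100) if marker else call(Limit=100)
        yield from resp.get(key, [])
        marker = resp.get("NextMarker")
        if not marker:
            return

def noncompliant_web_acls(waf):
    """ARNs of global web ACLs with no logging configuration, i.e. what the rule flags."""
    logged = {c["ResourceArn"] for c in _paginate(waf.list_logging_configurations,
                                                    "LoggingConfigurations")}
    arns = [waf.get_web_acl(WebACLId=a["WebACLId"])["WebACL"]["WebACLArn"]
            for a in _paginate(waf.list_web_acls, "WebACLs")]
    return [arn for arn in arns if arn not in logged]

def stream_name_ok(firehose_arn):
    """WAF only accepts a delivery stream whose name starts with aws-waf-logs-."""
    return firehose_arn.rsplit("/", 1)[-1].startswith(FIREHOSE_PREFIX)

def enable_logging(waf, web_acl_arn, firehose_arn):
    """Point the web ACL's logs at the Firehose stream (the console's Enable Logging step)."""
    if not stream_name_ok(firehose_arn):
        raise ValueError(f"delivery stream name must start with {FIREHOSE_PREFIX!r}")
    waf.put_logging_configuration(LoggingConfiguration={
        "ResourceArn": web_acl_arn, "LogDestinationConfigs": [firehose_arn]})

class FakeWaf:
    """Constructed stand-in for boto3.client("waf"): two global web ACLs, only id-1 logging."""
    def __init__(self):
        self.acls = {"id-1": "arn:aws:waf::123456789012:webacl/id-1",
                     "id-2": "arn:aws:waf::123456789012:webacl/id-2"}
        self.logging = {self.acls["id-1"]}
    def list_web_acls(self, **kw):
        return {"WebACLs": [{"WebACLId": i} for i in self.acls]}
    def get_web_acl(self, WebACLId):
        return {"WebACL": {"WebACLId": WebACLId, "WebACLArn": self.acls[WebACLId]}}
    def list_logging_configurations(self, **kw):
        return {"LoggingConfigurations": [{"ResourceArn": a} for a in self.logging]}
    def put_logging_configuration(self, LoggingConfiguration):
        self.logging.add(LoggingConfiguration["ResourceArn"])
```

Run noncompliant_web_acls first to see what the rule would flag, then enable_logging on each returned ARN with your aws-waf-logs- stream; the same IAM permissions the console needs (waf:ListWebACLs, waf:GetWebACL, waf:ListLoggingConfigurations, waf:PutLoggingConfiguration) apply.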


Want to know more about StackZone and how to make your cloud management simple and secure?

Check our How It Works section with easy-to-follow videos, or just create your own StackZone account here.
