36

Network Config Rules

Last Update a month ago

AWS Config Rule: WAF V2 Logging Enabled AWS Config Rule: WAF Regional Web ACL Not Empty AWS Config Rule: VPC Subnet Auto Assign Public IP Disabled AWS Config Rule: ACM Certificate Expiration Check AWS Config Rule: ALB HTTP To HTTPS Redirection Check

AWS Config Rule: WAF V2 Logging Enabled

WAFV2_LOGGING_ENABLED

Luna Ricci

Last Update 9 months ago

Description: Checks whether logging is enabled on AWS Web Application Firewall (WAFV2) regional and global web access control list (ACLs). The rule is NON_COMPLIANT if the logging is enabled but the logging destination does not match the value of the parameter.


Trigger type: Periodic


AWS Region: All supported AWS regions except China (Beijing), China (Ningxia), AWS GovCloud (US-East), AWS GovCloud (US-West), Asia Pacific (Osaka), Europe (Milan), Africa (Cape Town) Region

How to Resolve Manually

To resolve this manually, head on over to your AWS Console and navigate to your AWS WAF Console, then select Web ACLs. 


Create your Web Access Control List (ACL) which is a collection of firewall rules that allow you to manage the web requests that your AWS resources respond to.

Above we have created a simple Web ACL. For this AWS Config Rule however, we can either tackle this with Amazon Kinesis Firehose, or CloudWatch Logs Group.


On the Kinesis Data Firehose, create a delivery stream which is setup to perform the following actions;


  • Choose Direct PUT or other sources for the source of your delivery stream
  • For the chosen destination, choose Amazon S3 and select the name of your destination S3 Bucket from the list.
  • Choose create delivery stream to create your new Amazon Kinesis Firehose delivery stream


Once this has been completed, head on over to your Web ACL's covered in the first section of this article.

We are interested in the Logging and Metrics portion of the Web ACL.


We need to head over here, and enable Logging. In the next portion of the configuration, we will either need to select Kinesis Data Firehose Stream and choose the correct delivery stream created above, or we can choose CloudWatch Logs log group - which is a much simpler setup.


Note: Your CloudWatch Logs Group must begin with the prefix aws-waf-logs-

Want to know more about StackZone and how to make your cloud management simple and secure?

Check our how it works section with easy to follow videos or just create your own StackZone Account here

Was this article helpful?

0 out of 0 liked this article

Still need help? Message Us