Description:
AWS WAF is a web application firewall that helps protect your web applications or APIs against common web exploits and bots that may affect availability, compromise security, or consume excessive resources. It gives you control over how traffic reaches your applications by letting you create security rules that control bot traffic and block common attack patterns, such as SQL injection or cross-site scripting. You can also customize rules that filter out specific traffic patterns. AWS WAF includes a full-featured API that you can use to automate the creation, deployment, and maintenance of security rules.
Logging gives you detailed information about the traffic that is analyzed by a web ACL. Each log record includes the time that AWS WAF received the request from your AWS resource, detailed information about the request, and the action for the rule that the request matched.
Rationale:
AWS WAF is a tool that helps you protect web applications by filtering and monitoring HTTP/HTTPS traffic, including traffic from the public internet. Web application firewalls (WAFs) protect applications at the application layer from common web exploits that can affect application availability, compromise security, and/or consume excessive resources.
This policy checks whether logging is enabled on AWS WAF Classic global web ACLs. The rule is NON_COMPLIANT for a global web ACL that does not have a logging configuration. Without logs, blocked and allowed requests leave no record, so neither compliance evidence nor incident investigation is possible for that web ACL.
Important: One AWS WAF Classic log record is equivalent to one Kinesis Data Firehose record. If the Kinesis Data Firehose delivery stream is not configured correctly, AWS WAF Classic is not able to record all logs.
Impact:
When you enable logging, you get detailed information about the traffic that your web ACLs inspect. WAF logging is a common requirement for security teams to meet their compliance and auditing needs, and it is the evidence used to investigate matched requests during incident response. AWS WAF Classic delivers near-real-time logs through Amazon Kinesis Data Firehose.
Default Value:
By default, logging is not enabled when you create a web ACL. For AWS WAF Classic global (CloudFront) web ACLs, the Kinesis Data Firehose delivery stream that receives the logs must be in the US East (N. Virginia) Region.
Pre-Requisite:
Before you enable logging, create an Amazon Kinesis Data Firehose delivery stream whose name starts with the prefix "aws-waf-logs-". AWS WAF only accepts delivery streams with this prefix. For a global web ACL, create the delivery stream in the US East (N. Virginia) Region.
Remediation:
Test Plan:
Step 1: Login into the AWS Management Console
Step 2: Go to AWS WAF console at https://console.aws.amazon.com/wafv2 and switch to AWS WAF Classic
Step 3: Click on Web ACLs in the left navigation pane
Step 4: Select the Web ACL you want to examine
Step 5: Go to the Logging tab
Step 6: The Logging tab shows whether logging is enabled or disabled and, if enabled, which Kinesis Data Firehose delivery stream receives the logs
Using AWS CLI:
To retrieve a list of all logging configurations for global web ACLs (the AWS WAF Classic global API is served from us-east-1; the --scope option belongs to the wafv2 command and is not accepted here). Any global web ACL whose ARN is absent from the output is NON_COMPLIANT. For regional web ACLs use the aws waf-regional command with the appropriate --region instead.
aws waf list-logging-configurations \
--region us-east-1
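The compliance check in the Test Plan and the delivery stream requirements in the Pre-Requisite can be evaluated offline against the JSON that the CLI returns. The following is an added example, not code from the original page or from AWS; it uses constructed sample responses shaped like the output of aws waf list-web-acls and aws waf list-logging-configurations, a constructed account id 123456789012, and hypothetical web ACL ids. The status follows the rule (NON_COMPLIANT only when no logging configuration exists); the warnings go beyond the rule and flag a destination that would not satisfy the prerequisite (missing "aws-waf-logs-" prefix or a Region other than us-east-1), which is useful as a pre-flight check before calling put-logging-configuration.

```python
"""Evaluate AWS WAF Classic global web ACLs for logging, offline.

Added example, not part of the original policy page. Input shapes mirror
`aws waf list-web-acls` and `aws waf list-logging-configurations`; the
sample responses below are constructed for this example.
"""
import json
import re

ACCOUNT = "123456789012"          # constructed sample account id
FIREHOSE_NAME_PREFIX = "aws-waf-logs-"
GLOBAL_LOG_REGION = "us-east-1"   # global (CloudFront) web ACLs log via a us-east-1 Firehose

# Constructed sample of `aws waf list-web-acls` output (global scope).
LIST_WEB_ACLS = json.loads("""
{"WebACLs": [
  {"WebACLId": "3bffd3ed-fa2e-445e-869f-a6a7cf153fd3", "Name": "cf-prod-acl"},
  {"WebACLId": "7d1c0e52-0b6e-4c1a-9f3e-aaaaaaaaaaaa", "Name": "cf-staging-acl"},
  {"WebACLId": "0a2b4c6d-8e0f-4a2b-9c1d-bbbbbbbbbbbb", "Name": "cf-legacy-acl"}
]}
""")

# Constructed sample of `aws waf list-logging-configurations` output.
# The legacy entry deliberately points at a badly named stream in the wrong Region.
LIST_LOGGING_CONFIGS = json.loads("""
{"LoggingConfigurations": [
  {"ResourceArn": "arn:aws:waf::123456789012:webacl/3bffd3ed-fa2e-445e-869f-a6a7cf153fd3",
   "LogDestinationConfigs": ["arn:aws:firehose:us-east-1:123456789012:deliverystream/aws-waf-logs-prod"],
   "RedactedFields": []},
  {"ResourceArn": "arn:aws:waf::123456789012:webacl/0a2b4c6d-8e0f-4a2b-9c1d-bbbbbbbbbbbb",
   "LogDestinationConfigs": ["arn:aws:firehose:eu-west-1:123456789012:deliverystream/waf-legacy"],
   "RedactedFields": []}
]}
""")

FIREHOSE_ARN = re.compile(
    r"^arn:aws:firehose:(?P<region>[a-z0-9-]+):(?P<account>\d{12}):"
    r"deliverystream/(?P<name>[A-Za-z0-9._-]+)$"
)


def global_web_acl_arn(account, web_acl_id):
    """A WAF Classic global web ACL ARN has an empty Region field."""
    return f"arn:aws:waf::{account}:webacl/{web_acl_id}"


def destination_problems(arn):
    """Reasons a destination would not satisfy the prerequisite for global web ACL logging."""
    m = FIREHOSE_ARN.match(arn)
    if not m:
        return [f"not a Kinesis Data Firehose delivery stream ARN: {arn}"]
    problems = []
    if not m["name"].startswith(FIREHOSE_NAME_PREFIX):
        problems.append(f"delivery stream name must start with {FIREHOSE_NAME_PREFIX!r}: {m['name']}")
    if m["region"] != GLOBAL_LOG_REGION:
        problems.append(f"delivery stream must be in {GLOBAL_LOG_REGION}, found {m['region']}")
    return problems


def evaluate(web_acls_response, logging_response, account=ACCOUNT):
    """Map each global web ACL id to (status, warnings).

    status is NON_COMPLIANT when the web ACL has no logging configuration,
    mirroring the rule; warnings list prerequisite violations on the destination.
    """
    configs = {c["ResourceArn"]: c for c in logging_response["LoggingConfigurations"]}
    results = {}
    for acl in web_acls_response["WebACLs"]:
        cfg = configs.get(global_web_acl_arn(account, acl["WebACLId"]))
        if cfg is None or not cfg.get("LogDestinationConfigs"):
            results[acl["WebACLId"]] = ("NON_COMPLIANT", ["logging not enabled"])
            continue
        warnings = []
        for dest in cfg["LogDestinationConfigs"]:
            warnings.extend(destination_problems(dest))
        results[acl["WebACLId"]] = ("COMPLIANT", warnings)
    return results


if __name__ == "__main__":
    for acl_id, (status, warnings) in evaluate(LIST_WEB_ACLS, LIST_LOGGING_CONFIGS).items():
        print(acl_id, status, "; ".join(warnings))
```

To run it against a live account, replace the two constructed responses with the parsed output of the corresponding aws waf commands; the evaluation logic does not change.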
Implementation Steps:
Step 1: Login into the AWS Management Console
Step 2: Go to AWS WAF console at https://console.aws.amazon.com/wafv2 and switch to AWS WAF Classic
Step 3: Click on Web ACLs in the left navigation pane
Step 4: Choose the web ACL that you want to enable logging
Step 5: Go to the Logging tab.
Step 6: Click on Enable logging button
Step 7: Select the Kinesis Data Firehose delivery stream that you created as a prerequisite; you must choose a delivery stream whose name begins with "aws-waf-logs-"
Step 8: As required by your organization's policy, choose any fields to redact from the logs (for example, authorization headers or cookies) and add any log filters,
and then click on the Create button.
Using AWS CLI:
To create a logging configuration for the web ACL ARN with the specified Kinesis Firehose stream ARN
aws waf put-logging-configuration \
--logging-configuration \
ResourceArn=arn:aws:waf::123456789012:webacl/3bffd3ed-fa2e-445e-869f-a6a7cf153fd3,\
LogDestinationConfigs=arn:aws:firehose:us-east-1:123456789012:deliverystream/aws-waf-logs-firehose-stream,\
RedactedFields=[]
Backout Plan:
Step 1: Login into the AWS Management Console, go to the AWS WAF console at https://console.aws.amazon.com/wafv2 and switch to AWS WAF Classic
Step 2: Click on Web ACLs in the left navigation pane
Step 3: Choose the web ACL that you want to disable logging for.
Step 4: On the Logging tab, choose Disable logging.
Using AWS CLI:
To disable logging for a global web ACL, delete its logging configuration using the web ACL ARN (the Region field is empty for WAF Classic global web ACLs). This stops log delivery but does not delete the Kinesis Data Firehose delivery stream or logs already delivered.
aws waf delete-logging-configuration \
--resource-arn \
arn:aws:waf::123456789012:webacl/3bffd3ed-fa2e-445e-869f-a6a7cf153fd3