AWS WAF is a web application firewall that helps protect your web applications or APIs against common web exploits and bots that may affect availability, compromise security, or consume excessive resources. It lets you control how traffic reaches your applications by creating security rules that control bot traffic and block common attack patterns, such as SQL injection or cross-site scripting. You can also write custom rules that filter out specific traffic patterns. AWS WAF includes a full-featured API that you can use to automate the creation, deployment, and maintenance of security rules.

Enable logging to get detailed information about the traffic that is analyzed by your web ACL. Each log record includes the time that AWS WAF received the request from your AWS resource, detailed information about the request, and the action for the rule that the request matched.


AWS WAF is a tool that helps you protect web applications by filtering and monitoring HTTP/HTTPS traffic, including traffic from the public internet. Web application firewalls (WAFs) protect applications at the application layer from common web exploits that can affect application availability, compromise security, and/or consume excessive resources.

This policy checks whether logging is enabled on AWS Web Application Firewall (WAFv2) regional and global web access control lists (web ACLs). The rule is NON_COMPLIANT if logging is enabled but the logging destination does not match the value of the parameter.

Important: One AWS WAF Classic log is equivalent to one Kinesis Data Firehose record. If Kinesis Data Firehose is not configured correctly, AWS WAF Classic is not able to record all logs.


WAF logging is a common requirement for security teams to meet their compliance and auditing needs. AWS WAF provides near-real-time logs through Amazon Kinesis Data Firehose. When you enable logging, you get detailed information about the traffic that your web ACLs evaluate.

Default Value:

By default, logging is not enabled when you create a web ACL. The Kinesis Data Firehose delivery stream that receives the logs must be in the same Region as a regional web ACL; for a global web ACL (one associated with a CloudFront distribution), the delivery stream must be in US East (N. Virginia).


Before enabling logging, create an Amazon Kinesis Data Firehose delivery stream whose name starts with the prefix “aws-waf-logs-”. For a regional web ACL, create it in the same Region as the web ACL; for a global (CloudFront) web ACL, create it in US East (N. Virginia).


Test Plan:

Step 1: Log in to the AWS Management Console and go to the AWS WAF console at

Step 2: Click on Web ACLs in the left navigation pane

Step 3: Select Web ACL to audit.

Step 4: Go to the Logging and metrics tab.

Step 5: The Logging section shows whether logging is enabled or disabled for the web ACL.

Using AWS CLI:

To retrieve the logging configuration of a single web ACL (the command fails with WAFNonexistentItemException when logging is not enabled for that web ACL, which is itself a NON_COMPLIANT result)

aws wafv2 get-logging-configuration \
    --resource-arn arn:aws:wafv2:<region>:<account_id>:regional/webacl/test/a1b2c3d4-5678-90ab-cdef-EXAMPLE22222 \
    --region <region>
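The audit above covers one web ACL at a time. The following script is an added example, not part of the original page: it evaluates logging configurations the way the policy does (logging present, delivery stream named with the “aws-waf-logs-” prefix, delivery stream in the Region the web ACL requires, and optionally an expected destination). It runs offline on a constructed sample inventory shaped like the JSON that get-logging-configuration returns; the live fetch path assumes boto3, which the page does not mention, and only runs when called.

```python
"""Audit WAFv2 web ACL logging configurations (added example, not from the page)."""
import re

FIREHOSE_PREFIX = "aws-waf-logs-"
WEBACL_ARN = re.compile(
    r"^arn:aws:wafv2:(?P<region>[a-z0-9-]+):(?P<account>\d{12}):"
    r"(?P<scope>regional|global)/webacl/(?P<name>[^/]+)/(?P<id>[^/]+)$"
)
FIREHOSE_ARN = re.compile(
    r"^arn:aws:firehose:(?P<region>[a-z0-9-]+):(?P<account>\d{12}):"
    r"deliverystream/(?P<name>.+)$"
)


def required_log_region(web_acl_arn):
    """Region the delivery stream must live in: the web ACL's own Region for a
    regional web ACL, us-east-1 for a global (CloudFront) web ACL."""
    m = WEBACL_ARN.match(web_acl_arn)
    if not m:
        raise ValueError(f"not a WAFv2 web ACL ARN: {web_acl_arn}")
    return "us-east-1" if m.group("scope") == "global" else m.group("region")


def evaluate(web_acl_arn, logging_config, expected_destinations=None):
    """Return (status, reason) for one web ACL.

    logging_config is the LoggingConfiguration object from
    get-logging-configuration, or None when the API reported that none exists
    (WAFNonexistentItemException). expected_destinations plays the role of the
    policy's destination parameter: every configured destination must be in it.
    """
    if logging_config is None:
        return "NON_COMPLIANT", "logging is not enabled"
    destinations = logging_config.get("LogDestinationConfigs") or []
    if not destinations:
        return "NON_COMPLIANT", "no log destination configured"
    want_region = required_log_region(web_acl_arn)
    for dest in destinations:
        m = FIREHOSE_ARN.match(dest)
        if not m:
            continue  # not a Firehose destination; the Firehose checks do not apply
        if not m.group("name").startswith(FIREHOSE_PREFIX):
            return "NON_COMPLIANT", f"delivery stream name must start with {FIREHOSE_PREFIX}"
        if m.group("region") != want_region:
            return "NON_COMPLIANT", f"delivery stream is in {m.group('region')}, expected {want_region}"
    if expected_destinations is not None and not set(destinations) <= set(expected_destinations):
        return "NON_COMPLIANT", "destination does not match the expected value"
    return "COMPLIANT", "logging enabled to an acceptable destination"


def evaluate_all(inventory, expected_destinations=None):
    """inventory maps web ACL ARN -> LoggingConfiguration or None."""
    return {arn: evaluate(arn, cfg, expected_destinations) for arn, cfg in inventory.items()}


def fetch_inventory(region, scope="REGIONAL"):
    """Live variant (assumed boto3 usage, not exercised offline): first page of
    web ACLs in a Region with each one's logging configuration. Follow
    NextMarker from list_web_acls in accounts with many web ACLs."""
    import boto3  # assumed dependency, not part of the page
    waf = boto3.client("wafv2", region_name=region)
    inventory = {}
    for acl in waf.list_web_acls(Scope=scope)["WebACLs"]:
        try:
            cfg = waf.get_logging_configuration(ResourceArn=acl["ARN"])["LoggingConfiguration"]
        except waf.exceptions.WAFNonexistentItemException:
            cfg = None  # logging never enabled for this web ACL
        inventory[acl["ARN"]] = cfg
    return inventory


# Constructed sample inventory (fictitious account) covering the cases the check must separate.
ACCOUNT = "123456789012"
SAMPLE_INVENTORY = {
    f"arn:aws:wafv2:us-west-2:{ACCOUNT}:regional/webacl/api/11111111-1111-1111-1111-111111111111": {
        "LogDestinationConfigs": [f"arn:aws:firehose:us-west-2:{ACCOUNT}:deliverystream/aws-waf-logs-api"],
    },
    # logging never configured
    f"arn:aws:wafv2:us-west-2:{ACCOUNT}:regional/webacl/web/22222222-2222-2222-2222-222222222222": None,
    # delivery stream lacks the mandatory name prefix
    f"arn:aws:wafv2:us-west-2:{ACCOUNT}:regional/webacl/legacy/33333333-3333-3333-3333-333333333333": {
        "LogDestinationConfigs": [f"arn:aws:firehose:us-west-2:{ACCOUNT}:deliverystream/waf-logs"],
    },
    # global web ACL whose delivery stream is not in us-east-1
    f"arn:aws:wafv2:us-east-1:{ACCOUNT}:global/webacl/cdn/44444444-4444-4444-4444-444444444444": {
        "LogDestinationConfigs": [f"arn:aws:firehose:us-west-2:{ACCOUNT}:deliverystream/aws-waf-logs-cdn"],
    },
}

if __name__ == "__main__":
    for arn, (status, reason) in evaluate_all(SAMPLE_INVENTORY).items():
        print(f"{status:14} {arn.split('/')[2]:8} {reason}")
```

Run it as-is to see the four verdicts on the sample; replace SAMPLE_INVENTORY with fetch_inventory("<region>") (and scope "CLOUDFRONT" with region "us-east-1" for global web ACLs) to audit a real account.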

Implementation Steps:

Step 1: Log in to the AWS Management Console and go to the AWS WAF console at (use the AWS WAF console, not AWS WAF Classic; this policy covers WAFv2 web ACLs)

Step 2: Click on Web ACLs in the left navigation pane

Step 3: Choose the web ACL that you want to enable logging for

Step 4: Click on the Logging and metrics tab.

Step 5: Click on Enable logging button

Step 6: Select the Kinesis Data Firehose delivery stream that you created as a prerequisite; you must choose a delivery stream whose name begins with “aws-waf-logs-”.

Step 7: As your organization's policy requires, choose any fields to redact and add any logging filters, then click the Save button.

Using AWS CLI:

To create a logging configuration for the web ACL ARN with the specified Kinesis Data Firehose delivery stream ARN (ResourceArn is the web ACL, LogDestinationConfigs the delivery stream; both must be given, and the delivery stream name must start with aws-waf-logs-)

aws wafv2 put-logging-configuration \
    --logging-configuration ResourceArn=arn:aws:wafv2:us-west-2:123456789012:regional/webacl/test/a1b2c3d4-5678-90ab-cdef-EXAMPLE22222,LogDestinationConfigs=arn:aws:firehose:us-west-2:123456789012:deliverystream/aws-waf-logs-custom-transformation \
    --region us-west-2
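Step 7 (redacted fields and log filters) has no CLI counterpart on this page. The script below is an added example, not the page's own code: it builds the same LoggingConfiguration structure that put-logging-configuration accepts, with the Authorization and Cookie headers redacted so credentials never reach the log store, and an optional filter that keeps only requests matching chosen actions (for example BLOCK and COUNT) to cut volume. It checks the delivery stream prefix and Region before anything is sent. The ARNs are the page's own example values; the apply step assumes boto3, which the page does not mention, and only runs when called.

```python
"""Build, validate and apply a WAFv2 logging configuration (added example, not from the page)."""
import json

FIREHOSE_PREFIX = "aws-waf-logs-"


def arn_region(arn):
    """The fourth colon-separated field of an ARN is the Region."""
    return arn.split(":")[3]


def destination_problems(web_acl_arn, firehose_arn):
    """Reasons the delivery stream cannot receive this web ACL's logs (empty when OK)."""
    problems = []
    stream_name = firehose_arn.split("/", 1)[1]
    if not stream_name.startswith(FIREHOSE_PREFIX):
        problems.append(f"delivery stream name must start with {FIREHOSE_PREFIX!r}: {stream_name}")
    scope = web_acl_arn.split(":")[5].split("/")[0]  # "regional" or "global"
    want_region = "us-east-1" if scope == "global" else arn_region(web_acl_arn)
    if arn_region(firehose_arn) != want_region:
        problems.append(f"delivery stream must be in {want_region}, is in {arn_region(firehose_arn)}")
    return problems


def build_logging_configuration(web_acl_arn, firehose_arn,
                                redact_headers=("authorization", "cookie"),
                                keep_only_actions=None):
    """Return a LoggingConfiguration dict for put-logging-configuration.

    redact_headers: request headers whose values appear as REDACTED in the log.
    keep_only_actions: optional set such as {"BLOCK", "COUNT"}; when given, a
    LoggingFilter keeps requests matching any of those actions and drops the rest.
    """
    problems = destination_problems(web_acl_arn, firehose_arn)
    if problems:
        raise ValueError("; ".join(problems))
    config = {
        "ResourceArn": web_acl_arn,
        "LogDestinationConfigs": [firehose_arn],
        "RedactedFields": [{"SingleHeader": {"Name": h.lower()}} for h in redact_headers],
    }
    if keep_only_actions:
        config["LoggingFilter"] = {
            "DefaultBehavior": "DROP",
            "Filters": [{
                "Behavior": "KEEP",
                "Requirement": "MEETS_ANY",
                "Conditions": [{"ActionCondition": {"Action": a}} for a in sorted(keep_only_actions)],
            }],
        }
    return config


def apply_logging_configuration(config):
    """Live step (assumed boto3 usage): same call as the put-logging-configuration CLI command."""
    import boto3  # assumed dependency, not part of the page
    waf = boto3.client("wafv2", region_name=arn_region(config["ResourceArn"]))
    return waf.put_logging_configuration(LoggingConfiguration=config)["LoggingConfiguration"]


# The page's example ARNs.
WEB_ACL_ARN = "arn:aws:wafv2:us-west-2:123456789012:regional/webacl/test/a1b2c3d4-5678-90ab-cdef-EXAMPLE22222"
FIREHOSE_ARN = "arn:aws:firehose:us-west-2:123456789012:deliverystream/aws-waf-logs-custom-transformation"

if __name__ == "__main__":
    cfg = build_logging_configuration(WEB_ACL_ARN, FIREHOSE_ARN, keep_only_actions={"BLOCK", "COUNT"})
    print(json.dumps(cfg, indent=2))  # save this and pass it with --logging-configuration file://cfg.json
```

Printing the JSON and feeding it to the CLI with --logging-configuration file://cfg.json gives the same result as calling apply_logging_configuration(cfg) and keeps the change reviewable before it is applied. Dropping ALLOW records is a volume trade-off; keep them if your detection content needs to baseline normal traffic.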

Backout Plan:

Step 1: Log in to the AWS Management Console and go to the AWS WAF console at

Step 2: Click on Web ACLs in the left navigation pane

Step 3: Choose the web ACL that you want to disable logging for.

Step 4: On the Logging and metrics tab, choose Disable logging.

Using AWS CLI:

To disable logging for a web ACL (this removes the logging configuration; the Firehose delivery stream itself is left in place)

aws wafv2 delete-logging-configuration \
    --resource-arn arn:aws:wafv2:us-west-2:123456789012:regional/webacl/test/a1b2c3d4-5678-90ab-cdef-EXAMPLE22222 \
    --region us-west-2