Profile Applicability

  • Level 2

Description

Enabling logging for AWS WAF Classic Global WebACLs provides detailed information about web traffic analyzed by the WebACL. Logs include request details, matched rules, and actions taken, which are essential for monitoring, troubleshooting, and auditing web application security.

Rationale

  • Enhanced Monitoring: Provides visibility into web traffic and security events.

  • Improved Troubleshooting: Simplifies debugging by capturing detailed logs.

  • Compliance: Supports operational monitoring and auditing requirements.

Impact

Pros:

  • Enables proactive monitoring and issue resolution.

  • Improves visibility into web application security.

  • Supports compliance with security and governance standards.

Cons:

  • May incur additional costs for storing logs in Amazon Kinesis Data Firehose or other destinations.

  • Requires proper configuration to manage and retain logs effectively.

Default Value

By default, logging is not enabled for AWS WAF Classic Global WebACLs. It must be explicitly configured.

Pre-Requisite

IAM Permissions Required:

  • waf:PutLoggingConfiguration

  • waf:DeleteLoggingConfiguration

  • firehose:ListDeliveryStreams

  • AWS CLI installed and configured.

Remediation

Test Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to AWS WAF Classic > WebACLs.

  3. Select the WebACL to review its configuration.

  4. Verify if logging is enabled under the Logging and Metrics section.

Using AWS CLI:

  1. Describe the WebACL logging configuration:

    aws waf get-logging-configuration --resource-arn <web-acl-arn>

  2. Check the output for the LoggingConfiguration field. Ensure it is not empty.

Implementation Steps:

Using AWS Console:

  1. Navigate to AWS WAF Classic > WebACLs.

  2. Select the WebACL to update.

  3. Enable logging by associating the WebACL with an Amazon Kinesis Data Firehose delivery stream.

  4. Save the changes.

Using AWS CLI:

  1. Enable logging for the WebACL:

    aws waf put-logging-configuration \

--logging-configuration ResourceArn=<web-acl-arn>,LogDestinationConfigs=<firehose-arn>

  1. Verify the updated configuration:

    aws waf get-logging-configuration --resource-arn <web-acl-arn>

Backout Plan

Using AWS Console:

  1. If enabling logging causes issues, sign in to the AWS Management Console.

  2. Navigate to AWS WAF & Shield, select the Global WebACL, and go to the Logging section.

  3. Disable logging by selecting None for the Log destination.

  4. Save the changes and verify that logging is no longer enabled.

Using AWS CLI:

  1. To disable logging, run:

    aws waf delete-logging-configuration --resource-arn <WEB_ACL_ARN>

  2. Verify that logging is disabled by running:

    aws waf get-logging-configuration

References

CIS Controls

Version

Control ID

Control Description

IG1

IG2

IG3

v8

5.3

Securely Manage Network Infrastructure – Ensure network devices are resilient and fault-tolerant.

v8

13.2

Ensure Secure Network Communication – Implement measures that prevent disruption during network changes.