Profile Applicability:
Level 1
Description:
AWS WAFv2 (Web Application Firewall) provides robust protection for your web applications by filtering traffic. Enabling logging for WebACLs allows you to capture detailed information about the requests that are evaluated and blocked by your WAF rules. This log data can be invaluable for monitoring, troubleshooting, and improving security posture. This SOP ensures that logging is enabled for your AWS WAFv2 WebACLs to provide visibility into the web traffic patterns and the actions taken by the WAF.
Rationale:
Security: Enabling logging ensures you have visibility into the traffic that your WAF is blocking or allowing. This helps you identify potential threats or suspicious activity.
Auditability: Logs from WAF enable you to audit requests and analyze security events, helping in incident response and ensuring compliance with industry regulations.
Troubleshooting: Logs help diagnose issues with WAF rules, understand traffic patterns, and improve the accuracy of WAF rule configurations.
Best Practices: Enabling logging is considered a best practice for maintaining visibility into security operations and ensures that all WAF actions are recorded for auditing purposes.
Impact:
Pros:
Improved Security: Logs provide detailed visibility into the security posture of your web application, enabling better threat detection and response.
Compliance: Meets security and audit compliance requirements for monitoring and logging web application traffic.
Operational Insight: Helps with troubleshooting WAF rules and understanding the traffic being filtered.
Cons:
Cost: Enabling logging increases the cost for Amazon S3 storage and CloudWatch Logs due to the volume of log data generated, particularly with high-traffic web applications.
Storage Management: Large log volumes can result in management overhead for data retention and analysis, requiring efficient log storage practices.
Default Value:
By default, WAFv2 WebACL logging is not enabled. Logging must be explicitly configured during or after the creation of a WebACL to capture request logs.
Pre-requisite:
AWS IAM Permissions:
wafv2:GetWebACL
wafv2:GetLoggingConfiguration
wafv2:PutLoggingConfiguration
wafv2:DeleteLoggingConfiguration (required for the Backout Plan)
AWS CLI installed and configured.
An Amazon S3 bucket or a CloudWatch Logs log group to receive the logs. AWS WAF only accepts destinations whose name begins with aws-waf-logs-; a destination without that prefix is rejected when logging is configured.
Test Plan:
Using AWS Console:
Sign in to the AWS Management Console.
Navigate to AWS WAF & Shield under Security, Identity, & Compliance.
In the WAFv2 Console, go to WebACLs.
Select the WebACL you want to check.
Under the Logging tab, verify if logging is enabled.
If logging is enabled, it will show the S3 bucket or CloudWatch Logs group where logs are stored.
If not enabled, proceed with the Implementation Steps to enable logging.
Using AWS CLI:
To check if logging is enabled for the WebACL, run the following command:
aws wafv2 get-logging-configuration --resource-arn <web-acl-arn>
If logging is enabled, the command returns a LoggingConfiguration whose LogDestinationConfigs lists the destination for log storage (either S3 or CloudWatch Logs):
{ "LoggingConfiguration": { "ResourceArn": "<web-acl-arn>", "LogDestinationConfigs": [ "arn:aws:s3:::<bucket-name>" ] } }
If no logging configuration exists, the command fails with a WAFNonexistentItemException error, which means logging is not enabled.
Implementation Steps:
Using AWS Console:
Sign in to the AWS Management Console and navigate to AWS WAF & Shield.
In the WAFv2 Console, go to WebACLs and select the WebACL you want to configure.
Under the Logging section, click Edit.
Enable logging and choose the destination:
CloudWatch Logs: Select a CloudWatch Logs group for storing logs.
Amazon S3: Specify an S3 bucket to store logs.
Save the changes to enable logging for your WebACL.
Using AWS CLI:
To enable WAFv2 WebACL logging to CloudWatch Logs, run the following command (the log group name must begin with aws-waf-logs-):
aws wafv2 put-logging-configuration --logging-configuration '{"ResourceArn":"<web-acl-arn>","LogDestinationConfigs":["arn:aws:logs:<region>:<account-id>:log-group:aws-waf-logs-<log-group-name>"]}'
Alternatively, to enable S3 logging, use (the bucket name must begin with aws-waf-logs-):
aws wafv2 put-logging-configuration --logging-configuration '{"ResourceArn":"<web-acl-arn>","LogDestinationConfigs":["arn:aws:s3:::aws-waf-logs-<bucket-name>"]}'
To verify that logging has been enabled, run the following command and confirm the destination appears under LogDestinationConfigs:
aws wafv2 get-logging-configuration --resource-arn <web-acl-arn>
Backout Plan:
Using AWS Console:
If logging causes issues or unwanted log generation, sign in to the AWS Management Console.
Navigate to AWS WAFv2 and select the WebACL.
In the Logging section, click Disable Logging.
Save the changes to disable logging.
Using AWS CLI:
To disable logging for a WAFv2 WebACL, delete its logging configuration:
aws wafv2 delete-logging-configuration --resource-arn <web-acl-arn>
Verify that logging has been disabled by reading the logging configuration again; the command should now fail with a WAFNonexistentItemException error:
aws wafv2 get-logging-configuration --resource-arn <web-acl-arn>
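The Test Plan, Implementation Steps and Backout Plan above can be automated across every WebACL in a scope. The following script is an added example and is not part of this SOP or of any AWS tooling; it assumes boto3 is installed only when run with --live against a real account, that the destination you pass already exists, and the WebACL names, account ID and ARNs in FakeWafv2Client are constructed so the script runs offline. Beyond the single-ACL check in the text, it also flags a destination that lacks the mandatory aws-waf-logs- prefix and a LoggingFilter whose DefaultBehavior is DROP, since either leaves the log incomplete.

```python
"""Audit, remediate and back out WAFv2 WebACL logging (added example, not part of this SOP).
Assumptions: boto3 is needed only for --live runs; destination ARNs already exist;
all account IDs, WebACL names and ARNs in FakeWafv2Client are constructed sample data.
"""
from __future__ import annotations

import sys
from typing import Any

# AWS WAF only accepts destinations (log group, bucket, Firehose stream) whose
# name starts with this prefix; put_logging_configuration rejects anything else.
REQUIRED_PREFIX = "aws-waf-logs-"


def destination_name(arn: str) -> str:
    """Return the resource-name part of an S3, CloudWatch Logs or Firehose ARN."""
    if ":deliverystream/" in arn:            # arn:aws:firehose:...:deliverystream/<name>
        return arn.split(":deliverystream/", 1)[1]
    return arn.rsplit(":", 1)[1]             # arn:aws:s3:::<bucket>, ...:log-group:<name>


def evaluate_logging_config(config: dict[str, Any] | None) -> dict[str, Any]:
    """Classify one LoggingConfiguration (None means the API reported no configuration)."""
    if not config:
        return {"enabled": False, "destinations": [], "findings": ["logging not enabled"]}
    destinations = list(config.get("LogDestinationConfigs", []))
    findings = []
    for arn in destinations:
        if not destination_name(arn).startswith(REQUIRED_PREFIX):
            findings.append(f"destination {arn} lacks the {REQUIRED_PREFIX} prefix")
    # A filter with DefaultBehavior DROP discards unmatched requests, so the log
    # is no longer a complete record of WAF decisions; flag it for review.
    if config.get("LoggingFilter", {}).get("DefaultBehavior") == "DROP":
        findings.append("logging filter drops unmatched requests by default")
    return {"enabled": bool(destinations), "destinations": destinations, "findings": findings}


def audit_web_acls(client, scope: str = "REGIONAL") -> list[dict[str, Any]]:
    """Test Plan, automated: evaluate logging for every WebACL in the given scope."""
    results, kwargs = [], {"Scope": scope, "Limit": 100}
    while True:
        page = client.list_web_acls(**kwargs)
        for acl in page["WebACLs"]:
            try:
                config = client.get_logging_configuration(ResourceArn=acl["ARN"])["LoggingConfiguration"]
            except client.exceptions.WAFNonexistentItemException:
                config = None                # the API's way of saying "not enabled"
            results.append({"name": acl["Name"], "arn": acl["ARN"], **evaluate_logging_config(config)})
        if len(page["WebACLs"]) < kwargs["Limit"] or not page.get("NextMarker"):
            return results                   # a short page means nothing is left to fetch
        kwargs["NextMarker"] = page["NextMarker"]


def enable_logging(client, web_acl_arn: str, destination_arn: str) -> dict[str, Any]:
    """Implementation Steps, automated: set one destination, then re-read to verify."""
    if not destination_name(destination_arn).startswith(REQUIRED_PREFIX):
        raise ValueError(f"destination name must start with {REQUIRED_PREFIX}")
    client.put_logging_configuration(
        LoggingConfiguration={"ResourceArn": web_acl_arn, "LogDestinationConfigs": [destination_arn]}
    )
    return evaluate_logging_config(
        client.get_logging_configuration(ResourceArn=web_acl_arn)["LoggingConfiguration"]
    )


def disable_logging(client, web_acl_arn: str) -> bool:
    """Backout Plan, automated: delete the configuration and confirm it is gone."""
    client.delete_logging_configuration(ResourceArn=web_acl_arn)
    try:
        client.get_logging_configuration(ResourceArn=web_acl_arn)
    except client.exceptions.WAFNonexistentItemException:
        return True
    return False


class FakeWafv2Client:
    """Offline stand-in for the four wafv2 calls used above, holding constructed data."""

    class exceptions:
        class WAFNonexistentItemException(Exception):
            pass

    def __init__(self) -> None:
        base = "arn:aws:wafv2:eu-west-1:111122223333:regional/webacl/"   # constructed
        self.acls = [{"Name": "shop-frontend", "ARN": base + "shop-frontend/EXAMPLE1"},
                     {"Name": "partner-api", "ARN": base + "partner-api/EXAMPLE2"}]
        self.configs = {self.acls[0]["ARN"]: {                          # only the first ACL logs
            "ResourceArn": self.acls[0]["ARN"],
            "LogDestinationConfigs": ["arn:aws:s3:::aws-waf-logs-shop-audit"]}}

    def list_web_acls(self, Scope, Limit=100, NextMarker=None):
        return {"WebACLs": list(self.acls)}

    def get_logging_configuration(self, ResourceArn):
        if ResourceArn not in self.configs:
            raise self.exceptions.WAFNonexistentItemException(ResourceArn)
        return {"LoggingConfiguration": self.configs[ResourceArn]}

    def put_logging_configuration(self, LoggingConfiguration):
        self.configs[LoggingConfiguration["ResourceArn"]] = LoggingConfiguration
        return {"LoggingConfiguration": LoggingConfiguration}

    def delete_logging_configuration(self, ResourceArn):
        self.configs.pop(ResourceArn, None)
        return {}


if __name__ == "__main__":
    if "--live" in sys.argv:
        import boto3                         # assumed installed; only needed for a real account
        client = boto3.client("wafv2")
    else:
        client = FakeWafv2Client()
    for r in audit_web_acls(client):
        verdict = "PASS" if r["enabled"] and not r["findings"] else "FAIL"
        print(f"{verdict} {r['name']}: {r['findings'] or r['destinations']}")
```

Run it without arguments to see the offline sample (one PASS, one FAIL); run with --live and a profile that holds the permissions listed under Pre-requisite to audit a real account, passing Scope "CLOUDFRONT" (in us-east-1) for CloudFront-attached WebACLs. The audit treats the WAFNonexistentItemException the same way the CLI check above does: no configuration means logging is not enabled.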