Profile Applicability:

  • Level 1

Description:

AWS WAFv2 is a web application firewall that helps protect your applications from common web exploits. Amazon CloudWatch provides monitoring and operational insights into your AWS resources. Enabling CloudWatch metrics for AWS WAFv2 WebACL rules or rule groups allows the collection of detailed performance metrics for monitoring and troubleshooting security events. This SOP ensures that CloudWatch metrics are enabled for the rules or rule groups in your WAFv2 WebACLs to capture and analyze traffic data, request counts, and other related metrics.

Rationale:

  • Security Monitoring: Enabling CloudWatch metrics allows you to track how your AWS WAF is interacting with traffic, helping to detect potential attacks or issues in real time.

  • Operational Insights: By collecting and visualizing metrics, you can optimize WAF configurations, improve response times, and quickly identify patterns in security events.

  • Compliance: Many compliance frameworks require logging and monitoring of security configurations. CloudWatch metrics enable easier tracking for audit purposes.

  • Best Practices: Enabling CloudWatch metrics is a recommended security best practice for monitoring and improving the performance of WAF rules and rule groups.

Impact:

Pros:

  • Enhanced Visibility: Provides metrics that help you understand traffic patterns and evaluate rule effectiveness.

  • Faster Troubleshooting: Quick access to CloudWatch metrics helps identify issues in WAF configuration or rule behavior.

  • Compliance: Meets logging and monitoring requirements for many security compliance frameworks.

Cons:

  • Cost: Alarms, dashboards and metric queries built on the WAF metrics are billed, and with many rules and high request volume the number of metrics to watch grows accordingly.

  • Performance Overhead: Metrics are emitted by the AWS WAF service itself and do not add latency to request inspection. The practical overhead is metric volume, one metric per distinct MetricName, which calls for consistent naming so the data stays readable.

Default Value:

Every WAFv2 WebACL and every rule in it carries a required VisibilityConfig block with three fields: SampledRequestsEnabled, CloudWatchMetricsEnabled and MetricName. There is no account-level default for CloudWatchMetricsEnabled; its value is whatever was supplied when the WebACL or rule was created or last updated (through the console, CLI, API, CloudFormation or Terraform), so it must be checked and set explicitly for each WebACL and each rule.

Pre-requisite:

  • AWS IAM Permissions:

    • wafv2:ListWebACLs

    • wafv2:GetWebACL

    • wafv2:UpdateWebACL

    • wafv2:GetRuleGroup (only needed to inspect the rules inside rule groups you own)

  • AWS CLI installed and configured. WebACLs protecting CloudFront distributions use --scope CLOUDFRONT and must be addressed through the us-east-1 region; all other WebACLs use --scope REGIONAL in the region where they live.

  • AWS WAFv2 WebACL created and operational.

Test Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to AWS WAF & Shield under Services.

  3. In the WAFv2 Console, go to WebACLs and select the WebACL you want to check.

  4. Under the Rules tab, review each rule or rule group.

  5. Check if the CloudWatch Metrics field is enabled for each rule or rule group. If metrics are enabled, it will show Enabled.

  6. If metrics are not enabled, follow the Implementation Steps to enable CloudWatch metrics for the rules.

Using AWS CLI:

  1. List the WebACLs in scope (use --scope CLOUDFRONT with --region us-east-1 for CloudFront WebACLs):

    aws wafv2 list-web-acls --scope REGIONAL --region <region>

  2. Describe a WebACL and extract the metric setting for the WebACL itself and for each of its rules (the setting lives in VisibilityConfig, at WebACL level and inside every rule):

    aws wafv2 get-web-acl --name <web-acl-name> --scope REGIONAL --id <web-acl-id> --region <region> \
      --query '{WebACL:WebACL.VisibilityConfig.CloudWatchMetricsEnabled,Rules:WebACL.Rules[*].{Name:Name,CloudWatchMetricsEnabled:VisibilityConfig.CloudWatchMetricsEnabled}}'

  3. The output shows the setting for the WebACL and for each rule:

    {
      "WebACL": true,
      "Rules": [
        {
          "Name": "<rule-name>",
          "CloudWatchMetricsEnabled": true
        }
      ]
    }

  4. Any false value means metrics are not enabled for that WebACL or rule. A rule that references a rule group you own is checked here through its own VisibilityConfig; the rules inside that rule group are checked the same way with aws wafv2 get-rule-group, replacing WebACL with RuleGroup in the --query expression.

Implementation Steps:

Using AWS Console:

  1. Sign in to the AWS Management Console and navigate to AWS WAF & Shield.

  2. In the WAFv2 Console, select WebACLs and choose the WebACL you want to modify.

  3. Under the Rules tab, select the rule or rule group that you want to enable CloudWatch metrics for.

  4. Edit the rule or rule group and enable CloudWatch Metrics under the CloudWatch Metrics section.

  5. Save the changes to ensure metrics are enabled.

Using AWS CLI:

  1. Save the current WebACL definition together with its lock token. update-web-acl replaces the entire WebACL, so the saved rules are what preserves the rule set:

    aws wafv2 get-web-acl --name <web-acl-name> --scope REGIONAL --id <web-acl-id> --region <region> > webacl.json

  2. Build the update request from the saved definition with CloudWatchMetricsEnabled set to true on the WebACL and on every rule (requires jq). Anything update-web-acl does not receive is dropped from the WebACL, which is why DefaultAction, Rules, custom response bodies, CAPTCHA and challenge configuration and token domains are all passed back:

    jq '{Name: .WebACL.Name, Scope: "REGIONAL", Id: .WebACL.Id, LockToken: .LockToken,
         DefaultAction: .WebACL.DefaultAction, Description: .WebACL.Description,
         CustomResponseBodies: .WebACL.CustomResponseBodies, CaptchaConfig: .WebACL.CaptchaConfig,
         ChallengeConfig: .WebACL.ChallengeConfig, TokenDomains: .WebACL.TokenDomains,
         AssociationConfig: .WebACL.AssociationConfig,
         VisibilityConfig: (.WebACL.VisibilityConfig | .CloudWatchMetricsEnabled = true),
         Rules: [.WebACL.Rules[] | .VisibilityConfig.CloudWatchMetricsEnabled = true]}
         | with_entries(select(.value != null and .value != ""))' webacl.json > update.json

     Inside Rules, the setting sits in each rule's VisibilityConfig next to SampledRequestsEnabled and MetricName. A rule that evaluates its own statement carries an Action; a rule that references a rule group carries an OverrideAction instead, never both. A single rule entry looks like this:

    {
      "Name": "<rule-name>",
      "Priority": 1,
      "Statement": {"SqliMatchStatement": {"FieldToMatch": {"Body": {}}, "TextTransformations": [{"Priority": 0, "Type": "NONE"}]}},
      "Action": {"Block": {}},
      "VisibilityConfig": {"SampledRequestsEnabled": true, "CloudWatchMetricsEnabled": true, "MetricName": "<rule-metric-name>"}
    }

  3. Apply the update. If the WebACL was changed by someone else since step 1, the stale lock token makes the call fail with WAFOptimisticLockException; repeat from step 1 rather than forcing the change:

    aws wafv2 update-web-acl --cli-input-json file://update.json --region <region>

  4. Verify that CloudWatch metrics are now enabled on the WebACL and on every rule:

    aws wafv2 get-web-acl --name <web-acl-name> --scope REGIONAL --id <web-acl-id> --region <region> \
      --query '{WebACL:WebACL.VisibilityConfig.CloudWatchMetricsEnabled,Rules:WebACL.Rules[*].{Name:Name,CloudWatchMetricsEnabled:VisibilityConfig.CloudWatchMetricsEnabled}}'

Backout Plan:

Using AWS Console:

  1. If enabling CloudWatch metrics causes issues, navigate to the WebACL in the AWS WAF Console.

  2. In the Rules section, deselect the CloudWatch Metrics Enabled checkbox for the rule.

  3. Save the changes to disable CloudWatch metrics for the rule.

Using AWS CLI:

  1. Do not back out by calling update-web-acl with only --visibility-config: the call replaces the whole WebACL, and a request without --rules leaves the WebACL with no rules at all. Rebuild the request from a fresh copy of the WebACL instead, with CloudWatchMetricsEnabled set to false on the WebACL and on each rule, and apply it with its current lock token:

    aws wafv2 get-web-acl --name <WEBACL_NAME> --scope <REGIONAL_OR_CLOUDFRONT> --id <WEBACL_ID> --region <REGION> > webacl.json

    jq '{Name: .WebACL.Name, Scope: "<REGIONAL_OR_CLOUDFRONT>", Id: .WebACL.Id, LockToken: .LockToken,
         DefaultAction: .WebACL.DefaultAction, Description: .WebACL.Description,
         CustomResponseBodies: .WebACL.CustomResponseBodies, CaptchaConfig: .WebACL.CaptchaConfig,
         ChallengeConfig: .WebACL.ChallengeConfig, TokenDomains: .WebACL.TokenDomains,
         AssociationConfig: .WebACL.AssociationConfig,
         VisibilityConfig: (.WebACL.VisibilityConfig | .CloudWatchMetricsEnabled = false),
         Rules: [.WebACL.Rules[] | .VisibilityConfig.CloudWatchMetricsEnabled = false]}
         | with_entries(select(.value != null and .value != ""))' webacl.json > rollback.json

    aws wafv2 update-web-acl --cli-input-json file://rollback.json --region <REGION>

  2. Verify that CloudWatch metrics are no longer enabled by describing the WebACL again:

    aws wafv2 get-web-acl --name <WEBACL_NAME> --scope <REGIONAL_OR_CLOUDFRONT> --id <WEBACL_ID> --region <REGION> \
      --query '{WebACL:WebACL.VisibilityConfig.CloudWatchMetricsEnabled,Rules:WebACL.Rules[*].{Name:Name,CloudWatchMetricsEnabled:VisibilityConfig.CloudWatchMetricsEnabled}}'
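The test, implementation and backout procedures above, combined into one added Python script using boto3. This is example code written for this page, not AWS tooling or the SOP's own script. It assumes boto3 is installed and credentials carry the permissions listed under Pre-requisite; SAMPLE_GET_RESPONSE is a constructed get_web_acl response with made-up names (example-acl, block-sqli, aws-common), used so the audit and request-building functions can be exercised offline. It goes beyond the single-WebACL commands by walking every WebACL in both scopes, and it carries the full rule list and lock token into each update for the reasons given in the implementation steps.

```python
"""Audit and remediate CloudWatch metric visibility on AWS WAFv2 web ACLs.
Added example, not part of the SOP. The pure functions take the dict that
boto3's get_web_acl returns and run offline on the constructed sample below;
main() needs boto3 plus wafv2:ListWebACLs/GetWebACL (and UpdateWebACL for --fix).
"""
import copy
import sys

# Keys of GetWebACL's WebACL that UpdateWebACL accepts. UpdateWebACL replaces
# the whole definition, so anything not passed back (rules included) is lost.
PASSTHROUGH_KEYS = ("Name", "Id", "DefaultAction", "Description", "Rules",
                    "VisibilityConfig", "CustomResponseBodies", "CaptchaConfig",
                    "ChallengeConfig", "TokenDomains", "AssociationConfig")


def metric_gaps(web_acl):
    """Return names whose VisibilityConfig has CloudWatchMetricsEnabled false:
    '<web-acl>' for the web ACL itself, otherwise rule names. Empty = compliant."""
    gaps = []
    if not web_acl.get("VisibilityConfig", {}).get("CloudWatchMetricsEnabled"):
        gaps.append("<web-acl>")
    for rule in web_acl.get("Rules", []):
        if not rule.get("VisibilityConfig", {}).get("CloudWatchMetricsEnabled"):
            gaps.append(rule["Name"])
    return gaps


def build_update(get_response, scope, enabled=True):
    """Build update_web_acl kwargs from a get_web_acl response, setting
    CloudWatchMetricsEnabled on the web ACL and every rule. The full rule list is
    carried over so the update does not wipe the rules, and the LockToken so a
    concurrent change fails with WAFOptimisticLockException instead of being
    overwritten. enabled=False builds the backout request."""
    acl = copy.deepcopy(get_response["WebACL"])
    # Skip empty values: the API rejects e.g. an empty Description string.
    params = {k: acl[k] for k in PASSTHROUGH_KEYS if acl.get(k) not in (None, "", [], {})}
    params["Scope"] = scope
    params["LockToken"] = get_response["LockToken"]
    params["VisibilityConfig"]["CloudWatchMetricsEnabled"] = enabled
    for rule in params.get("Rules", []):
        rule["VisibilityConfig"]["CloudWatchMetricsEnabled"] = enabled
    return params


def iter_web_acls(client, scope):
    """Page through list_web_acls for one scope via NextMarker."""
    kwargs = {"Scope": scope}
    while True:
        page = client.list_web_acls(**kwargs)
        yield from page["WebACLs"]
        marker = page.get("NextMarker")
        if not page["WebACLs"] or not marker or marker == kwargs.get("NextMarker"):
            return
        kwargs["NextMarker"] = marker


def main(argv):
    """Live run: report gaps in both scopes; pass --fix to remediate them."""
    import boto3  # needed only for the live run
    fix = "--fix" in argv
    # CLOUDFRONT-scoped web ACLs are only reachable through us-east-1.
    for scope, region in (("REGIONAL", None), ("CLOUDFRONT", "us-east-1")):
        client = boto3.client("wafv2", region_name=region)
        for summary in iter_web_acls(client, scope):
            resp = client.get_web_acl(Name=summary["Name"], Scope=scope, Id=summary["Id"])
            gaps = metric_gaps(resp["WebACL"])
            if not gaps:
                continue
            print(f"{scope} {summary['Name']}: CloudWatch metrics disabled on {gaps}")
            if fix:
                client.update_web_acl(**build_update(resp, scope))
                print(f"  enabled CloudWatch metrics on {summary['Name']}")


def _vc(name, enabled):  # VisibilityConfig block as the API shapes it
    return {"SampledRequestsEnabled": True, "CloudWatchMetricsEnabled": enabled,
            "MetricName": name}


# Constructed sample shaped like a get_web_acl response (not real account data):
# the web ACL itself and one rule have metrics off, the managed rule group has them on.
SAMPLE_GET_RESPONSE = {
    "WebACL": {
        "Name": "example-acl", "Id": "00000000-0000-0000-0000-000000000000",
        "DefaultAction": {"Allow": {}}, "Capacity": 720,
        "Rules": [
            {"Name": "block-sqli", "Priority": 0, "Action": {"Block": {}},
             "Statement": {"SqliMatchStatement": {"FieldToMatch": {"Body": {}},
                           "TextTransformations": [{"Priority": 0, "Type": "NONE"}]}},
             "VisibilityConfig": _vc("block-sqli", False)},
            {"Name": "aws-common", "Priority": 1, "OverrideAction": {"None": {}},
             "Statement": {"ManagedRuleGroupStatement": {
                 "VendorName": "AWS", "Name": "AWSManagedRulesCommonRuleSet"}},
             "VisibilityConfig": _vc("aws-common", True)},
        ],
        "VisibilityConfig": _vc("example-acl", False),
    },
    "LockToken": "a1b2c3d4-0000-0000-0000-000000000000",
}

if __name__ == "__main__":
    main(sys.argv[1:])
```

Run it with no arguments to get a report only; add --fix to remediate. Read-only fields such as Capacity and ARN are deliberately not in PASSTHROUGH_KEYS because update_web_acl rejects them, and the deep copy keeps the original response untouched so the audit can be re-run on it afterwards.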

References:

CIS Controls Mapping:

  Version   Control ID   Control Description                                                                                                            IG1   IG2   IG3

  v8        3.4          Encrypt Data on End-User Devices – Ensure data encryption during file system access.

  v8        6.7          Implement Application Layer Filtering and Content Control – Ensure appropriate content filtering is applied to sensitive files.

  v8        6.8          Define and Maintain Role-Based Access Control – Implement and manage role-based access for file systems.

  v8        14.6         Protect Information Through Access Control Lists – Apply strict access control to file systems.