AWS Introduction
AWS Pricing
AWS Threats
AWS Misconfigurations
- Getting Started with AWS Audit
- Permissions required for Misconfigurations Detection
- API Gateway Audit
- Cloudformation Audit
- CloudFront Audit
- CloudTrail Audit
- Cloudwatch Audit
- DynamoDB Audit
- EC2 Audit
- Elastic Search Audit
- ELB Audit
- IAM Audit
- KMS Audit
- Kubernetes Audit
- Lambda Audit
- RDS Audit
- Redshift Audit
- Route53 Audit
- S3 Audit
- Security Groups Audit
- SES Audit
- SNS Audit
- IAM Deep Dive
- App Sync Audit
- Code Build Audit
- Open Search Audit
- Shield Audit
- SQS Audit
WAF Logging Should Be Enabled
More Info:
WAF logging should be enabled
Risk Level
Medium
Address
Security, Reliability, Operational Maturity
Compliance Standards
CBP,GDPR,HIPAA,ISO27001,SEBI,RBI_MD_ITF,RBI_UCB
Triage and Remediation
Remediation
To remediate the misconfiguration of WAF Logging not being enabled in AWS CloudWatch using the AWS Management Console, follow these steps:
-
Sign in to the AWS Management Console: Go to https://aws.amazon.com/ and sign in to your AWS account.
-
Navigate to AWS WAF Console: Click on the “Services” dropdown menu at the top of the page, search for “WAF & Shield” under the Security, Identity, & Compliance category, and click on it.
-
Select the Web ACL: In the left-hand navigation pane, click on “Web ACLs”.
-
Choose the Web ACL: Select the Web ACL for which you want to enable logging by clicking on its name.
-
Enable Logging: In the Web ACL details page, click on the “Logging” tab.
-
Enable Logging: Click on the “Edit” button to modify the logging configuration.
-
Enable Logging: Toggle the “Enable Logging” option to enable logging for the Web ACL.
-
Choose Logging Destination: Select the CloudWatch log group where you want to store the logs. If you don’t have an existing log group, you can create a new one by clicking on the “Create a new CloudWatch log group” button.
-
Save Changes: Click on the “Update” button to save the changes and enable logging for the Web ACL.
-
Verify Logging: To verify that logging is enabled, you can check the CloudWatch logs in the specified log group to ensure that the WAF logs are being generated and stored correctly.
By following these steps, you will successfully remediate the misconfiguration of WAF Logging not being enabled in AWS CloudWatch using the AWS Management Console.
To remediate the misconfiguration of WAF logging not being enabled in AWS CloudWatch using AWS CLI, follow these steps:
-
Enable logging for your Web Application Firewall (WAF) in the AWS Management Console:
- Navigate to the AWS WAF console.
- Select the WebACL for which you want to enable logging.
- Click on the “Logging and Metrics” tab.
- Click on “Edit Logging Configuration” and enable logging.
- Choose the Amazon Kinesis Data Firehose delivery stream or Amazon S3 bucket where you want to store the logs.
-
Use AWS CLI to enable logging for your WAF:
- Open your terminal or command prompt.
- Run the following AWS CLI command to associate a logging configuration with your WebACL:
Replace
aws waf-regional update-web-acl --web-acl-id <web-acl-id> --updates Action=INSERT,ActivatedRule={Priority=1,RuleId=AWSManagedRulesCommonRuleSetRuleID},LoggingConfiguration={LogDestinationConfigs=[<log-destination-arn>],RedactedFields=[{Type=URI,Data=FULL},{Type=QUERY_STRING,Data=ALL},{Type=HEADER,Data=ALL},{Type=SINGLE_QUERY_ARG,Data=ALL},{Type=ALL_QUERY_ARGS,Data=ALL}]}<web-acl-id>with the ID of your WebACL and<log-destination-arn>with the ARN of the Amazon Kinesis Data Firehose delivery stream or Amazon S3 bucket where you want to store the logs.
-
Verify that logging is enabled:
- Run the following AWS CLI command to describe the logging configuration for your WebACL:
aws waf-regional get-web-acl --web-acl-id <web-acl-id> - Check the output to ensure that the logging configuration is correctly set up and enabled.
- Run the following AWS CLI command to describe the logging configuration for your WebACL:
By following these steps, you can remediate the misconfiguration of WAF logging not being enabled in AWS CloudWatch using AWS CLI.
To enable WAF logging in AWS CloudWatch using Python, you can use the AWS SDK for Python (Boto3). Follow these steps to remediate the misconfiguration:
- Install Boto3:
pip install boto3
- Create a Python script with the following code:
import boto3
# Initialize the AWS service clients
waf_client = boto3.client('waf')
cloudwatch_client = boto3.client('cloudwatch')
# Get the WebACL Id
web_acl_id = 'YOUR_WEB_ACL_ID'
# Enable logging for the WebACL
response = waf_client.update_web_acl(
WebACLId=web_acl_id,
LoggingConfiguration={
'ResourceArn': 'arn:aws:logs:REGION:ACCOUNT_ID:log-group:LOG_GROUP_NAME',
'LogDestinationConfigs': [
'arn:aws:firehose:REGION:ACCOUNT_ID:deliverystream/FIREHOSE_NAME'
],
'RedactedFields': []
}
)
# Create a CloudWatch log group for the WAF logs
response = cloudwatch_client.create_log_group(
logGroupName='LOG_GROUP_NAME'
)
print("WAF logging has been enabled successfully.")
- Replace the following placeholders in the script:
YOUR_WEB_ACL_ID: Replace this with the ID of the WebACL for which you want to enable logging.REGION: Replace this with the AWS region where the logs will be stored.ACCOUNT_ID: Replace this with your AWS account ID.LOG_GROUP_NAME: Replace this with the name of the CloudWatch log group where WAF logs will be stored.FIREHOSE_NAME: Replace this with the name of the Kinesis Data Firehose delivery stream where logs will be delivered.
- Run the Python script to enable WAF logging in AWS CloudWatch:
python enable_waf_logging.py
After running this script, WAF logging will be enabled for the specified WebACL, and the logs will be stored in the CloudWatch log group you specified.