
Enable Logging for Web Access Control Lists

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)

Ensure that your Amazon WAF Web Access Control Lists (Web ACLs) are configured to capture information about all incoming requests. Amazon WAF is a web application firewall service that lets you monitor web requests that are forwarded to Amazon API Gateway APIs, Amazon CloudFront distributions, or Application Load Balancers in order to help protect them from attacks.

Security

To get detailed information about the web traffic analyzed by your Web Access Control Lists (Web ACLs) you must enable logging. The log entries include the time that Amazon WAF received the request from your AWS resource, detailed information about the request, and the action for the rule that each request matched. You can also send these logs to an Amazon Kinesis Firehose delivery stream with a configured storage destination.
Audit

To determine if logging is enabled for Web Access Control Lists (Web ACLs), perform the following operations:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon WAF console at https://console.aws.amazon.com/wafv2/.

03 In the left navigation panel, under AWS WAF section, choose Web ACLs. A Web ACL is a collection of firewall rules that allow you to take control over the web requests that your AWS resources respond to.

04 Click on the name of the Web ACL that you want to examine, available in the Name column.

05 Select the Logging and metrics tab and check the Logging configuration status available in the Logging section. If the Logging status is set to Disabled, the Logging feature is not enabled for the selected Amazon WAF Web Access Control List (Web ACL).

06 Repeat steps no. 4 and 5 for each Web ACL created within your AWS cloud account.

Using AWS CLI

01 Run the list-web-acls command (OSX/Linux/UNIX) to list the Amazon Resource Name (ARN) of each Web ACL created in your AWS cloud account. Use the --scope command parameter to describe the available Web ACLs based on the type of the associated resource (CLOUDFRONT for Amazon CloudFront distributions and REGIONAL for regional resources such as Application Load Balancers, API Gateway APIs, and AWS AppSync APIs). Web ACLs with the CLOUDFRONT scope are always managed through the us-east-1 region, so set --region us-east-1 when querying that scope:

aws wafv2 list-web-acls \
  --scope REGIONAL \
  --query 'WebACLs[*].ARN'

02 The command output should return the requested Amazon Resource Names (ARNs):

[
  "arn:aws:wafv2:us-east-1:123456789012:regional/webacl/cc-malicious-viewers-web-acl/abcdabcd-1234-abcd-1234-abcd1234abcd",
  "arn:aws:wafv2:us-east-1:123456789012:regional/webacl/cc-asp-bot-protection-web-acl/abcd1234-abcd-1234-abcd-1234abcd1234"
]

03 Run the get-logging-configuration command (OSX/Linux/UNIX), passing the ARN of the Web ACL that you want to examine as the identifier parameter and a custom query filter, to describe the Logging feature configuration for the specified Web ACL:

aws wafv2 get-logging-configuration \
  --resource-arn arn:aws:wafv2:us-east-1:123456789012:regional/webacl/cc-malicious-viewers-web-acl/abcdabcd-1234-abcd-1234-abcd1234abcd \
  --query 'LoggingConfiguration'

04 The command output should return the configuration metadata for the requested feature, or an error when no logging configuration exists for the Web ACL:

An error occurred (WAFNonexistentItemException) when calling the GetLoggingConfiguration operation: AWS WAF couldn’t perform the operation because your resource doesn’t exist.

If the get-logging-configuration command output returns a "WAFNonexistentItemException" error message, as shown in the example above, the Logging feature is not enabled for the selected Amazon WAF Web Access Control List (Web ACL).

05 Repeat steps no. 3 and 4 for each Web ACL available within your AWS cloud account.
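The CLI audit above (list the Web ACL ARNs, then call get-logging-configuration for each and treat a WAFNonexistentItemException as "logging disabled") can be automated in one script. The script below is an added example, not part of the Conformity page; the function names audit_waf_logging and waf_logging_compliant and the WAF_AUDIT_RUN variable are this example's own choices, and it assumes AWS CLI v2 with credentials allowed to call wafv2:ListWebACLs and wafv2:GetLoggingConfiguration. It generalizes the page's single-ACL check to every Web ACL in a scope and distinguishes the expected "not configured" error from other failures such as missing permissions.

```shell
#!/bin/sh
# Audit helper for AWS WAF (wafv2) logging. Added example, not the page's own
# code; assumes AWS CLI v2 and permissions for wafv2:ListWebACLs and
# wafv2:GetLoggingConfiguration.
set -eu

# Prints one line per Web ACL in the given scope:
#   "<ARN> ENABLED -> <log destination ARN>"  or  "<ARN> DISABLED"
# Any CLI failure other than WAFNonexistentItemException aborts the audit.
# $1 = scope (REGIONAL or CLOUDFRONT), $2 = region. CLOUDFRONT-scoped Web ACLs
# are always addressed through us-east-1, so the region is forced there.
audit_waf_logging() {
  scope="$1"
  region="$2"
  [ "$scope" = "CLOUDFRONT" ] && region="us-east-1"

  # --output text yields the ARNs tab-separated on one line; an account with
  # no Web ACLs prints nothing (or "None"), which the loop tolerates.
  arns=$(aws wafv2 list-web-acls --scope "$scope" --region "$region" \
           --query 'WebACLs[*].ARN' --output text)

  for arn in $arns; do
    [ "$arn" = "None" ] && continue
    # get-logging-configuration fails with WAFNonexistentItemException when
    # the Web ACL has no logging configuration at all (the console's
    # "Disabled" state); any other error is surfaced instead of being
    # mistaken for a disabled ACL.
    if out=$(aws wafv2 get-logging-configuration --region "$region" \
               --resource-arn "$arn" \
               --query 'LoggingConfiguration.LogDestinationConfigs[0]' \
               --output text 2>&1); then
      echo "$arn ENABLED -> $out"
    elif echo "$out" | grep -q WAFNonexistentItemException; then
      echo "$arn DISABLED"
    else
      echo "audit failed for $arn: $out" >&2
      return 1
    fi
  done
}

# Prints the report and returns 0 only when every Web ACL in the scope has
# logging enabled, so the script can gate a pipeline or scheduled check.
waf_logging_compliant() {
  report=$(audit_waf_logging "$1" "$2")
  echo "$report"
  ! echo "$report" | grep -q ' DISABLED$'
}

# Usage: WAF_AUDIT_RUN=1 sh waf-logging-audit.sh REGIONAL us-east-1
if [ "${WAF_AUDIT_RUN:-}" = "1" ]; then
  waf_logging_compliant "${1:-REGIONAL}" "${2:-us-east-1}"
fi
```

Run it once per scope (REGIONAL in every region where you deploy load balancers or APIs, and CLOUDFRONT once); a non-zero exit from waf_logging_compliant flags the account as non-compliant with this check.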

Remediation / Resolution

To enable logging for your Amazon WAF Web Access Control Lists (Web ACLs), perform the following operations:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Before you can enable logging for your Web ACLs, you need to create a delivery stream in Amazon Kinesis Firehose whose name starts with "aws-waf-logs-". To get started, navigate to Amazon Kinesis Firehose console at https://console.aws.amazon.com/kinesis/.

03 In the navigation panel, choose Data Firehose, and select Create delivery stream.

04 On the Kinesis Data Firehose - Create delivery stream setup page, perform the following actions:

  1. Enter a unique name for your new delivery stream that starts with aws-waf-logs- and choose Direct PUT or other sources for the Source.
  2. For Destination, choose Amazon S3 and select the name of the destination bucket from the S3 bucket dropdown list.
  3. Configure the rest of the available options based on your application requirements, then choose Create delivery stream to create your new Amazon Kinesis Firehose delivery stream.

05 Navigate to Amazon WAF console at https://console.aws.amazon.com/wafv2/.

06 In the left navigation panel, under AWS WAF section, choose Web ACLs.

07 Click on the name of the Web ACL that you want to reconfigure, available in the Name column.

08 Select the Logging and metrics tab and choose Enable logging within the Logging section.

09 On the Enable logging configuration page, perform the following actions:

  1. Under Amazon Kinesis Data Firehose Delivery Stream, choose Select a delivery stream, and choose the delivery stream created at the previous steps.
  2. (Optional) Under Redacted fields, select the data fields that you want to hide from the logs.
  3. Choose Enable logging to apply the changes. This will enable logging for the selected Amazon WAF Web Access Control List (Web ACL). When you enable logging, Amazon WAF creates a service-linked role with the necessary permissions to write logs to the Amazon Kinesis Data Firehose delivery stream.

10 Repeat steps no. 7 – 9 for each Web ACL created within your AWS cloud account.

Using AWS CLI

01 Before you can enable logging for your Web ACLs, you need to create a delivery stream in Amazon Kinesis Firehose whose name starts with "aws-waf-logs-". To create the required Amazon Kinesis Data Firehose delivery stream, run the create-delivery-stream command (OSX/Linux/UNIX). You can use Amazon S3 as the destination for the logging data, as shown in the example below. The RoleARN must reference an IAM role that Kinesis Data Firehose can assume and that has write access to the destination bucket:

aws firehose create-delivery-stream \
  --region us-east-1 \
  --delivery-stream-name aws-waf-logs-web-acl-logging \
  --delivery-stream-type DirectPut \
  --extended-s3-destination-configuration '{"RoleARN":"arn:aws:iam::123456789012:role/service-role/KinesisFirehoseServiceRole-aws-waf-logs--us-east-1-1612184128082", "BucketARN": "arn:aws:s3:::cc-eb-environment-logs-bucket"}'

02 The command output should return the ARN of the newly created delivery stream:

{
  "DeliveryStreamARN": "arn:aws:firehose:us-east-1:123456789012:deliverystream/aws-waf-logs-web-acl-logging"
}

03 Run the put-logging-configuration command (OSX/Linux/UNIX) to enable logging for the specified Amazon WAF Web Access Control List (Web ACL) using the Kinesis Data Firehose delivery stream created in the previous steps:

aws wafv2 put-logging-configuration \
  --region us-east-1 \
  --logging-configuration ResourceArn=arn:aws:wafv2:us-east-1:123456789012:regional/webacl/cc-malicious-viewers-web-acl/abcdabcd-1234-abcd-1234-abcd1234abcd,LogDestinationConfigs=arn:aws:firehose:us-east-1:123456789012:deliverystream/aws-waf-logs-web-acl-logging

04 The command output should return the logging configuration for the modified Web ACL:

{
  "LoggingConfiguration": {
    "ResourceArn": "arn:aws:wafv2:us-east-1:123456789012:regional/webacl/cc-malicious-viewers-web-acl/abcdabcd-1234-abcd-1234-abcd1234abcd",
    "LogDestinationConfigs": [
      "arn:aws:firehose:us-east-1:123456789012:deliverystream/aws-waf-logs-web-acl-logging"
    ],
    "ManagedByFirewallManager": false
  }
}
```

05 Repeat steps no. 3 and 4 for each Web ACL available within your AWS cloud account.
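The CLI remediation above (create an "aws-waf-logs-" delivery stream, then attach it with put-logging-configuration) can be wrapped so it is safe to re-run. The script below is an added example, not the Conformity page's own code; the function names waf_log_stream_name_ok, ensure_waf_log_stream and enable_waf_logging, the WAF_POLL_SECONDS and WAF_LOGGING_APPLY variables, and the choice to redact the Authorization header via the RedactedFields setting the console calls "Redacted fields" are this example's own assumptions. It assumes AWS CLI v2 with permissions for firehose:DescribeDeliveryStream, firehose:CreateDeliveryStream and wafv2:PutLoggingConfiguration, and an existing IAM role that Firehose can assume to write to the target bucket. It enforces the name prefix before calling any API, skips creation when the stream already exists, and waits for the stream to become ACTIVE, since delivery stream creation is asynchronous.

```shell
#!/bin/sh
# Remediation helper for AWS WAF (wafv2) logging. Added example, not the
# page's own code; assumes AWS CLI v2, Firehose and WAF permissions as
# described in the lead-in, and an IAM role Firehose can assume for S3.
set -eu
WAF_POLL_SECONDS="${WAF_POLL_SECONDS:-10}"

# AWS WAF only accepts Kinesis Data Firehose delivery streams whose name
# starts with "aws-waf-logs-"; check that before touching any API.
waf_log_stream_name_ok() {
  case "$1" in
    aws-waf-logs-*) return 0 ;;
    *) return 1 ;;
  esac
}

# Create the delivery stream if it does not exist, wait until it is ACTIVE
# (creation is asynchronous) and print its ARN.
# $1 = stream name, $2 = region, $3 = Firehose role ARN, $4 = S3 bucket ARN
ensure_waf_log_stream() {
  name="$1"; region="$2"; role_arn="$3"; bucket_arn="$4"
  if ! waf_log_stream_name_ok "$name"; then
    echo "delivery stream name must start with aws-waf-logs-: $name" >&2
    return 1
  fi
  if ! aws firehose describe-delivery-stream --region "$region" \
         --delivery-stream-name "$name" >/dev/null 2>&1; then
    aws firehose create-delivery-stream --region "$region" \
      --delivery-stream-name "$name" --delivery-stream-type DirectPut \
      --extended-s3-destination-configuration \
      "{\"RoleARN\":\"$role_arn\",\"BucketARN\":\"$bucket_arn\"}" >/dev/null
  fi
  i=0
  status=""
  while [ "$i" -lt 30 ]; do
    status=$(aws firehose describe-delivery-stream --region "$region" \
               --delivery-stream-name "$name" \
               --query 'DeliveryStreamDescription.DeliveryStreamStatus' \
               --output text)
    [ "$status" = "ACTIVE" ] && break
    i=$((i + 1))
    sleep "$WAF_POLL_SECONDS"
  done
  if [ "$status" != "ACTIVE" ]; then
    echo "delivery stream $name is $status, not ACTIVE" >&2
    return 1
  fi
  aws firehose describe-delivery-stream --region "$region" \
    --delivery-stream-name "$name" \
    --query 'DeliveryStreamDescription.DeliveryStreamARN' --output text
}

# Attach the delivery stream to the Web ACL and print the configured log
# destination. Redacting the Authorization header (an assumption about which
# request fields are sensitive) keeps bearer tokens and basic-auth
# credentials out of the log bucket; adjust RedactedFields to your own app.
# $1 = Web ACL ARN, $2 = delivery stream ARN, $3 = region
enable_waf_logging() {
  acl_arn="$1"; stream_arn="$2"; region="$3"
  config="{\"ResourceArn\":\"$acl_arn\",\"LogDestinationConfigs\":[\"$stream_arn\"],\"RedactedFields\":[{\"SingleHeader\":{\"Name\":\"authorization\"}}]}"
  aws wafv2 put-logging-configuration --region "$region" \
    --logging-configuration "$config" \
    --query 'LoggingConfiguration.LogDestinationConfigs[0]' --output text
}

# Usage: WAF_LOGGING_APPLY=1 sh enable-waf-logging.sh <web-acl-arn> <role-arn> <bucket-arn> [region]
if [ "${WAF_LOGGING_APPLY:-}" = "1" ]; then
  region="${4:-us-east-1}"
  stream_arn=$(ensure_waf_log_stream aws-waf-logs-web-acl-logging "$region" "$2" "$3")
  enable_waf_logging "$1" "$stream_arn" "$region"
fi
```

Because both steps are idempotent, the script can be run from the same loop that iterates over every Web ACL ARN returned by list-web-acls, reusing one delivery stream per region for all ACLs in that region.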


Publication date Feb 6, 2021