AWS WAF Monitoring

Updated Aug 31, 2023

Configure AWS WAF Log Monitoring using Amazon Simple Storage Service (S3)

Amazon Web Services® (AWS) Web Application Firewall (WAF) logs contain detailed information about the traffic that your web access control list (ACL) analyzes. This information includes the web request timestamp, source, destination, and the action for the matching rule. Arctic Wolf analyzes the web ACL log entries for requests that resulted in a Block action, which prioritizes analysis of high-risk web requests.

Notes:

  • By default, Arctic Wolf does not alert on AWS WAF events until you indicate that you are ready to receive alerts. Therefore, you can make frequent changes to tune your WAF rules without receiving alerts. Once you have configured a stable ruleset, contact your Concierge Security® Team (CST) to enable alerts.
  • If you would like to use, or are currently using, Amazon Kinesis Data Firehose or Amazon CloudWatch as the WAF log destination, contact your CST for further instructions.
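While tuning a ruleset before alerts are enabled, it helps to see which rules and sources account for the Block actions described above. The following is an added example, not Arctic Wolf or AWS code; it assumes the log records are already available as text lines, and the sample records, rule names and IP addresses are constructed placeholders.

```python
import json
from collections import Counter
from datetime import datetime, timezone

# Constructed sample records (not real traffic). Field names follow the AWS WAF
# log format; the rule names and IP addresses are placeholders.
def _sample(ts, rule, action, ip, uri):
    return json.dumps({"timestamp": ts, "terminatingRuleId": rule, "action": action,
                       "httpRequest": {"clientIp": ip, "httpMethod": "GET", "uri": uri}})

SAMPLE_LOG = [
    _sample(1693468800000, "Default_Action", "ALLOW", "198.51.100.7", "/"),
    _sample(1693468801000, "example-sqli-rule", "BLOCK", "203.0.113.10", "/search"),
    _sample(1693468802000, "example-sqli-rule", "BLOCK", "203.0.113.10", "/login"),
    _sample(1693468803000, "example-rate-limit", "BLOCK", "192.0.2.44", "/api/items"),
    '{"timestamp": 1693468804000, "action": "BLO',  # truncated line, must be skipped
]

def blocked_requests(lines):
    """Yield a flat dict for every record whose terminating action is BLOCK."""
    for raw in lines:
        try:
            rec = json.loads(raw)
        except json.JSONDecodeError:
            continue  # skip blank, partial or corrupted lines
        if not isinstance(rec, dict) or rec.get("action") != "BLOCK":
            continue
        req = rec.get("httpRequest") or {}
        ts = rec.get("timestamp")  # epoch milliseconds
        yield {
            "time": datetime.fromtimestamp(ts / 1000, tz=timezone.utc).isoformat() if ts else None,
            "rule": rec.get("terminatingRuleId", "unknown"),
            "client_ip": req.get("clientIp"),
            "method": req.get("httpMethod"),
            "uri": req.get("uri"),
        }

def summarize(lines):
    """Count BLOCK events per terminating rule and per client IP."""
    by_rule, by_ip = Counter(), Counter()
    for event in blocked_requests(lines):
        by_rule[event["rule"]] += 1
        by_ip[event["client_ip"]] += 1
    return by_rule, by_ip

if __name__ == "__main__":
    rules, ips = summarize(SAMPLE_LOG)
    for name, count in rules.most_common():
        print(f"{count:4d}  {name}")
    print("top sources:", ips.most_common(3))
```

A rule that dominates the Block counts for legitimate-looking URIs is a candidate for tuning before you ask your CST to enable alerts.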

Requirements

Before you begin

Steps

  1. Sign in to the AWS Management Console.

  2. Open the Amazon S3 Console.

  3. In the navigation menu, click Buckets.

  4. Navigate to the S3 bucket that will be used as the destination of your WAF logs.

  5. Follow "Permissions to publish logs to Amazon S3" in the AWS documentation to add the permissions that are required to publish logs to the bucket.

  6. To begin logging, follow the steps in "To enable logging for a web ACL" in the AWS documentation.

    Tip: See "Logging and monitoring web ACL traffic" and "AWS WAF logging destinations" in the AWS documentation for more information on web ACL logging.

Next Steps

Using the field values below, follow the steps in Configure AWS S3 Bucket Log Monitoring to forward the WAF logs from your chosen S3 bucket to Arctic Wolf: