AWS WAF Monitoring
Updated Aug 31, 2023
Configure AWS WAF Log Monitoring using Amazon Simple Storage Service (S3)
Amazon Web Services® (AWS) Web Application Firewall (WAF) logs contain detailed information about the traffic that your web access control list (ACL) analyzes. Each log record includes the web request timestamp, source, destination, and the action taken by the matching rule. Arctic Wolf analyzes the web ACL log records whose action is Block, so that analysis is prioritized on high-risk web requests.
Notes:
- By default, Arctic Wolf does not alert on AWS WAF events until you indicate that you are ready to receive alerts. Therefore, you can make frequent changes to tune your WAF rules without receiving alerts. Once you have configured a stable ruleset, contact your Concierge Security® Team (CST) to enable alerts.
- If you would like to use, or are currently using, Amazon Kinesis Data Firehose or Amazon Cloudwatch as the WAF log destination, contact your CST for further instruction.
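To make concrete what the WAF log records described above contain and how the Block records are picked out of them, here is an added example (not Arctic Wolf's analysis code and not part of the original page). The log lines are constructed to follow the field names of the AWS WAF log format; every value in them, including the web ACL ARN, load balancer ID and IP addresses, is made up.

```python
"""Triage AWS WAF log records: keep the requests the web ACL blocked and
summarize them by client IP and terminating rule.

Added example, not Arctic Wolf's analysis code. The records below are
constructed to follow the field names of the AWS WAF log format; every
value in them is made up.
"""
import json
from collections import Counter
from datetime import datetime, timezone


def _record(ts_ms, action, rule_id, rule_type, client_ip, uri, method="GET"):
    """Build one constructed WAF log record (only the fields used here)."""
    return json.dumps({
        "timestamp": ts_ms,                      # epoch milliseconds
        "formatVersion": 1,
        "webaclId": "arn:aws:wafv2:us-east-1:123456789012:regional/webacl/"
                    "prod-acl/a1b2c3d4-0000-1111-2222-333344445555",
        "terminatingRuleId": rule_id,
        "terminatingRuleType": rule_type,
        "action": action,
        "httpSourceName": "ALB",
        "httpSourceId": "123456789012-app/prod-alb/abcdef0123456789",
        "httpRequest": {
            "clientIp": client_ip,
            "country": "US",
            "headers": [{"name": "Host", "value": "www.example.com"}],
            "uri": uri,
            "args": "",
            "httpVersion": "HTTP/1.1",
            "httpMethod": method,
            "requestId": "req-" + str(ts_ms),
        },
    })


# Constructed sample log lines, one JSON record per line as WAF writes them.
SAMPLE_LOG_LINES = [
    _record(1693440000000, "BLOCK", "AWS-AWSManagedRulesSQLiRuleSet",
            "MANAGED_RULE_GROUP", "203.0.113.7", "/login"),
    _record(1693440001000, "ALLOW", "Default_Action", "REGULAR",
            "198.51.100.22", "/"),
    _record(1693440002000, "BLOCK", "AWS-AWSManagedRulesSQLiRuleSet",
            "MANAGED_RULE_GROUP", "203.0.113.7", "/search"),
    _record(1693440003000, "BLOCK", "rate-limit-login", "RATE_BASED",
            "198.51.100.22", "/login", "POST"),
    "not json at all",  # a truncated or corrupt line must not abort the run
]


def parse_records(lines):
    """Parse JSON log lines, skipping ones that are not valid WAF records."""
    records = []
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(rec, dict) and "action" in rec and "httpRequest" in rec:
            records.append(rec)
    return records


def to_iso(ts_ms):
    """WAF timestamps are epoch milliseconds; render them as UTC ISO 8601."""
    return datetime.fromtimestamp(ts_ms / 1000, tz=timezone.utc).isoformat()


def blocked_requests(records):
    """Records whose terminating action was BLOCK, flattened to the
    timestamp / source / destination / rule fields an analyst looks at."""
    out = []
    for rec in records:
        if rec.get("action") != "BLOCK":
            continue
        req = rec["httpRequest"]
        out.append({
            "time": to_iso(rec["timestamp"]),
            "source": req.get("clientIp"),
            "destination": rec.get("httpSourceId"),
            "method": req.get("httpMethod"),
            "uri": req.get("uri"),
            "rule": rec.get("terminatingRuleId"),
            "rule_type": rec.get("terminatingRuleType"),
        })
    return out


def summarize_blocks(records):
    """Count blocked requests per (client IP, terminating rule)."""
    return Counter((b["source"], b["rule"]) for b in blocked_requests(records))


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG_LINES)
    for b in blocked_requests(recs):
        print(b)
    for (ip, rule), n in summarize_blocks(recs).most_common():
        print(f"{n:3d}  {ip:15s}  {rule}")
```

Records with action ALLOW or COUNT are kept by parse_records but dropped by blocked_requests, which is the same prioritization the page describes: a single blocked request is rarely interesting, but the same source IP tripping the same rule repeatedly, or a rate-based rule firing on a login path, is what the summary surfaces.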
Requirements
- An AWS WAF subscription
- An active web ACL
Before you begin
Complete these procedures:
- Choose an existing S3 bucket as the destination of your logs, or create a new one following the steps in the AWS documentation for Create a bucket using the S3 console.
  Notes:
  - The name of your bucket must start with aws-waf-logs-.
  - Web Access Control Lists (ACLs) are region-specific, but you can send logs to an S3 bucket outside the region of your web ACL.
  - If you want Arctic Wolf to monitor AWS WAF in multiple regions, we recommend that you send all web ACL logs to a single Simple Storage Service (S3) bucket. To simplify this configuration, choose an S3 bucket that already stores logs from other AWS services, such as CloudTrail or GuardDuty.
Steps
1. Sign in to the AWS Management Console.
2. Open the Amazon S3 Console.
3. In the navigation menu, click Buckets.
4. Navigate to the S3 bucket that will be used as the destination of your WAF logs.
5. Follow Permissions to publish logs to Amazon S3 in the AWS documentation to add the bucket policy that allows AWS WAF to deliver logs to the bucket.
6. To begin logging, follow the steps in To enable logging for a web ACL in the AWS documentation.
Tip: See Logging and monitoring web ACL traffic and AWS WAF logging destinations in the AWS documentation for more information on web ACL logging.
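The bucket policy from step 5 and the logging configuration from step 6 can be produced from code rather than edited by hand in the console, which makes the bucket name, account and region constraints checkable before anything is applied. The block below is an added example, not code from the page or from Arctic Wolf and not a verbatim copy of the AWS documentation. The bucket name, account ID, region and web ACL ARN are placeholders; the policy follows the shape AWS documents under "Permissions to publish logs to Amazon S3" (two statements for the log delivery service, scoped with aws:SourceAccount and aws:SourceArn), and should be compared with the current AWS documentation before use. Nothing here calls AWS; the generated JSON is handed to the AWS CLI.

```python
"""Generate the two JSON documents needed to send AWS WAF (wafv2) web ACL
logs to an S3 bucket: the bucket policy for the AWS log delivery service
and the web ACL logging configuration.

Added example, not code from the page or from Arctic Wolf. Bucket,
account, region and web ACL values are placeholders. The policy follows
the shape AWS documents for WAF log delivery to S3; verify it against the
current AWS documentation before applying it.
"""
import json
import re

BUCKET_PREFIX = "aws-waf-logs-"  # AWS WAF requires this prefix on S3 log buckets
LOG_DELIVERY_SERVICE = "delivery.logs.amazonaws.com"

ACCOUNT_RE = re.compile(r"^\d{12}$")
REGION_RE = re.compile(r"^[a-z]{2}(-gov)?-[a-z]+-\d$")
# S3 naming: 3-63 chars of lowercase letters, digits, dots and hyphens,
# starting and ending with a letter or digit.
BUCKET_RE = re.compile(r"^[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]$")
WEBACL_ARN_RE = re.compile(
    r"^arn:aws:wafv2:[a-z0-9-]+:\d{12}:(regional|global)/webacl/[^/]+/[0-9a-f-]+$"
)


def validate_waf_log_bucket_name(name: str) -> bool:
    """True if the name satisfies S3 naming rules and the WAF prefix rule."""
    return name.startswith(BUCKET_PREFIX) and BUCKET_RE.fullmatch(name) is not None


def _check(cond: bool, msg: str) -> None:
    if not cond:
        raise ValueError(msg)


def build_delivery_bucket_policy(bucket: str, account_id: str, region: str) -> dict:
    """Bucket policy letting the log delivery service write WAF logs.

    Both statements carry aws:SourceAccount and aws:SourceArn conditions so
    that only deliveries originating from this account and region can use
    the permission (confused-deputy protection)."""
    _check(validate_waf_log_bucket_name(bucket), f"invalid WAF log bucket name: {bucket}")
    _check(ACCOUNT_RE.fullmatch(account_id) is not None, "account id must be 12 digits")
    _check(REGION_RE.fullmatch(region) is not None, f"unexpected region format: {region}")
    source_arn = {"ArnLike": {"aws:SourceArn": [f"arn:aws:logs:{region}:{account_id}:*"]}}
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AWSLogDeliveryWrite",
                "Effect": "Allow",
                "Principal": {"Service": LOG_DELIVERY_SERVICE},
                "Action": "s3:PutObject",
                "Resource": f"arn:aws:s3:::{bucket}/AWSLogs/{account_id}/*",
                "Condition": {
                    "StringEquals": {
                        "s3:x-amz-acl": "bucket-owner-full-control",
                        "aws:SourceAccount": [account_id],
                    },
                    **source_arn,
                },
            },
            {
                "Sid": "AWSLogDeliveryAclCheck",
                "Effect": "Allow",
                "Principal": {"Service": LOG_DELIVERY_SERVICE},
                "Action": "s3:GetBucketAcl",
                "Resource": f"arn:aws:s3:::{bucket}",
                "Condition": {"StringEquals": {"aws:SourceAccount": [account_id]}, **source_arn},
            },
        ],
    }


def build_logging_configuration(web_acl_arn: str, bucket: str,
                                redact_headers=("authorization", "cookie")) -> dict:
    """LoggingConfiguration for `aws wafv2 put-logging-configuration`.

    WAF logs carry request headers; redacting credential-bearing headers
    keeps secrets out of the bucket and out of whatever reads it."""
    _check(WEBACL_ARN_RE.fullmatch(web_acl_arn) is not None, f"not a wafv2 web ACL ARN: {web_acl_arn}")
    _check(validate_waf_log_bucket_name(bucket), f"invalid WAF log bucket name: {bucket}")
    config = {"ResourceArn": web_acl_arn, "LogDestinationConfigs": [f"arn:aws:s3:::{bucket}"]}
    if redact_headers:
        config["RedactedFields"] = [{"SingleHeader": {"Name": h}} for h in redact_headers]
    return config


def arctic_wolf_prefix_path(account_id: str) -> str:
    """prefixPath value used when registering the bucket with Arctic Wolf."""
    _check(ACCOUNT_RE.fullmatch(account_id) is not None, "account id must be 12 digits")
    return f"AWN/WAF/{account_id}/"


if __name__ == "__main__":
    # Placeholder values; replace with your own.
    bucket, account, region = "aws-waf-logs-example-123", "123456789012", "us-east-1"
    web_acl = (f"arn:aws:wafv2:{region}:{account}:regional/webacl/prod-acl/"
               "a1b2c3d4-0000-1111-2222-333344445555")
    with open("bucket-policy.json", "w") as f:
        json.dump(build_delivery_bucket_policy(bucket, account, region), f, indent=2)
    with open("logging-config.json", "w") as f:
        json.dump(build_logging_configuration(web_acl, bucket), f, indent=2)
    print("prefixPath for Arctic Wolf:", arctic_wolf_prefix_path(account))
    # Apply with:
    #   aws s3api put-bucket-policy --bucket aws-waf-logs-example-123 --policy file://bucket-policy.json
    #   aws wafv2 put-logging-configuration --logging-configuration file://logging-config.json --region us-east-1
```

A web ACL attached to a CloudFront distribution has a global scope ARN and its logging configuration is applied in us-east-1; regional web ACLs (ALB, API Gateway, AppSync) are applied in their own region. The RedactedFields default keeps Authorization and Cookie values out of the delivered logs; drop or extend that tuple to match what your rules actually need to inspect.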
Next Steps
Using the field values below, follow the steps in Configure AWS S3 Bucket Log Monitoring to forward the WAF logs from your chosen S3 bucket to Arctic Wolf:
- bucketName — The S3 bucket where the logs are delivered.
- prefixPath — AWN/WAF/<12-digit-AWS-Account-ID>/, where <12-digit-AWS-Account-ID> is your 12-digit AWS account ID.