AWS WAF Monitoring

Updated Aug 31, 2023

Configure AWS WAF Log Monitoring using Amazon Simple Storage Service (S3)

Configure AWS WAF Log Monitoring using Amazon Simple Storage Service (S3)

Amazon Web Services® (AWS) Web Application Firewall (WAF) logs contain detailed information about the traffic that your web access control list (ACL) analyzes. This information includes the web request timestamp, source, destination, and the action for the matching rule. Arctic Wolf analyzes web ACL logs that result in Block requests to prioritize analyses for high risk web requests.

Notes:

By default, Arctic Wolf does not alert on AWS WAF events until you indicate that you are ready to receive alerts. Therefore, you can make frequent changes to tune your WAF rules without receiving alerts. Once you have configured a stable ruleset, contact your Concierge Security® Team (CST) to enable alerts.
If you would like to use, or are currently using, Amazon Kinesis Data Firehose or Amazon Cloudwatch as the WAF log destination, contact your CST for further instruction.

Requirements

An AWS WAF subscription
An active web ACL

Before you begin

Complete these procedures:
- Provide AWS Credentials to Arctic Wolf
- Configure AWS CloudTrail Event Monitoring
Choose an existing S3 bucket as the destination of your logs, or create a new one following the steps in the AWS documentation for Create a bucket using the S3 console.
Notes:
- The name of your bucket must start with aws-waf-logs-.
- Web Access Control Lists (ACLs) are region-specific, but you can send logs to an S3 bucket outside of what is listed in your web ACL.
- If you want Arctic Wolf to monitor AWS WAF in multiple regions, we recommend that you send all web ACL logs to a single Simple Storage Service (S3) bucket. To simplify this configuration, choose an S3 bucket that already stores log from other AWS services, such as CloudTrail or GuardDuty.

Steps

Sign in to the AWS Management Console.
Open the Amazon S3 Console.
In the navigation menu, click Buckets.
Navigate to the S3 bucket that will be used as the destination of your WAF logs.
Follow Permissions to publish logs to Amazon S3 in the AWS documentation to add the necessary permissions to publish logs to Amazon S3.
To begin logging, follow the steps To enable logging for a web ACL in the AWS documentation.

Tip: See Logging and monitoring web ACL traffic and AWS WAF logging destinations in the AWS documentation for more information on web ACL logging.

Next Steps

Using the field values below, follow the steps in Configure AWS S3 Bucket Log Monitoring to forward the WAF logs from your chosen S3 bucket to Arctic Wolf:

bucketName — The S3 bucket where the logs are delivered.
prefixPath — AWN/WAF/<12-digit-AWS-Account-ID>/, where <12-digit-AWS-Account-ID> is your 12-digit AWS account ID number.