How do I configure AWS WAF comprehensive logging to store logs in Amazon S3?

Last updated: 2019-11-19

I've set up AWS WAF, and now I need to configure comprehensive logging to store logs in Amazon Simple Storage Service (Amazon S3). How can I do this?

Short Description

You can enable comprehensive logging on a web access control list (web ACL) using an Amazon Kinesis Data Firehose stream destined to an Amazon S3 bucket in the same Region. To do so, you must use three AWS services:

  • AWS WAF to create the logs
  • Kinesis Data Firehose to receive the logs
  • Amazon S3 to store the logs

Note: AWS WAF, Kinesis Data Firehose, and Amazon S3 must be running in the same Region.

Resolution

Create a Kinesis Data Firehose

  1. Open the Kinesis console.
  2. In the navigation bar, choose the Region where your web ACL is stored.
  3. In the navigation pane, choose Data Firehose.
  4. Choose Create Delivery Stream.
  5. For Delivery stream name, enter a name for your delivery stream. The name must start with aws-waf-logs- and end with the suffix of your choice. For example, aws-waf-logs-demo.
  6. For Source, keep the default Direct PUT or other sources selected. Then, choose Next.
  7. Keep the default options for the following settings:
    Record transformation (Disabled)
    Record format conversion (Disabled)
  8. Choose Next.
  9. For Destination, choose Amazon S3.
  10. In the S3 destination section, choose Create new.
  11. For S3 bucket name, enter a name. For uniformity, you can use the same name that you used for the delivery stream you created in step 4.
  12. Choose the Region where the AWS WAF logs will be stored.
  13. Choose Create S3 bucket.
  14. (Optional) Configure an S3 prefix and an Error prefix.
    Note: Custom prefixes are helpful when your bucket is shared with other logs.
  15. Choose Next.
  16. You can keep the default options for the following settings:
    Buffer size (5)
    Buffer interval (300)
    S3 compression (Disabled)
    S3 encryption (Disabled)
  17. (Optional) Configure tags, if needed.
  18. For IAM role, choose Create new or choose.
  19. For Role Name, enter a descriptive name. For example, firehose_to_s3-waflogs-demo.
  20. Choose Allow, and then choose Next.
  21. Review the configuration, and then choose Create delivery stream.

Associate AWS WAF with the Kinesis Data Firehose

  1. Open the AWS WAF console.
  2. In the navigation pane, choose Web ACLs.
  3. For Filter, choose the Region where your web ACL was created.
  4. Choose the relevant web ACL from the resulting list, and then choose Logging.
  5. Choose Enable Logging.
  6. For Amazon Kinesis Data Firehose, choose the delivery stream that you created above.
  7. (Optional) Configure any fields that should be redacted from the logs.
  8. Choose Create. All AWS WAF logs are stored in the Amazon S3 bucket for analysis.

Note: One AWS WAF log is equivalent to one Kinesis Data Firehose record. If you typically receive 10,000 requests per second, set a 10,000 record per second limit in Kinesis Data Firehose to enable full logging. Otherwise, AWS WAF doesn't record all logs. For more information, see Amazon Kinesis Data Firehose Limits.