How do I send AWS WAF logs to an Amazon S3 bucket in a centralized logging account?

Last updated: 2022-06-28

How do I send AWS WAF logs to an Amazon Simple Storage Service (Amazon S3) bucket in a different account or AWS Region?

Short description

To send AWS WAF logs to an Amazon S3 bucket in a centralized logging account, do the following:

  1. Create an S3 bucket in the centralized logging account that has a bucket name starting with aws-waf-logs- in your selected AWS Region.
  2. Create and add a bucket policy to the S3 bucket that allows delivery of logs from the source accounts.
  3. Use the AWS CLI command put-logging-configuration to configure your web access control lists (web ACLs) to send the logs to the S3 bucket in the centralized logging account.

Resolution

Create an S3 bucket in the centralized logging account in your selected Region

  1. Create an S3 bucket in the centralized logging account for your selected AWS Region.
  2. Enter a bucket name starting with the prefix aws-waf-logs-.
    For example: aws-waf-logs-example-bucket

Create and add a bucket policy to the S3 bucket

Add the following S3 bucket policy to your S3 bucket:

Important:

  • Replace the account IDs in aws:SourceAccount with the list of account IDs of your source accounts that will be sending logs to this bucket.
  • Replace the ARNs in aws:SourceArn with the list of ARNs of source resources that will be publishing logs to this bucket, in the format of arn:aws:logs:*:source-account-id:*.
  • Replace the S3 bucket name aws-waf-logs-example-bucket in Resource with the name of your S3 bucket.

{
  "Version": "2012-10-17",
  "Id": "AWSLogDeliveryWrite20150319",
  "Statement": [
    {
      "Sid": "AWSLogDeliveryWrite",
      "Effect": "Allow",
      "Principal": {
        "Service": "delivery.logs.amazonaws.com"
      },
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::aws-waf-logs-example-bucket/AWSLogs/*",
      "Condition": {
        "StringEquals": {
          "s3:x-amz-acl": "bucket-owner-full-control",
          "aws:SourceAccount": [
            "111111111111",
            "222222222222"
          ]
        },
        "ArnLike": {
          "aws:SourceArn": [
            "arn:aws:logs:*:111111111111:*",
            "arn:aws:logs:*:222222222222:*"
          ]
        }
      }
    },
    {
      "Sid": "AWSLogDeliveryAclCheck",
      "Effect": "Allow",
      "Principal": {
        "Service": "delivery.logs.amazonaws.com"
      },
      "Action": "s3:GetBucketAcl",
      "Resource": "arn:aws:s3:::aws-waf-logs-example-bucket",
      "Condition": {
        "StringEquals": {
          "aws:SourceAccount": [
            "111111111111",
            "222222222222"
          ]
        },
        "ArnLike": {
          "aws:SourceArn": [
            "arn:aws:logs:*:111111111111:*",
            "arn:aws:logs:*:222222222222:*"
          ]
        }
      }
    }
  ]
}

Configure your web ACLs to send the logs to the desired S3 bucket

You must configure your web ACL for sending the AWS WAF logs to the centralized logging account's S3 bucket. To configure your web ACL, run the following AWS CLI command from the account that owns the web ACL:

Important:

  • Replace the ResourceArn value with your web ACL's ARN.
  • Replace the LogDestinationConfigs value with the ARN of the S3 bucket in your centralized logging account.
  • Replace region with the AWS Region where your web ACL is located.

aws wafv2 put-logging-configuration --logging-configuration ResourceArn=arn:aws:wafv2:eu-west-1:111111111111:regional/webacl/testing/b4a768c9-4895-4f35-9354-3049ab8acc29,LogDestinationConfigs=arn:aws:s3:::aws-waf-logs-example-bucket --region eu-west-1

Note: For web ACLs in the CloudFront (Global) Region, use us-east-1 as the AWS Region in the preceding command.

Repeat the preceding put-logging-configuration command for each of your web ACLs.
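The three steps above (a bucket whose name starts with aws-waf-logs-, a scoped bucket policy, and one put-logging-configuration call per web ACL) are easy to get subtly wrong when you have many source accounts: a policy that omits the aws:SourceAccount or aws:SourceArn conditions lets the log-delivery service write into your bucket on behalf of any AWS account, not just yours. The following script is an added example, not code from the AWS article: it renders the policy shown above for a list of source accounts, audits an existing policy for those missing conditions, and builds the put-logging-configuration arguments for each web ACL, taking the Region from the web ACL ARN (CloudFront web ACLs carry us-east-1 in their ARN). The bucket name, account IDs and web ACL ARN in the `__main__` block are constructed sample values.

```python
"""Render, audit and apply the centralized AWS WAF log bucket setup (added example)."""
import json
import re
import shlex

LOG_DELIVERY_SERVICE = "delivery.logs.amazonaws.com"
BUCKET_PREFIX = "aws-waf-logs-"  # AWS WAF only delivers to buckets with this prefix
ACCOUNT_ID_RE = re.compile(r"\d{12}")
# arn:aws:wafv2:<region>:<account>:<regional|global>/webacl/<name>/<id>
WEB_ACL_ARN_RE = re.compile(
    r"arn:aws:wafv2:([a-z0-9-]+):(\d{12}):(regional|global)/webacl/[^/]+/[0-9a-f-]+"
)


def validate_bucket_name(bucket: str) -> str:
    """Reject names AWS WAF would refuse as a log destination."""
    if not bucket.startswith(BUCKET_PREFIX):
        raise ValueError(f"bucket name must start with {BUCKET_PREFIX!r}: {bucket}")
    return bucket


def build_bucket_policy(bucket: str, source_accounts) -> dict:
    """Policy from the article, with the source accounts and ARNs filled in."""
    validate_bucket_name(bucket)
    accounts = sorted(set(source_accounts))
    bad = [a for a in accounts if not ACCOUNT_ID_RE.fullmatch(a)]
    if bad or not accounts:
        raise ValueError(f"invalid source account IDs: {bad or source_accounts}")
    source_arns = [f"arn:aws:logs:*:{acct}:*" for acct in accounts]
    principal = {"Service": LOG_DELIVERY_SERVICE}
    return {
        "Version": "2012-10-17",
        "Id": "AWSLogDeliveryWrite20150319",
        "Statement": [
            {
                "Sid": "AWSLogDeliveryWrite",
                "Effect": "Allow",
                "Principal": principal,
                "Action": "s3:PutObject",
                "Resource": f"arn:aws:s3:::{bucket}/AWSLogs/*",
                "Condition": {
                    "StringEquals": {
                        "s3:x-amz-acl": "bucket-owner-full-control",
                        "aws:SourceAccount": accounts,
                    },
                    "ArnLike": {"aws:SourceArn": source_arns},
                },
            },
            {
                "Sid": "AWSLogDeliveryAclCheck",
                "Effect": "Allow",
                "Principal": principal,
                "Action": "s3:GetBucketAcl",
                "Resource": f"arn:aws:s3:::{bucket}",
                "Condition": {
                    "StringEquals": {"aws:SourceAccount": accounts},
                    "ArnLike": {"aws:SourceArn": source_arns},
                },
            },
        ],
    }


def audit_bucket_policy(policy: dict, bucket: str, source_accounts) -> list:
    """Findings for log-delivery grants that are not scoped to the expected accounts."""
    findings, expected = [], sorted(set(source_accounts))
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or stmt.get("Principal", {}).get("Service") != LOG_DELIVERY_SERVICE:
            continue  # only statements granted to the log-delivery service matter here
        sid, cond = stmt.get("Sid", "<no Sid>"), stmt.get("Condition", {})
        got = cond.get("StringEquals", {}).get("aws:SourceAccount")
        if got is None:
            findings.append(f"{sid}: no aws:SourceAccount condition; any account may deliver logs")
        elif sorted(got if isinstance(got, list) else [got]) != expected:
            findings.append(f"{sid}: aws:SourceAccount {got} does not match {expected}")
        if "aws:SourceArn" not in cond.get("ArnLike", {}):
            findings.append(f"{sid}: no aws:SourceArn condition")
        if stmt.get("Action") == "s3:PutObject" and not str(stmt.get("Resource", "")).startswith(
            f"arn:aws:s3:::{bucket}/AWSLogs/"
        ):
            findings.append(f"{sid}: s3:PutObject not limited to the AWSLogs/ prefix")
    return findings


def logging_configuration_cli(web_acl_arn: str, bucket: str) -> list:
    """argv for put-logging-configuration; --region comes from the web ACL ARN."""
    m = WEB_ACL_ARN_RE.fullmatch(web_acl_arn)
    if not m:
        raise ValueError(f"not a WAFv2 web ACL ARN: {web_acl_arn}")
    validate_bucket_name(bucket)
    return ["aws", "wafv2", "put-logging-configuration", "--logging-configuration",
            f"ResourceArn={web_acl_arn},LogDestinationConfigs=arn:aws:s3:::{bucket}",
            "--region", m.group(1)]


if __name__ == "__main__":
    # Constructed sample values; substitute your own bucket, accounts and web ACL ARNs.
    bucket, accounts = "aws-waf-logs-example-bucket", ["111111111111", "222222222222"]
    policy = build_bucket_policy(bucket, accounts)
    print(json.dumps(policy, indent=2))  # save as policy.json, then: aws s3api put-bucket-policy
    print("aws s3api put-bucket-policy --bucket", bucket, "--policy file://policy.json")
    print("audit findings:", audit_bucket_policy(policy, bucket, accounts))
    acl = "arn:aws:wafv2:eu-west-1:111111111111:regional/webacl/testing/b4a768c9-4895-4f35-9354-3049ab8acc29"
    print(shlex.join(logging_configuration_cli(acl, bucket)))
```

Run it once per environment: apply the printed bucket policy in the logging account with `aws s3api put-bucket-policy`, then run the printed put-logging-configuration line from each account that owns a web ACL. The audit function is also useful on its own against `aws s3api get-bucket-policy` output to confirm an existing bucket still carries both scoping conditions.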


Amazon Simple Storage Service logging destinations
