How do I turn on AWS WAF logging and send logs to CloudWatch, Amazon S3, or Kinesis Data Firehose?

Last updated: 2022-07-22

I want to turn on logging for AWS WAF and send the logs to Amazon CloudWatch, Amazon Simple Storage Service (Amazon S3), or Amazon Kinesis Data Firehose. How do I turn on AWS WAF logs, and what are the required permissions?

Short description

First, choose a supported destination for your AWS WAF web ACL. AWS WAF supports the following log destinations: Amazon CloudWatch Logs, an Amazon S3 bucket, or Amazon Kinesis Data Firehose.

Be sure you have the necessary resource permissions to turn on AWS WAF logs. Then, turn on AWS WAF logs using your chosen destination.

Resolution

The following destinations are supported for storing your AWS WAF logs:

  • Amazon CloudWatch Logs
  • Amazon S3 bucket
  • Amazon Kinesis Data Firehose

Amazon CloudWatch Logs

To send the logs to a CloudWatch Logs log group, choose CloudWatch Logs log group as the destination when turning on AWS WAF logs.

Either create a new log group or use an existing log group. When turned on, AWS WAF logs are sent to log groups in log streams. You can analyze these logs using Logs Insights. For more information, see What are my options to analyze AWS WAF logs stored in CloudWatch or Amazon S3?

Consider the following when using CloudWatch Logs:

  • Log group names must start with the prefix aws-waf-logs-.
  • Log groups must be in the same AWS account and Region as your web ACL. For Global web ACLs associated with CloudFront, the log group must be in the US East (N. Virginia) Region.
  • Log groups are subject to CloudWatch Logs quotas when storing logs.
  • Log streams created in log groups have the following name format:
    Region_web-acl-name_log-stream-number

Necessary permissions

The account turning on the AWS WAF logs using a CloudWatch Logs log group must have the following permissions:

  • wafv2:PutLoggingConfiguration
  • wafv2:DeleteLoggingConfiguration
  • logs:CreateLogDelivery
  • logs:DeleteLogDelivery
  • logs:PutResourcePolicy
  • logs:DescribeResourcePolicies
  • logs:DescribeLogGroups

These permissions are necessary to change the web ACL logging configuration, configure log delivery, and to retrieve and edit permissions for a log group. These permissions must be attached to the user that is managing AWS WAF.

When these permissions are assigned, AWS automatically adds the following policy to the CloudWatch Logs resource-based policy. This allows the log delivery service to push logs to the CloudWatch Logs log group.
Note: The account number and Amazon Resource Name (ARN) in the following policy are specific to your account.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AWSLogDeliveryWrite20150319",
      "Effect": "Allow",
      "Principal": {
        "Service": ["delivery.logs.amazonaws.com"]
      },
      "Action": [
        "logs:CreateLogStream",
        "logs:PutLogEvents"
      ],
      "Resource": ["arn:aws:logs:us-east-1:0123456789:log-group:my-log-group:log-stream:*"],
      "Condition": {
        "StringEquals": {
          "aws:SourceAccount": ["0123456789"]
        },
        "ArnLike": {
          "aws:SourceArn": ["arn:aws:logs:us-east-1:0123456789:*"]
        }
      }
    }
  ]
}

If you don't see logs in your log group, check whether the preceding permissions are present in your log group's resource-based policy using the DescribeResourcePolicies API. You can edit the CloudWatch Logs resource-based policy using the PutResourcePolicy API.

For more information on log group permissions, see Enabling logging from certain AWS services.

Amazon S3 bucket

To send the logs to an Amazon S3 bucket, choose S3 bucket as the destination when turning on AWS WAF logs.

Web ACLs publish the log files to an S3 bucket at five-minute intervals. The maximum file size is 75 megabytes (MB). If the file size exceeds the maximum, then a new file is started. When logs are turned on, you can analyze them using Amazon Athena. For more information, see Querying AWS WAF logs.

S3 bucket names for AWS WAF logging must start with the prefix aws-waf-logs-.

Necessary permissions

The account turning on the AWS WAF logs using an S3 bucket must have the following permissions:

  • wafv2:PutLoggingConfiguration
  • wafv2:DeleteLoggingConfiguration
  • logs:CreateLogDelivery
  • logs:DeleteLogDelivery
  • s3:PutBucketPolicy
  • s3:GetBucketPolicy

These permissions are necessary to turn on AWS WAF logging and to configure log delivery for an S3 bucket. They are also needed to retrieve and edit the bucket policy to allow AWS WAF log delivery to an S3 bucket.

When these permissions are assigned, the following example policy is automatically added to the bucket policy to allow delivery of logs to the S3 bucket:
Note: The account number and Amazon Resource Name (ARN) in the following policy are specific to your account.

{
  "Version": "2012-10-17",
  "Id": "AWSLogDeliveryWrite20150319",
  "Statement": [
    {
      "Sid": "AWSLogDeliveryAclCheck",
      "Effect": "Allow",
      "Principal": {
        "Service": "delivery.logs.amazonaws.com"
      },
      "Action": "s3:GetBucketAcl",
      "Resource": "arn:aws:s3:::my-bucket",
      "Condition": {
        "StringEquals": {
          "aws:SourceAccount": [
            "0123456789"
          ]
        },
        "ArnLike": {
          "aws:SourceArn": [
            "arn:aws:logs:us-east-1:0123456789:*"
          ]
        }
      }
    },
    {
      "Sid": "AWSLogDeliveryWrite",
      "Effect": "Allow",
      "Principal": {
        "Service": "delivery.logs.amazonaws.com"
      },
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::my-bucket/AWSLogs/account-ID/*",
      "Condition": {
        "StringEquals": {
          "s3:x-amz-acl": "bucket-owner-full-control",
          "aws:SourceAccount": [
            "0123456789"
          ]
        },
        "ArnLike": {
          "aws:SourceArn": [
            "arn:aws:logs:us-east-1:0123456789:*"
          ]
        }
      }
    }
  ]
}

If you don't see the AWS WAF logs in the S3 bucket, check whether the necessary permissions are present in the bucket policy using the GetBucketPolicy API. You can edit the bucket policy using the PutBucketPolicy API.
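The two troubleshooting checks above (the log group's resource-based policy and the bucket policy) can be automated offline once the policy document has been fetched. The following Python is an added example, not code from the AWS article: it audits a policy document for an Allow statement that grants the log delivery service principal the required actions and carries the aws:SourceAccount condition for your account. The sample policy is constructed from the article's CloudWatch Logs example and its placeholder account ID 0123456789.

```python
DELIVERY_SERVICE = "delivery.logs.amazonaws.com"
# Actions the article's auto-generated policies grant, per destination type.
REQUIRED_ACTIONS = {
    "cloudwatch": {"logs:CreateLogStream", "logs:PutLogEvents"},
    "s3": {"s3:GetBucketAcl", "s3:PutObject"},
}

def _as_list(value):
    """IAM policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]

def audit_delivery_policy(policy, destination_type, account_id):
    """Return the required actions that no acceptable statement grants.
    A statement counts only if it is an Allow for the log-delivery service
    whose aws:SourceAccount condition names the expected account."""
    granted = set()
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        services = _as_list(stmt.get("Principal", {}).get("Service", []))
        if DELIVERY_SERVICE not in services:
            continue
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        if account_id not in _as_list(cond.get("aws:SourceAccount", [])):
            continue
        granted.update(_as_list(stmt.get("Action", [])))
    return REQUIRED_ACTIONS[destination_type] - granted

# Constructed sample: the CloudWatch Logs resource policy shape shown in the
# article, using its placeholder account ID 0123456789.
SAMPLE_LOGS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AWSLogDeliveryWrite20150319",
        "Effect": "Allow",
        "Principal": {"Service": ["delivery.logs.amazonaws.com"]},
        "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
        "Resource": ["arn:aws:logs:us-east-1:0123456789:log-group:my-log-group:log-stream:*"],
        "Condition": {
            "StringEquals": {"aws:SourceAccount": ["0123456789"]},
            "ArnLike": {"aws:SourceArn": ["arn:aws:logs:us-east-1:0123456789:*"]},
        },
    }],
}

if __name__ == "__main__":
    missing = audit_delivery_policy(SAMPLE_LOGS_POLICY, "cloudwatch", "0123456789")
    print("missing actions:", sorted(missing) or "none")
```

Feed it the document returned by DescribeResourcePolicies or GetBucketPolicy (parsed with json.loads) and the account that owns the web ACL; a non-empty result names exactly what the delivery service is still missing.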

To send logs to another AWS account or Region, see How do I send AWS WAF logs to an Amazon S3 bucket in a centralized logging account?

Amazon Kinesis Data Firehose

To send the AWS WAF logs to a Kinesis Data Firehose delivery stream, you must create the delivery stream first. The delivery stream can store the logs in a range of destinations.

Consider the following when using Kinesis Data Firehose:

  • The Kinesis Data Firehose name must start with the prefix aws-waf-logs-.
  • The Kinesis Data Firehose delivery stream must be in the same AWS account and Region as your web ACL. For Global web ACLs associated with CloudFront, the Kinesis Data Firehose delivery stream must be in the US East (N. Virginia) Region.
  • One AWS WAF log is equivalent to one Kinesis Data Firehose record and is subject to Amazon Kinesis Data Firehose Quotas.
    Important: If you receive more than 10,000 requests per second, your data is throttled and not all requests are logged. To prevent throttling, you must request an increase in the quota for the Kinesis Data Firehose.
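The naming and placement rules stated for all three destinations (the aws-waf-logs- prefix, same account and Region as the web ACL, and us-east-1 for Global web ACLs) can be checked before you call PutLoggingConfiguration. The following Python is an added example, not code from the AWS article: it parses a destination ARN and reports every rule it breaks. The scope values REGIONAL and CLOUDFRONT mirror the wafv2 Scope parameter; the sample ARNs are constructed and use the article's placeholder account 0123456789.

```python
CLOUDFRONT_REGION = "us-east-1"   # Global (CloudFront) web ACLs must log here
REQUIRED_PREFIX = "aws-waf-logs-"

def parse_destination(arn):
    """Split a destination ARN into (service, region, account, name)."""
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn":
        raise ValueError(f"not an ARN: {arn}")
    service, region, account, resource = parts[2], parts[3], parts[4], parts[5]
    if service == "logs":          # log-group:NAME or log-group:NAME:*
        name = resource.partition(":")[2].partition(":")[0]
    elif service == "firehose":    # deliverystream/NAME
        name = resource.partition("/")[2]
    elif service == "s3":          # bucket name; S3 ARNs carry no Region/account
        name = resource.partition("/")[0]
    else:
        raise ValueError(f"unsupported destination service: {service}")
    return service, region, account, name

def check_destination(arn, web_acl_scope, web_acl_region, web_acl_account):
    """Return the rule violations for an ARN; an empty list means it passes.
    web_acl_scope mirrors the wafv2 Scope values REGIONAL and CLOUDFRONT."""
    service, region, account, name = parse_destination(arn)
    problems = []
    if not name.startswith(REQUIRED_PREFIX):
        problems.append(f"name '{name}' must start with {REQUIRED_PREFIX}")
    # Only the prefix rule applies to S3; the article covers cross-account
    # and cross-Region buckets separately.
    if service == "s3":
        return problems
    expected = CLOUDFRONT_REGION if web_acl_scope == "CLOUDFRONT" else web_acl_region
    if region != expected:
        problems.append(f"destination is in {region}; web ACL requires {expected}")
    if account != web_acl_account:
        problems.append(f"destination account {account} differs from web ACL account {web_acl_account}")
    return problems

if __name__ == "__main__":
    # Constructed sample ARNs using the article's placeholder account 0123456789.
    for arn in [
        "arn:aws:logs:us-east-1:0123456789:log-group:aws-waf-logs-prod",
        "arn:aws:firehose:eu-west-1:0123456789:deliverystream/waf-logs",
        "arn:aws:s3:::aws-waf-logs-central-bucket",
    ]:
        print(arn, "->", check_destination(arn, "CLOUDFRONT", "eu-west-1", "0123456789") or "ok")
```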

Necessary permissions

The account turning on the AWS WAF logs using the Kinesis Data Firehose destination must have the following permissions:

  • wafv2:PutLoggingConfiguration
  • wafv2:DeleteLoggingConfiguration
  • iam:CreateServiceLinkedRole
  • firehose:ListDeliveryStreams

For information about service-linked roles and the iam:CreateServiceLinkedRole permission, see Using service-linked roles for AWS WAF.

To create a Kinesis Data Firehose delivery stream, follow these steps:

  1. Open the Amazon Kinesis console.
  2. For Region, select the AWS Region where you created your web ACL.
    Note: Select Global if your web ACL is set up for Amazon CloudFront.
  3. In the navigation pane, choose Delivery streams.
  4. Choose Create delivery stream.
  5. For Source, choose Direct PUT.
  6. For Destination, choose from the available destinations for Kinesis Data Firehose.
  7. For Delivery stream name, enter a name for your delivery stream starting with aws-waf-logs-.
  8. Confirm Data transformation and Record format conversion are both Disabled.
  9. Enter the Destination settings for the destination you chose in step 6.
  10. (Optional) For Buffer hints, compression and encryption, configure to your specifications or keep the default settings.
  11. (Optional) For Advanced settings, configure to your specifications or keep the default settings.
  12. Review the settings for the delivery stream. If the settings match your specifications, choose Create delivery stream.

Turn on AWS WAF logs

After you decide the destination where you want to send your AWS WAF logs, turn on AWS WAF logging by doing the following:

  1. Open the AWS WAF console.
  2. For Region, select the AWS Region where you created your web ACL.
    Note: Select Global if your web ACL is set up for Amazon CloudFront.
  3. Select your web ACL.
  4. Choose Logging and Metrics, then choose Enable.
  5. For Destination, choose where you want to store the AWS WAF logs from the supported destinations.
  6. For Redacted fields, select the fields you want to omit from the logs.
  7. For Filter logs, add the filter to control which requests you want to store.
  8. Choose Save.
