Logging Web ACL Data in Amazon Kinesis

Ensure WAF Rules are Logged 
Best practice for AWS WAF rules is to maintain logging in order to gain details about the traffic that is analyzed by your web access control lists (ACLs). In this demo, AWS expert Mike Wise will walk through how to identify whether you have logging enabled on web ACLs. 

  1. Navigate to the WAF & Shield Dashboard, then select the Web ACLs section.
  2. Choose a web ACL to analyze. On the Logging and Metrics tab, you will see options to enable, edit, or disable logging. Is logging for this web ACL enabled or disabled? If disabled, Amazon Kinesis will not receive logs. 
  3. In this demonstration, we’ll show you what a web ACL configured for logging should look like. Under the Logging and Metrics tab, select Edit Logging to view logging details. When Amazon Kinesis Data Firehose is set up, the logging details will show you which delivery stream your WAF is configured to deliver logs to. 
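The same check across every web ACL at once, as an added example that is not part of the original demo. It assumes the web ACLs are AWS WAFv2 resources queried through boto3's `wafv2` client; `audit_logging` and `list_web_acls` are helper names chosen here for illustration.

```python
"""Audit WAFv2 web ACLs for a logging configuration (added example)."""

def _error_code(exc):
    # botocore's ClientError carries the service error code in exc.response
    return getattr(exc, "response", {}).get("Error", {}).get("Code", "")

def list_web_acls(client, scope):
    """Yield every web ACL summary in the scope, following NextMarker pages."""
    kwargs = {"Scope": scope}
    while True:
        page = client.list_web_acls(**kwargs)
        acls = page.get("WebACLs", [])
        yield from acls
        marker = page.get("NextMarker")
        if not acls or not marker:
            return
        kwargs["NextMarker"] = marker

def audit_logging(client, scope="REGIONAL"):
    """Return one finding per web ACL: name, ARN, enabled flag, destinations."""
    findings = []
    for acl in list_web_acls(client, scope):
        try:
            cfg = client.get_logging_configuration(ResourceArn=acl["ARN"])
            dests = cfg["LoggingConfiguration"].get("LogDestinationConfigs", [])
        except Exception as exc:
            # WAFv2 signals "no logging configuration" with this error code;
            # anything else (for example access denied) must not be hidden.
            if _error_code(exc) != "WAFNonexistentItemException":
                raise
            dests = []
        findings.append({"name": acl["Name"], "arn": acl["ARN"],
                         "logging_enabled": bool(dests),
                         "destinations": dests})
    return findings

if __name__ == "__main__":
    import sys
    import boto3  # assumption: boto3 installed and credentials configured
    results = audit_logging(boto3.client("wafv2"))
    for f in results:
        state = "ENABLED " if f["logging_enabled"] else "DISABLED"
        print(f"{state} {f['name']} -> {', '.join(f['destinations']) or '-'}")
    # Non-zero exit lets a scheduled job or CI check fail on unlogged ACLs
    sys.exit(1 if any(not f["logging_enabled"] for f in results) else 0)
```

For web ACLs attached to CloudFront, call `audit_logging` with `scope="CLOUDFRONT"` and a client created in `us-east-1`.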

For a visual guide on how to configure logging with WAF rules, web ACLs, and Amazon Kinesis Data Firehose, watch the full demo. Learn more about logging web ACL traffic information and creating an Amazon Kinesis Data Firehose delivery stream.

Transcription
Hello everyone! Thank you for coming to today’s demo. Today we’re going to talk about logging of WAF rules. Many organizations have compliance rules that require logging to be enabled. They have specific things that they need to retain for a certain amount of time – one of them being what’s going on with their WAF. A general best practice by AWS is that you’re going to be instituting logging in your WAF rule environment. The reason that you do this is because it allows you to get detailed information about the traffic that is analyzed by your web ACLs. What we’re going to do today is go look at some web ACL rules via the WAF and we’re going to look at the logging configurations so we can identify when logging is present and when logging is disabled. 

First, you will log in to your AWS Management Console. Then you’ll search for “WAF” in the search bar. That will take you to the AWS WAF management screen. You’re going to click on “Web ACLs.” As you can see here, we have two different web ACLs set up. We’re going to look at each one so you can see the differences in the configurations. Let’s look at the first web ACL. The important part to look at, in terms of your ACL being logged, is this “Logging and Metrics” tab. As you can see here, we have the logging disabled. That means that we’re not getting those detailed logs received by the backend, which is going to be the Amazon Kinesis. Now, let’s go look at what a configured ACL with logging looks like. Go back to “Logging and Metrics” and as you can see, it says that logging is enabled. 

Let’s go look at the logging settings and see what’s actually going on behind the scenes. If you go look at this, you can see that we have an Amazon Kinesis Data Firehose delivery system configured, which is what’s ingesting all of the rule hits that are going to be analyzed or logged later on. This is pushing into Amazon Kinesis and then to its specific destination source based on what the Amazon Kinesis Firehose Delivery system specifies. This can be pushed into a SIEM if you have a third-party SIEM tool, it can go into an S3 bucket, it can go into several different places. The key thing here is that you’re getting that data and it’s going somewhere for long-term storage. In the event that you do need to analyze that data or it’s being automatically analyzed by some kind of tool, it has that storage ability, it has that ability to be analyzed and to be reviewed. When you’re setting up your web ACLs as part of your WAF deployment, make sure you’re enabling this logging via Amazon Kinesis so it can be appropriately stored. That’s the end of this demo – thanks, and have a great day! 
