I want to send AWS WAF logs to an Amazon Simple Storage Service (Amazon S3) bucket that's in a different AWS account or AWS Region.
Resolution
Note: If you receive errors when you run AWS Command Line Interface (AWS CLI) commands, then see Troubleshooting errors for the AWS CLI. Also, make sure that you're using the most recent AWS CLI version.
Create an S3 bucket
Create the S3 bucket in the centralized logging account in the selected Region. For the bucket name, enter a name that starts with the aws-waf-logs- prefix, such as aws-waf-logs-example-bucket.
Add a bucket policy to the S3 bucket
Add the following S3 bucket policy to your S3 bucket:
{
  "Version": "2012-10-17",
  "Id": "AWSLogDeliveryWrite20150319",
  "Statement": [
    {
      "Sid": "AWSLogDeliveryWrite",
      "Effect": "Allow",
      "Principal": {
        "Service": "delivery.logs.amazonaws.com"
      },
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::aws-waf-logs-example-bucket/AWSLogs/*",
      "Condition": {
        "StringEquals": {
          "s3:x-amz-acl": "bucket-owner-full-control",
          "aws:SourceAccount": [
            "111111111111",
            "222222222222"
          ]
        },
        "ArnLike": {
          "aws:SourceArn": [
            "arn:aws:logs:region:111111111111:*",
            "arn:aws:logs:region:222222222222:*"
          ]
        }
      }
    },
    {
      "Sid": "AWSLogDeliveryAclCheck",
      "Effect": "Allow",
      "Principal": {
        "Service": "delivery.logs.amazonaws.com"
      },
      "Action": "s3:GetBucketAcl",
      "Resource": "arn:aws:s3:::aws-waf-logs-example-bucket",
      "Condition": {
        "StringEquals": {
          "aws:SourceAccount": [
            "111111111111",
            "222222222222"
          ]
        },
        "ArnLike": {
          "aws:SourceArn": [
            "arn:aws:logs:region:111111111111:*",
            "arn:aws:logs:region:222222222222:*"
          ]
        }
      }
    }
  ]
}
In the preceding policy, replace the following values:
- The account IDs in aws:SourceAccount with the IDs of the source accounts that send the logs.
- The Amazon Resource Names (ARNs) in aws:SourceArn with the ARNs of the source resources that publish the logs. Use the following format: arn:aws:logs:region:source-account-id:*
- aws-waf-logs-example-bucket with the name of your S3 bucket.
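The aws:SourceAccount and aws:SourceArn conditions are what keep another account's log delivery from writing into your centralized bucket, so it is worth checking them before the policy is applied. The following linter is an added example, not code from the article or from AWS; it parses a bucket policy as a dict and reports any statement that grants delivery.logs.amazonaws.com without those conditions, with accounts outside an expected set, or without the bucket-owner-full-control ACL requirement on s3:PutObject. The sample policies are constructed.

```python
"""Lint an S3 bucket policy used as an AWS WAF log destination (added example, not
from the original article): every Allow for the log-delivery service must be scoped
with aws:SourceAccount and aws:SourceArn so only the intended accounts can write."""

LOG_DELIVERY = "delivery.logs.amazonaws.com"


def _as_list(value):  # IAM fields may be a scalar or a list; normalize to a list
    return [] if value is None else (value if isinstance(value, list) else [value])


def check_log_delivery_policy(policy: dict, expected_accounts: set) -> list:
    """Return findings for the log-delivery statements; an empty list is a pass."""
    findings = []
    for stmt in policy.get("Statement", []):
        principal = stmt.get("Principal", {})
        services = _as_list(principal.get("Service")) if isinstance(principal, dict) else []
        if stmt.get("Effect") != "Allow" or LOG_DELIVERY not in services:
            continue  # only grants to the log-delivery service are checked
        sid = stmt.get("Sid", "<no Sid>")
        equals = stmt.get("Condition", {}).get("StringEquals", {})
        accounts = set(_as_list(equals.get("aws:SourceAccount")))
        arns = _as_list(stmt.get("Condition", {}).get("ArnLike", {}).get("aws:SourceArn"))
        if not accounts:
            findings.append(f"{sid}: missing aws:SourceAccount condition")
        elif accounts - expected_accounts:
            findings.append(f"{sid}: unexpected source accounts {sorted(accounts - expected_accounts)}")
        if not arns:
            findings.append(f"{sid}: missing aws:SourceArn condition")
        # Field 5 of arn:aws:logs:region:account:* is the account; a foreign or
        # wildcard account there widens who may deliver logs into the bucket.
        for arn in arns:
            parts = arn.split(":")
            if len(parts) < 6 or parts[4] not in expected_accounts:
                findings.append(f"{sid}: aws:SourceArn {arn} not scoped to an expected account")
        if "s3:PutObject" in _as_list(stmt.get("Action")) and \
                equals.get("s3:x-amz-acl") != "bucket-owner-full-control":
            findings.append(f"{sid}: s3:PutObject must require bucket-owner-full-control")
    return findings


# Constructed samples: the article's write statement, then a copy stripped of its
# Condition block, which would accept log delivery on behalf of any account.
GOOD = {"Version": "2012-10-17", "Statement": [{
    "Sid": "AWSLogDeliveryWrite", "Effect": "Allow",
    "Principal": {"Service": LOG_DELIVERY}, "Action": "s3:PutObject",
    "Resource": "arn:aws:s3:::aws-waf-logs-example-bucket/AWSLogs/*",
    "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control",
                                   "aws:SourceAccount": ["111111111111"]},
                  "ArnLike": {"aws:SourceArn": ["arn:aws:logs:us-west-1:111111111111:*"]}}}]}
BAD = {"Version": "2012-10-17",
       "Statement": [{k: v for k, v in GOOD["Statement"][0].items() if k != "Condition"}]}
```

To check a live policy, feed the JSON returned by aws s3api get-bucket-policy through json.loads and pass the result in place of GOOD.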
Configure your web ACLs to send the logs to the S3 bucket
In the following example, the S3 bucket is in a different account or Region from the AWS WAF web ACL. To configure the web access control list (web ACL), you must run the put-logging-configuration command from the account that owns the web ACL:
aws wafv2 put-logging-configuration --logging-configuration ResourceArn=arn:aws:wafv2:us-west-1:111111111111:regional/webacl/testing/b4a768c9-4895-4f35-9354-3049ab8acc29,LogDestinationConfigs=arn:aws:s3:::aws-waf-logs-example-bucket --region us-west-1
In the preceding command, replace the following values:
- The ARN for ResourceArn with your web ACL's ARN.
- The ARN for LogDestinationConfigs with the ARN of the S3 bucket that's in your centralized logging account.
- us-west-1 with the Region where your web ACL is located. For web ACLs in the Amazon CloudFront Region (Global), replace us-west-1 with us-east-1.
Repeat the preceding step for each web ACL in your AWS WAF.
Encrypt your S3 bucket
AWS WAF supports S3 buckets that use server-side encryption with keys that Amazon S3 manages or with keys in AWS Key Management Service (AWS KMS). AWS WAF doesn't support encryption with AWS managed keys.
If you use both of the following configurations, then AWS WAF requires permission to use your KMS key:
- Your logging destination uses server-side encryption keys that AWS KMS stores.
- You use a customer managed key.
To allow AWS WAF to write logs to your S3 bucket, add the following statement to the key policy of your KMS key:
{
  "Sid": "Allow AWS WAF to use the key",
  "Effect": "Allow",
  "Principal": {
    "Service": [
      "delivery.logs.amazonaws.com"
    ]
  },
  "Action": "kms:GenerateDataKey*",
  "Resource": "*"
}
Related information
Permissions required to publish logs to Amazon S3