How do I send AWS WAF logs to an Amazon S3 bucket in a centralized logging account?

3 minute read
0

I want to send AWS WAF logs to an Amazon Simple Storage Service (Amazon S3) bucket that's in a different AWS account or AWS Region.

Resolution

To send AWS WAF logs to an Amazon S3 bucket that's in a centralized logging account, complete the following steps.

Create an S3 bucket in the centralized logging account in the selected Region

Complete the following steps:

  1. Create the Amazon S3 bucket.
  2. Enter a bucket name that starts with the aws-waf-logs- prefix.
    For example: aws-waf-logs-example-bucket.

Add a bucket policy to the Amazon S3 bucket

Add the following Amazon S3 bucket policy to your Amazon S3 bucket:

{  "Version": "2012-10-17",
  "Id": "AWSLogDeliveryWrite20150319",
  "Statement": [
    {
      "Sid": "AWSLogDeliveryWrite",
      "Effect": "Allow",
      "Principal": {
        "Service": "delivery.logs.amazonaws.com"
      },
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::aws-waf-logs-example-bucket/AWSLogs/*",
      "Condition": {
        "StringEquals": {
          "s3:x-amz-acl": "bucket-owner-full-control",
          "aws:SourceAccount": [
            "111111111111",
            "222222222222"
          ]
        },
        "ArnLike": {
          "aws:SourceArn": [
            "arn:aws:logs:region:111111111111:*",
            "arn:aws:logs:region:222222222222:*"
          ]
        }
      }
    },
    {
      "Sid": "AWSLogDeliveryAclCheck",
      "Effect": "Allow",
      "Principal": {
        "Service": "delivery.logs.amazonaws.com"
      },
      "Action": "s3:GetBucketAcl",
      "Resource": "arn:aws:s3:::aws-waf-logs-example-bucket",
      "Condition": {
        "StringEquals": {
          "aws:SourceAccount": [
            "111111111111",
            "222222222222"
          ]
        },
        "ArnLike": {
          "aws:SourceArn": [
            "arn:aws:logs:region:111111111111:*",
            "arn:aws:logs:region:222222222222:*"
          ]
        }
      }
    }
  ]
}

In the preceding policy, replace the following values:

  • The account IDs in aws:SourceAccount with the IDs of the source accounts that you want to send logs.
  • The Amazon Resource Names (ARNs) in aws:SourceArn with the ARNs of the source resources that you want to publish logs. Use the following format: arn:aws:logs:region:source-account-id:*
  • aws-waf-logs-example-bucket with the name of your S3 bucket.

Configure your web ACLs to send the logs to the Amazon S3 bucket

Note: If you receive errors when you run AWS Command Line Interface (AWS CLI) commands, then see Troubleshoot AWS CLI errors. Also, make sure that you're using the most recent AWS CLI version.

In the following example, the Amazon S3 bucket is in a different account or Region from the AWS WAF. To configure the web access control list (web ACL), you must run the put-logging-configuration command from the account that owns the web ACL:

aws wafv2 put-logging-configuration --logging-configuration ResourceArn=arn:aws:wafv2:us-west-1:111111111111:regional/webacl/testing/b4a768c9-4895-4f35-9354-3049ab8acc29,LogDestinationConfigs=arn:aws:s3:::aws-waf-logs-example-bucket --region us-west-1

In the preceding command, replace the following values:

  • The arn for ResourceArn with your web ACL's ARN.
  • The arn for LogDestinationConfigs with the ARN of the S3 bucket that's in your centralized logging account.
  • us-west-1 with the Region where your web ACL is located. For web ACLs in the Amazon CloudFront Region (Global), replace us-west-1 with us-east-1.

Repeat the preceding step for each web ACL in your AWS WAF.

Encrypt your Amazon S3 bucket

AWS WAF supports encryption with Amazon S3 buckets for server-side encryption keys in Amazon S3 and AWS Key Management Service (AWS KMS). AWS WAF doesn't support encryption for AWS managed keys.

If you use both of the following configurations, then you must give AWS WAF permission to use your KMS key:

  • Your logging destination uses server-side encryption keys that are stored in AWS KMS.
  • You use a customer managed key.

To allow AWS WAF to log in to your Amazon S3 bucket, add the following key policy to your KMS key:

{
    "Sid": "Allow AWS WAF to use the key",
    "Effect": "Allow",
    "Principal": {
        "Service": [
            "delivery.logs.amazonaws.com"
        ]
    },
    "Action": "kms:GenerateDataKey*",
    "Resource": "*"
}

Related information

Permissions required to publish logs to Amazon S3

AWS OFFICIAL
AWS OFFICIALUpdated 5 months ago