AWS WAF_AWSManagedRulesAnonymousIpList

0

Hello,

I've enabled the AWS WAF service in my project. I've also set the rule action of HostingProviderIPList Rule in AWSManagedRulesAnonymousIpList as "Challenge." After analyzing the WAF logs from Cloudwatch, I noticed that the log was incomplete and we can see that only the main rule action is "Challenge," and there's no indication of whether the client passed or failed the challenge. Furthermore, there are no logs showing what happened after the challenge, such as the execution of the challenge.js script or the generation of a token for retrying the request. How can I find out what happened next? Please Help!

1 Answer
3

Hello Elson,

Default AWS WAF logs lack details on challenge responses. To gain insights:

  • Enable logging for specific fields like request_headers in your WAF logging configuration.
  • Check CloudTrail logs around the challenge timeframe for WAF events (e.g., wafv2:RuleAction).

Web ACL logging configuration: https://docs.aws.amazon.com/waf/latest/developerguide/logging.html

Logging and monitoring in AWS WAF: https://docs.aws.amazon.com/whitepapers/latest/aws-security-incident-response-guide/aws-security-incident-response-guide.html

profile picture
EXPERT
answered 6 months ago
  • Thank you for your answer. Unfortunately, the AWS WAF logging configuration doesn't allow you to enable logging for specific fields like request_headers. Also, when I checked the CloudTrail log, it only showed the events originating from my actions.

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions