3
votes

I was going through AWS WAF Cloudformation documentation and I couldn't see a way to enable logging. I can enable logging by console, however I want to do it by Cloudformation so that it is enabled by default in new stacks.

How do I enable logging in AWS WAF WebACL by Cloudformation.

Thanks

4
There isn't a way to do this natively with CloudFormation. You'll have to write a custom Lambda resource to do this. - WarrenG

4 Answers

2
votes

It is not supported right now. Likely because of this:

If you are capturing logs for Amazon CloudFront, create the firehose in US East (N. Virginia)

Which means this stack would need to be creating resources in multiple regions.

You can track and vote for the issue on the CloudFormation road-map page here

1
votes

It's not available at the moment but it is possible to use AWS Config to set up logging as new web ACLs are created.

0
votes

AWS WAF Security Automations has used Lambda to solve this.

    ConfigureAWSWAFLogs:
      Type: 'Custom::ConfigureAWSWAFLogs'
      Condition: HttpFloodProtectionLogParserActivated
      Properties:
        ServiceToken: !GetAtt CustomResource.Arn
        WAFWebACLArn: !GetAtt WebACLStack.Outputs.WAFWebACLArn
        DeliveryStreamArn: !GetAtt FirehoseAthenaStack.Outputs.FirehoseWAFLogsDeliveryStreamArn

CustomResource Lambda function:

    elif event['ResourceType'] == "Custom::ConfigureAWSWAFLogs":
        if 'CREATE' in request_type:
            put_logging_configuration(log, event['ResourceProperties']['WAFWebACLArn'],
                                      event['ResourceProperties']['DeliveryStreamArn'])

check it out at https://github.com/awslabs/aws-waf-security-automations
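The project snippet above only shows the Create branch. The following is an added example (not code from the AWS WAF Security Automations project or from the answer) of a complete custom resource handler: it handles Create, Update and Delete, detaches logging from the previous web ACL when an Update points the stack at a different one, tolerates a Delete for an ACL that never had logging, and always PUTs a SUCCESS or FAILED response back to CloudFormation so the stack never hangs. It assumes the boto3 `wafv2` client (`put_logging_configuration` / `delete_logging_configuration`), injected as a parameter so that the constructed `FakeWafClient` below lets it run offline; the event fields and ARNs are constructed sample data.

```python
"""Custom resource handler for a WAF logging configuration (added example).

Assumptions, not from the page: boto3.client('wafv2') is passed in as `client`,
and the standard CloudFormation custom resource contract is used
(RequestType, ResourceProperties, ResponseURL, JSON PUT back to ResponseURL).
"""
import json
import urllib.request


class WAFNonexistentItemException(Exception):
    """Same class name as botocore's wafv2 error, used by the offline fake client."""


def put_logging_configuration(client, web_acl_arn, delivery_stream_arn):
    # Real boto3 call shape; the destination name must start with aws-waf-logs-.
    return client.put_logging_configuration(
        LoggingConfiguration={
            "ResourceArn": web_acl_arn,
            "LogDestinationConfigs": [delivery_stream_arn],
        }
    )


def delete_logging_configuration(client, web_acl_arn):
    """Detach logging; an ACL that never had logging is not an error on Delete."""
    try:
        client.delete_logging_configuration(ResourceArn=web_acl_arn)
    except Exception as exc:  # botocore raises client.exceptions.WAFNonexistentItemException
        if type(exc).__name__ != "WAFNonexistentItemException":
            raise


def build_response(event, status, reason=""):
    """Response body in the shape CloudFormation expects from a custom resource."""
    return {
        "Status": status,
        "Reason": reason,
        "PhysicalResourceId": event.get("PhysicalResourceId") or event["LogicalResourceId"],
        "StackId": event["StackId"],
        "RequestId": event["RequestId"],
        "LogicalResourceId": event["LogicalResourceId"],
        "Data": {},
    }


def send_response(event, body, opener=urllib.request.urlopen):
    """PUT the body to the pre-signed URL CloudFormation placed in the event."""
    data = json.dumps(body).encode()
    req = urllib.request.Request(event["ResponseURL"], data=data, method="PUT",
                                 headers={"Content-Type": "", "Content-Length": str(len(data))})
    opener(req).close()


def handle(event, client, send=send_response):
    """Wire as lambda_handler(event, ctx): handle(event, boto3.client('wafv2'))."""
    request_type = event["RequestType"]
    props = event["ResourceProperties"]
    web_acl_arn = props["WAFWebACLArn"]
    try:
        if event["ResourceType"] != "Custom::ConfigureAWSWAFLogs":
            raise ValueError("unexpected ResourceType %s" % event["ResourceType"])
        if request_type in ("Create", "Update"):
            old_arn = event.get("OldResourceProperties", {}).get("WAFWebACLArn")
            if request_type == "Update" and old_arn and old_arn != web_acl_arn:
                delete_logging_configuration(client, old_arn)  # stack moved to another ACL
            put_logging_configuration(client, web_acl_arn, props["DeliveryStreamArn"])
        elif request_type == "Delete":
            delete_logging_configuration(client, web_acl_arn)
        else:
            raise ValueError("unexpected RequestType %s" % request_type)
        body = build_response(event, "SUCCESS")
    except Exception as exc:
        # Report FAILED instead of crashing: an unanswered custom resource blocks the stack.
        body = build_response(event, "FAILED", reason=str(exc))
    send(event, body)
    return body


class FakeWafClient:
    """Constructed stand-in for boto3.client('wafv2') so the handler runs offline."""

    def __init__(self):
        self.configs = {}

    def put_logging_configuration(self, LoggingConfiguration):
        self.configs[LoggingConfiguration["ResourceArn"]] = LoggingConfiguration["LogDestinationConfigs"]
        return {"LoggingConfiguration": LoggingConfiguration}

    def delete_logging_configuration(self, ResourceArn):
        if ResourceArn not in self.configs:
            raise WAFNonexistentItemException(ResourceArn)
        del self.configs[ResourceArn]


def constructed_event(request_type, web_acl_arn, stream_arn, old_web_acl_arn=None):
    """Constructed custom resource event (sample ARNs, not real resources)."""
    event = {
        "RequestType": request_type,
        "ResourceType": "Custom::ConfigureAWSWAFLogs",
        "ResponseURL": "https://cloudformation-custom-resource-response.example/presigned",
        "StackId": "arn:aws:cloudformation:us-east-1:123456789012:stack/example/0000",
        "RequestId": "req-1",
        "LogicalResourceId": "ConfigureAWSWAFLogs",
        "ResourceProperties": {"WAFWebACLArn": web_acl_arn, "DeliveryStreamArn": stream_arn},
    }
    if old_web_acl_arn:
        event["OldResourceProperties"] = {"WAFWebACLArn": old_web_acl_arn, "DeliveryStreamArn": stream_arn}
    return event


if __name__ == "__main__":
    waf, sent = FakeWafClient(), []
    ev = constructed_event("Create", "arn:aws:wafv2:us-east-1:123456789012:regional/webacl/example/abc",
                           "arn:aws:firehose:us-east-1:123456789012:deliverystream/aws-waf-logs-example")
    print(handle(ev, waf, send=lambda e, b: sent.append(b))["Status"], waf.configs)
```

The physical ID is kept stable (the logical ID) so that an Update never makes CloudFormation issue a replacement Delete; the old ACL is cleaned up explicitly inside the Update branch instead.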

0
votes

It's already available. Official documentation here

Related release note for added support (CloudWatch and S3) here
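As an added example (a config fragment, not taken from the documentation or the release note linked above), this is what the native approach looks like today: an `AWS::WAFv2::LoggingConfiguration` resource pointing a regional web ACL at a CloudWatch Logs group. The resource names are assumptions; the `aws-waf-logs-` prefix on the destination is required by the service, and the `Authorization` header is redacted so credentials are not written to the log. For a `CLOUDFRONT`-scope web ACL, the web ACL, the logging configuration and the destination all have to be created in us-east-1, which is the multi-region problem the first answer describes.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: Web ACL with logging enabled from the start (added example, assumed names)

Resources:
  WafLogGroup:
    Type: AWS::Logs::LogGroup
    Properties:
      LogGroupName: aws-waf-logs-example   # WAF only accepts destinations with this prefix
      RetentionInDays: 90

  WebAcl:
    Type: AWS::WAFv2::WebACL
    Properties:
      Name: example-web-acl
      Scope: REGIONAL                      # CLOUDFRONT scope: whole template goes to us-east-1
      DefaultAction:
        Allow: {}
      VisibilityConfig:
        SampledRequestsEnabled: true
        CloudWatchMetricsEnabled: true
        MetricName: exampleWebAcl
      Rules: []

  WebAclLogging:
    Type: AWS::WAFv2::LoggingConfiguration
    Properties:
      ResourceArn: !GetAtt WebAcl.Arn
      LogDestinationConfigs:
        # bare log group ARN; WAF does not accept the ':*' suffix that !GetAtt Arn appends
        - !Sub arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:${WafLogGroup}
      RedactedFields:
        - SingleHeader:
            Name: authorization            # keep bearer tokens and basic-auth out of the logs

Outputs:
  WebAclArn:
    Value: !GetAtt WebAcl.Arn
```

Because the logging configuration is an ordinary resource that depends on the web ACL, every stack created from this template has logging on from the first request, which is what the question asked for; no custom resource or AWS Config remediation is needed any more.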