How do I send AWS WAF logs to an Amazon S3 bucket in a centralized logging account?


I want to send AWS WAF logs to an Amazon Simple Storage Service (Amazon S3) bucket that's in a different account or AWS Region.

Resolution

To send AWS WAF logs to an Amazon S3 bucket that's in a centralized logging account, complete the steps in the following sections.

Create an S3 bucket in the centralized logging account in your selected Region

1.    Create an S3 bucket in the centralized logging account for your selected AWS Region.

2.    Enter a bucket name that starts with the prefix aws-waf-logs-, for example aws-waf-logs-example-bucket.

Create and add a bucket policy to the S3 bucket

Add the following S3 bucket policy to your S3 bucket:

Important:

  • Replace the account IDs in aws:SourceAccount with the IDs of the source accounts that you want to allow to send logs to this bucket.
  • Replace the ARNs in aws:SourceArn with the ARNs of the source resources that you want to allow to publish logs to this bucket. Use the format arn:aws:logs:*:source-account-id:*.
  • Replace the S3 bucket name aws-waf-logs-example-bucket in Resource with the name of your S3 bucket.

{
  "Version": "2012-10-17",
  "Id": "AWSLogDeliveryWrite20150319",
  "Statement": [
    {
      "Sid": "AWSLogDeliveryWrite",
      "Effect": "Allow",
      "Principal": {
        "Service": "delivery.logs.amazonaws.com"
      },
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::aws-waf-logs-example-bucket/AWSLogs/*",
      "Condition": {
        "StringEquals": {
          "s3:x-amz-acl": "bucket-owner-full-control",
          "aws:SourceAccount": [
            "111111111111",
            "222222222222"
          ]
        },
        "ArnLike": {
          "aws:SourceArn": [
            "arn:aws:logs:*:111111111111:*",
            "arn:aws:logs:*:222222222222:*"
          ]
        }
      }
    },
    {
      "Sid": "AWSLogDeliveryAclCheck",
      "Effect": "Allow",
      "Principal": {
        "Service": "delivery.logs.amazonaws.com"
      },
      "Action": "s3:GetBucketAcl",
      "Resource": "arn:aws:s3:::aws-waf-logs-example-bucket",
      "Condition": {
        "StringEquals": {
          "aws:SourceAccount": [
            "111111111111",
            "222222222222"
          ]
        },
        "ArnLike": {
          "aws:SourceArn": [
            "arn:aws:logs:*:111111111111:*",
            "arn:aws:logs:*:222222222222:*"
          ]
        }
      }
    }
  ]
}

Configure your web ACLs to send the logs to the desired S3 bucket

Note: If you receive errors when running AWS Command Line Interface (AWS CLI) commands, make sure that you’re using the most recent AWS CLI version.

You must configure your web ACLs to send the AWS WAF logs to the centralized logging account's S3 bucket. To configure a web ACL, run the put-logging-configuration AWS CLI command from the account that owns the web ACL.

Important:

  • Replace the ResourceArn value with your web ACL's ARN.
  • Replace the LogDestinationConfigs value with the ARN of the S3 bucket that's in your centralized logging account.
  • Replace the region value with the AWS Region where your web ACL is located.

aws wafv2 put-logging-configuration --logging-configuration ResourceArn=arn:aws:wafv2:eu-west-1:111111111111:regional/webacl/testing/b4a768c9-4895-4f35-9354-3049ab8acc29,LogDestinationConfigs=arn:aws:s3:::aws-waf-logs-example-bucket --region eu-west-1

Note: For web ACLs in the CloudFront (Global) Region, use us-east-1 as the Region in the preceding command.

Repeat the preceding put-logging-configuration command for each of your web ACLs.
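As an added example that is not part of this article or of any AWS tooling, the following Python script carries out the two configuration steps above for several source accounts and web ACLs: it generates the bucket policy with the source-account conditions filled in, checks a policy for the properties the article relies on (the aws-waf-logs- prefix, both statements, the delivery.logs.amazonaws.com principal, and the aws:SourceAccount and aws:SourceArn conditions that keep accounts other than the listed ones from delivering logs into the bucket), and builds the put-logging-configuration command for each web ACL, taking the Region from the web ACL ARN and using us-east-1 for CloudFront (global) web ACLs. The bucket name, account IDs and web ACL ARNs are constructed sample values, and the check function's rules are this example's own reading of the policy above, not an AWS validator.

```python
from __future__ import annotations

import json
import re

# Constructed sample values for this example (not from a real account).
SAMPLE_BUCKET = "aws-waf-logs-example-bucket"
SAMPLE_SOURCE_ACCOUNTS = ["111111111111", "222222222222"]
SAMPLE_WEB_ACL_ARNS = [
    "arn:aws:wafv2:eu-west-1:111111111111:regional/webacl/testing/b4a768c9-4895-4f35-9354-3049ab8acc29",
    "arn:aws:wafv2:us-east-1:222222222222:global/webacl/cloudfront-acl/00000000-0000-0000-0000-000000000000",
]

LOG_DELIVERY_SERVICE = "delivery.logs.amazonaws.com"
BUCKET_PREFIX = "aws-waf-logs-"

# arn:aws:wafv2:<region>:<account>:<regional|global>/webacl/<name>/<id>
WEB_ACL_ARN = re.compile(
    r"arn:aws:wafv2:(?P<region>[a-z0-9-]+):(?P<account>\d{12}):"
    r"(?P<scope>regional|global)/webacl/[^/]+/[0-9a-f-]+"
)


def build_bucket_policy(bucket: str, source_accounts: list[str]) -> dict:
    """Return the article's bucket policy, filled in for one bucket and a list of source accounts."""
    if not bucket.startswith(BUCKET_PREFIX):
        raise ValueError(f"WAF log bucket names must start with {BUCKET_PREFIX}")
    source_arns = [f"arn:aws:logs:*:{acct}:*" for acct in source_accounts]
    return {
        "Version": "2012-10-17",
        "Id": "AWSLogDeliveryWrite20150319",
        "Statement": [
            {
                "Sid": "AWSLogDeliveryWrite",
                "Effect": "Allow",
                "Principal": {"Service": LOG_DELIVERY_SERVICE},
                "Action": "s3:PutObject",
                "Resource": f"arn:aws:s3:::{bucket}/AWSLogs/*",
                "Condition": {
                    "StringEquals": {
                        "s3:x-amz-acl": "bucket-owner-full-control",
                        "aws:SourceAccount": list(source_accounts),
                    },
                    "ArnLike": {"aws:SourceArn": source_arns},
                },
            },
            {
                "Sid": "AWSLogDeliveryAclCheck",
                "Effect": "Allow",
                "Principal": {"Service": LOG_DELIVERY_SERVICE},
                "Action": "s3:GetBucketAcl",
                "Resource": f"arn:aws:s3:::{bucket}",
                "Condition": {
                    "StringEquals": {"aws:SourceAccount": list(source_accounts)},
                    "ArnLike": {"aws:SourceArn": source_arns},
                },
            },
        ],
    }


def check_bucket_policy(policy: dict, bucket: str) -> list[str]:
    """Return the problems found; an empty list means the policy has the properties the article relies on."""
    problems: list[str] = []
    if not bucket.startswith(BUCKET_PREFIX):
        problems.append(f"bucket name lacks the {BUCKET_PREFIX} prefix")
    statements = policy.get("Statement", [])
    sids = {s.get("Sid") for s in statements}
    for required in ("AWSLogDeliveryWrite", "AWSLogDeliveryAclCheck"):
        if required not in sids:
            problems.append(f"missing statement {required}")
    for stmt in statements:
        sid = stmt.get("Sid", "<no Sid>")
        if stmt.get("Principal", {}).get("Service") != LOG_DELIVERY_SERVICE:
            problems.append(f"{sid}: principal is not {LOG_DELIVERY_SERVICE}")
        cond = stmt.get("Condition", {})
        accounts = cond.get("StringEquals", {}).get("aws:SourceAccount") or []
        arns = cond.get("ArnLike", {}).get("aws:SourceArn") or []
        # Without both conditions the log-delivery service could be used to write
        # logs on behalf of accounts the bucket owner never intended to accept.
        if not accounts:
            problems.append(f"{sid}: no aws:SourceAccount condition")
        if not arns:
            problems.append(f"{sid}: no aws:SourceArn condition")
        if stmt.get("Action") == "s3:PutObject":
            if not str(stmt.get("Resource", "")).endswith(f":{bucket}/AWSLogs/*"):
                problems.append(f"{sid}: s3:PutObject is not scoped to {bucket}/AWSLogs/*")
            if cond.get("StringEquals", {}).get("s3:x-amz-acl") != "bucket-owner-full-control":
                problems.append(f"{sid}: bucket-owner-full-control ACL is not required")
        for arn in arns:
            m = re.fullmatch(r"arn:aws:logs:\*:(\d{12}):\*", arn)
            if not m:
                problems.append(f"{sid}: SourceArn {arn} is not of the form arn:aws:logs:*:account-id:*")
            elif m.group(1) not in accounts:
                problems.append(f"{sid}: SourceArn account {m.group(1)} is not listed in aws:SourceAccount")
    return problems


def logging_configuration_command(web_acl_arn: str, bucket: str) -> str:
    """Build the put-logging-configuration command for one web ACL, taking the Region from its ARN."""
    m = WEB_ACL_ARN.fullmatch(web_acl_arn)
    if not m:
        raise ValueError(f"not a WAFv2 web ACL ARN: {web_acl_arn}")
    # CloudFront (global) web ACLs are configured in us-east-1; regional ones in their own Region.
    region = "us-east-1" if m.group("scope") == "global" else m.group("region")
    return (
        "aws wafv2 put-logging-configuration --logging-configuration "
        f"ResourceArn={web_acl_arn},LogDestinationConfigs=arn:aws:s3:::{bucket} "
        f"--region {region}"
    )


if __name__ == "__main__":
    policy = build_bucket_policy(SAMPLE_BUCKET, SAMPLE_SOURCE_ACCOUNTS)
    print(json.dumps(policy, indent=2))
    print("policy problems:", check_bucket_policy(policy, SAMPLE_BUCKET) or "none")
    for arn in SAMPLE_WEB_ACL_ARNS:
        print(logging_configuration_command(arn, SAMPLE_BUCKET))
```

Running the script prints the filled-in policy, the result of the check, and one command per web ACL. Save the policy and apply it in the logging account with aws s3api put-bucket-policy, then run each printed command from the account that owns that web ACL; the check is also useful on a policy exported from an existing bucket to confirm the source-account conditions were not dropped when the policy was edited by hand.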

Related information

Permissions to publish logs to Amazon S3

AWS OFFICIAL. Updated a year ago.