Ensure Logging is enabled for WAF Web Access Control Lists

Error: AWS WAF Web Access Control Lists logging is disabled
Bridgecrew Policy ID: BC_AWS_LOGGING_31
Checkov Check ID: CKV_AWS_176
Severity: TBD

AWS WAF Web Access Control Lists logging is disabled

Description

Amazon WAF is a web application firewall service that lets you monitor web requests that are forwarded to Amazon API Gateway APIs, Amazon CloudFront distributions, or Application Load Balancers in order to help protect them from attacks. To get detailed information about the web traffic analyzed by your Web Access Control Lists (Web ACLs) you must enable logging. The log entries include the time that Amazon WAF received the request from your AWS resource, detailed information about the request, and the action for the rule that each request matched. You can also send these logs to an Amazon Kinesis Firehose delivery stream with a configured storage destination.

Fix - Buildtime

Terraform

Resource: aws_waf_web_acl
Attribute: logging_configuration

resource "aws_waf_web_acl" "example" {
  # ... other configuration ...

  # Enable logging for the Web ACL. The destination must be a Kinesis Data
  # Firehose delivery stream, and AWS requires the stream name to begin
  # with "aws-waf-logs-".
  logging_configuration {
    log_destination = aws_kinesis_firehose_delivery_stream.example.arn

    # Optional: keep sensitive request fields out of the log records.
    redacted_fields {
      field_to_match {
        type = "URI"
      }

      field_to_match {
        data = "referer"
        type = "HEADER"
      }
    }
  }
}
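The rule behind this policy, written out as an added Python example (not Checkov's or Bridgecrew's own implementation) over a resource already parsed into the list-wrapped dict shape Checkov uses for Terraform (that shape is an assumption here). It also applies the AWS naming requirement that a classic WAF logging stream be called aws-waf-logs-*.

```python
"""Build-time rule in the spirit of CKV_AWS_176: an aws_waf_web_acl resource
must carry a logging_configuration block pointing at a Firehose stream.
Added example, not Checkov's own code. Assumes Checkov's parsed-resource
shape, where every attribute value and nested block is wrapped in a list."""
import re

# Classic AWS WAF only accepts a Kinesis Data Firehose delivery stream whose
# name begins with this prefix (documented AWS requirement).
WAF_FIREHOSE_PREFIX = "aws-waf-logs-"
FIREHOSE_ARN = re.compile(
    r"^arn:aws:firehose:[a-z0-9-]+:\d{12}:deliverystream/(?P<name>.+)$")


def check_waf_web_acl_logging(conf):
    """Return ("PASSED"|"FAILED", reason) for one parsed aws_waf_web_acl."""
    logging_blocks = conf.get("logging_configuration") or []
    if not logging_blocks:
        return "FAILED", "no logging_configuration block"
    dest = logging_blocks[0].get("log_destination") or [None]
    arn = dest[0]
    if not isinstance(arn, str) or not arn:
        return "FAILED", "logging_configuration has no log_destination"
    # A Terraform reference such as aws_kinesis_firehose_delivery_stream.x.arn
    # is resolved only at plan time; the block exists, so the check passes.
    if not arn.startswith("arn:"):
        return "PASSED", "log_destination is a reference, resolved at plan time"
    match = FIREHOSE_ARN.match(arn)
    if not match:
        return "FAILED", "log_destination is not a Firehose delivery stream ARN"
    if not match.group("name").startswith(WAF_FIREHOSE_PREFIX):
        return "FAILED", f"stream name must start with {WAF_FIREHOSE_PREFIX!r}"
    return "PASSED", "logging enabled to Firehose"


# Constructed sample resources in that parsed shape: the failing case this
# policy reports (BASE), a compliant ACL, one that violates the naming rule,
# and one using a Terraform reference like the fix above.
BASE = {"name": ["acl"], "metric_name": ["acl"],
        "default_action": [{"type": ["ALLOW"]}]}
COMPLIANT = {**BASE, "logging_configuration": [{"log_destination": [
    "arn:aws:firehose:us-east-1:123456789012:deliverystream/aws-waf-logs-acl"]}]}
BAD_PREFIX = {**BASE, "logging_configuration": [{"log_destination": [
    "arn:aws:firehose:us-east-1:123456789012:deliverystream/acl-logs"]}]}
REFERENCE = {**BASE, "logging_configuration": [{"log_destination": [
    "${aws_kinesis_firehose_delivery_stream.example.arn}"]}]}

if __name__ == "__main__":
    for label, res in [("no_logging", BASE), ("compliant", COMPLIANT),
                       ("bad_prefix", BAD_PREFIX), ("reference", REFERENCE)]:
        print(label, *check_waf_web_acl_logging(res))
```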