Ensure WAF2 has a Logging Configuration

Error: AWS WAF2 does not have a Logging Configuration
Bridgecrew Policy ID: BC_AWS_LOGGING_33
Checkov Check ID: CKV2_AWS_31
Severity: LOW

AWS WAF2 does not have a Logging Configuration


You can enable comprehensive logging on a web access control list (web ACL) using an Amazon Kinesis Data Firehose stream destined to an Amazon S3 bucket in the same Region. To do so, you must use three AWS services:
AWS WAF to create the logs
Kinesis Data Firehose to receive the logs
Amazon S3 to store the logs
Note: AWS WAF and Kinesis Data Firehose must be running in the same Region.

Fix - Buildtime


  • Resource: aws_wafv2_web_acl
  • Attribute: visibility_config - (Required) Defines and enables Amazon CloudWatch metrics and web request sample collection. See Visibility Configuration below for details.
resource "aws_wafv2_web_acl" "example" {
  name        = "rate-based-example"
  description = "Example of a rate based statement."
  scope       = "REGIONAL"

++    visibility_config {
      cloudwatch_metrics_enabled = false
      metric_name                = "friendly-rule-metric-name"
      sampled_requests_enabled   = false

++ resource "aws_wafv2_web_acl_logging_configuration" "example" {
  log_destination_configs = [aws_kinesis_firehose_delivery_stream.example.arn]
  resource_arn            = aws_wafv2_web_acl.example.arn
  redacted_fields {
    single_header {
      name = "user-agent"