Enable Logging for Web ACL


Question

A company is hosting a web application that is sitting behind an Application Load Balancer.

You use a WAF web ACL to protect the Application Load Balancer against SQL injection and other types of web layer attacks.

You need to enable logging to get detailed information about the traffic that is analyzed by your web ACL.

Which of the following would you need to have in place for this requirement to be fulfilled? Choose 2 options.

Answers

Explanations


Answer - A and C.

This is mentioned in the AWS Documentation.

You can enable logging to get detailed information about the traffic that is analyzed by your web ACL.

Information contained in the logs includes the time that AWS WAF received the request from your AWS resource, detailed information about the request, and the action for the rule that each request matched.

To get started, you set up an Amazon Kinesis Data Firehose.

As part of that process, you choose a destination for storing your logs.

Next, you choose the web ACL that you want to enable logging for.

After you enable logging, AWS WAF delivers logs through the firehose to your storage destination.

Option B is incorrect since the ALB access logs only show that a request was blocked by WAF (a 403 response code); they do not provide information about which WAF rule matched.

Option D is incorrect since you do not necessarily need to add a CloudFront distribution to obtain the logging information.

For more information on Web Application Firewall logging, see the URL below.

https://docs.aws.amazon.com/waf/latest/developerguide/logging.html

To enable logging for a WAF web ACL, the following steps should be followed:

  1. Enable WAF Logging: To enable WAF logging, go to the AWS WAF console and select the web ACL that you want to enable logging for. Then choose the "Logging and metrics" tab and enable logging.

  2. Choose a log destination: Once you have enabled logging, you need to choose a log destination. There are two options available: an Amazon Kinesis Data Firehose delivery stream or an Amazon S3 bucket.

  3. Create Amazon Kinesis Data Firehose: If you choose Amazon Kinesis Data Firehose as your log destination, you need to create a Kinesis Data Firehose delivery stream that will receive the logs from WAF.

  4. Use ALB Access Logs: ALB access logs provide detailed information about the traffic that is analyzed by WAF. You can use these logs to get information about the traffic that is allowed or denied by WAF.

  5. Use CloudFront Distribution: If you want to use a CloudFront distribution behind the ELB, you can use the access logs from the CloudFront distribution to get detailed information about the traffic that is analyzed by WAF.

Therefore, the correct options to fulfill this requirement would be A and C: enable web ACL logging in the AWS WAF console and create an Amazon Kinesis Data Firehose delivery stream for the WAF logs. Option B is incorrect because ALB access logs do not provide information about WAF deny rules. Option D is also incorrect because a CloudFront distribution is not necessary to enable logging for a WAF web ACL.
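As an added illustration (not code from the original page or from AWS), the Python script below checks the one naming constraint the firehose step imposes (the delivery stream name must start with `aws-waf-logs-`) and then summarises a few WAF log records by action, terminating rule and client IP, which is exactly the rule-level detail an ALB access log's bare 403 does not carry. The three log records, the account ID, the web ACL ARN and the client IPs are all constructed sample data.

```python
import json
from collections import Counter
from datetime import datetime, timezone

# AWS WAF only accepts a Kinesis Data Firehose delivery stream as a log
# destination when its name carries this prefix.
WAF_FIREHOSE_PREFIX = "aws-waf-logs-"

# Constructed sample: three WAF log records as the firehose delivers them
# (one JSON object per line). Account ID, ARNs and IPs are placeholders.
SAMPLE_WAF_LOG = """\
{"timestamp":1700000000000,"formatVersion":1,"webaclId":"arn:aws:wafv2:us-east-1:111122223333:regional/webacl/example-acl/EXAMPLE-ID","terminatingRuleId":"AWS-AWSManagedRulesSQLiRuleSet","terminatingRuleType":"MANAGED_RULE_GROUP","action":"BLOCK","httpSourceName":"ALB","httpSourceId":"111122223333-app/example-alb/EXAMPLE","httpRequest":{"clientIp":"203.0.113.10","country":"US","uri":"/login","args":"id=1%27","httpMethod":"POST","requestId":"req-1"}}
{"timestamp":1700000001000,"formatVersion":1,"webaclId":"arn:aws:wafv2:us-east-1:111122223333:regional/webacl/example-acl/EXAMPLE-ID","terminatingRuleId":"Default_Action","terminatingRuleType":"REGULAR","action":"ALLOW","httpSourceName":"ALB","httpSourceId":"111122223333-app/example-alb/EXAMPLE","httpRequest":{"clientIp":"198.51.100.7","country":"DE","uri":"/","args":"","httpMethod":"GET","requestId":"req-2"}}
{"timestamp":1700000002000,"formatVersion":1,"webaclId":"arn:aws:wafv2:us-east-1:111122223333:regional/webacl/example-acl/EXAMPLE-ID","terminatingRuleId":"AWS-AWSManagedRulesSQLiRuleSet","terminatingRuleType":"MANAGED_RULE_GROUP","action":"BLOCK","httpSourceName":"ALB","httpSourceId":"111122223333-app/example-alb/EXAMPLE","httpRequest":{"clientIp":"203.0.113.10","country":"US","uri":"/search","args":"q=%27","httpMethod":"GET","requestId":"req-3"}}
"""


def valid_waf_firehose_name(name: str) -> bool:
    """True if the delivery stream name satisfies the AWS WAF prefix rule."""
    return name.startswith(WAF_FIREHOSE_PREFIX) and len(name) > len(WAF_FIREHOSE_PREFIX)


def parse_waf_records(text: str) -> list:
    """Parse newline-delimited WAF log JSON, skipping blank or malformed lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a torn record at a file boundary must not abort the analysis
    return records


def summarize_blocks(records: list) -> dict:
    """Count what ALB access logs cannot show: which WAF rule blocked which client."""
    actions = Counter(r.get("action") for r in records)
    blocked = [r for r in records if r.get("action") == "BLOCK"]
    by_rule = Counter(r.get("terminatingRuleId") for r in blocked)
    by_ip = Counter(r["httpRequest"]["clientIp"] for r in blocked)
    # "timestamp" is the epoch time in milliseconds at which WAF received the request
    first = min((r["timestamp"] for r in records), default=None)
    first_seen = (datetime.fromtimestamp(first / 1000, tz=timezone.utc).isoformat()
                  if first is not None else None)
    return {"actions": dict(actions), "blocked_by_rule": dict(by_rule),
            "blocked_by_ip": dict(by_ip), "first_seen": first_seen}


if __name__ == "__main__":
    print(json.dumps(summarize_blocks(parse_waf_records(SAMPLE_WAF_LOG)), indent=2))
```

Point the script at a file downloaded from the firehose's S3 destination to run it over real records; the field names used here are the documented WAF log fields.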