AWS Certified SysOps Administrator - Associate | WAF ACL Configuration and Monitoring

Check WAF ACL Traffic | Blocked, Allowed, and Counted Requests

Question

The team is configuring a WAF ACL to filter the ingress traffic for a new Application Load Balancer.

The team needs to check which requests were blocked, allowed, or counted and whether the requests matched the WAF ACL rule properly.

Which of the following options is suitable?

Answers

A. In the CloudWatch metrics, view the request details for the WAF ACL.
B. In the AWS WAF console, enable request sampling for the WAF ACL and view the detailed data of the sample requests.
C. Enable VPC flow logs, create a log filter for the WAF ACL, and view the request details.
D. Enable WAF logs and save the logs in an S3 bucket. Use Athena to analyze the details for the WAF ACL rule.

Explanations

Correct Answer: B.

Option A is incorrect because there are no request details in the WAF CloudWatch metrics.

Option B is CORRECT because, for each sampled request, users can get the request details and determine whether the rule works as expected.

Option C is incorrect because VPC flow logs will not contain the request details filtered by the WAF ACL rule.

Option D is incorrect because WAF logs can only be forwarded to a Kinesis Data Firehose instead of an S3 bucket.

There is no need to use Athena as well.

References:

https://docs.aws.amazon.com/waf/latest/developerguide/web-acl-testing.html#web-acl-testing-view-sample
https://aws.amazon.com/waf/faqs/

The correct answer for the given scenario is option D - Enable WAF logs and save the logs in an S3 bucket. Use Athena to analyze the details for the WAF ACL rule.

Explanation: AWS WAF (Web Application Firewall) is a service that helps protect web applications from common web exploits and gives you control over which traffic to allow or block. When you use AWS WAF with an Application Load Balancer, you define web access control lists (web ACLs) that can be associated with the load balancer's listener. A web ACL is a collection of rules that AWS WAF uses to inspect web requests; the rules define the conditions for allowing or blocking requests based on IP addresses, HTTP headers, and more.

To check which requests were blocked, allowed, or counted, and whether the requests matched the WAF ACL rule properly, you need to enable WAF logs and save the logs in an S3 bucket. AWS WAF logs contain detailed information about every web request inspected by AWS WAF: the request itself, the rule that matched it, and the action AWS WAF took.

Once the WAF logs are enabled, you can use Amazon Athena, an interactive query service, to analyze the logs and view the details for the WAF ACL rule. Athena allows you to run SQL queries on the log data and provides options to filter, group, and aggregate the data to get the desired results.
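As an added illustration (not part of the exam material or any AWS sample), the following Python reads newline-delimited WAF log records of the kind that land in S3 via Firehose and answers exactly the two questions in the scenario: how many requests ended ALLOW, BLOCK, or were COUNTed, and which request IDs each rule matched. The records are constructed for this example; the field names (`action`, `terminatingRuleId`, `nonTerminatingMatchingRules`, `httpRequest.requestId`) follow the WAF log schema, and the rule names are made up.

```python
import json
from collections import Counter, defaultdict

# Constructed newline-delimited WAF log records. Field names follow the AWS WAF
# log schema; the values (IPs, rule names, request IDs) are invented for this example.
SAMPLE_WAF_LOG = """
{"timestamp":1700000000000,"action":"BLOCK","terminatingRuleId":"BlockBadUserAgents","terminatingRuleType":"REGULAR","nonTerminatingMatchingRules":[],"httpRequest":{"clientIp":"203.0.113.10","uri":"/login","httpMethod":"POST","requestId":"req-1"}}
{"timestamp":1700000001000,"action":"ALLOW","terminatingRuleId":"Default_Action","terminatingRuleType":"REGULAR","nonTerminatingMatchingRules":[{"ruleId":"CountSqli","action":"COUNT"}],"httpRequest":{"clientIp":"198.51.100.7","uri":"/search","httpMethod":"GET","requestId":"req-2"}}
{"timestamp":1700000002000,"action":"ALLOW","terminatingRuleId":"Default_Action","terminatingRuleType":"REGULAR","nonTerminatingMatchingRules":[],"httpRequest":{"clientIp":"198.51.100.8","uri":"/","httpMethod":"GET","requestId":"req-3"}}
{"timestamp":1700000003000,"action":"BLOCK","terminatingRuleId":"RateLimitLogin","terminatingRuleType":"RATE_BASED","nonTerminatingMatchingRules":[{"ruleId":"CountSqli","action":"COUNT"}],"httpRequest":{"clientIp":"203.0.113.10","uri":"/login","httpMethod":"POST","requestId":"req-4"}}
"""


def parse_waf_log(text):
    """Parse newline-delimited JSON WAF log records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def summarize_actions(records):
    """Count requests by final action, plus requests that hit a COUNT-mode rule.

    COUNT is never the final action of a request: a counted request still ends
    as ALLOW or BLOCK, and the COUNT match is recorded only under
    nonTerminatingMatchingRules, so "counted" needs its own check.
    """
    summary = Counter()
    for rec in records:
        summary[rec["action"]] += 1
        non_term = rec.get("nonTerminatingMatchingRules", [])
        if any(r.get("action") == "COUNT" for r in non_term):
            summary["COUNTED"] += 1
    return dict(summary)


def matches_by_rule(records):
    """Map each rule id to the (requestId, action) pairs it matched.

    A rule shows up either as the terminating rule (its action decided the
    request) or as a non-terminating match (typically COUNT); both are kept so
    you can confirm a rule really fires on the requests you expect.
    """
    hits = defaultdict(list)
    for rec in records:
        req_id = rec["httpRequest"]["requestId"]
        hits[rec["terminatingRuleId"]].append((req_id, rec["action"]))
        for r in rec.get("nonTerminatingMatchingRules", []):
            hits[r["ruleId"]].append((req_id, r["action"]))
    return dict(hits)


if __name__ == "__main__":
    recs = parse_waf_log(SAMPLE_WAF_LOG)
    print(summarize_actions(recs))
    for rule, matched in matches_by_rule(recs).items():
        print(rule, matched)
```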

Option A (In the CloudWatch metrics, view the request details for the WAF ACL) is not the correct option because CloudWatch metrics provide aggregated data for a specific metric, such as the number of requests that matched a particular rule or the number of requests that were allowed or blocked; they do not provide detailed information about individual requests.

Option B (In the AWS WAF console, enable request sampling for the WAF ACL and view the detailed data of the sample requests) is also not the correct option because request sampling only provides a subset of the total requests and may not give a comprehensive view of the WAF ACL rule.

Option C (Enable VPC flow logs, create a log filter for the WAF ACL, and view the request details) is not the correct option because VPC flow logs capture information about the IP traffic going to and from network interfaces in a VPC, including AWS WAF; they do not provide the detailed request information required to analyze the WAF ACL rule.