AWS WAF V2 Web ACL Logging Configuration

This page shows how to write the AWS WAF V2 Web ACL Logging Configuration in Terraform and CloudFormation, and how to configure it securely.

aws_wafv2_web_acl_logging_configuration (Terraform)

The Web ACL Logging Configuration in AWS WAF V2 can be configured in Terraform with the resource name aws_wafv2_web_acl_logging_configuration. The following sections describe 5 examples of how to use the resource and its parameters.

Example Usage from GitHub

waf.tf#L640
resource "aws_wafv2_web_acl_logging_configuration" "firehose_waf_logs" {
  log_destination_configs = [aws_kinesis_firehose_delivery_stream.firehose_waf_logs.arn]
  resource_arn            = aws_wafv2_web_acl.key_submission.arn
  # The Authorization header value is replaced with REDACTED in every log record.
  redacted_fields {
    single_header {
      name = "authorization"
    }
  }
}
waf.tf#L714
resource "aws_wafv2_web_acl_logging_configuration" "firehose_waf_logs" {
  log_destination_configs = [aws_kinesis_firehose_delivery_stream.firehose_waf_logs.arn]
  resource_arn            = aws_wafv2_web_acl.key_submission.arn
  redacted_fields {
    single_header {
      name = "authorization"
    }
  }
}
main.tf#L8
resource "aws_wafv2_web_acl_logging_configuration" "default" {
  # Created only when the module is enabled and at least one destination is given.
  count = module.this.enabled && length(var.log_destination_configs) > 0 ? 1 : 0

  log_destination_configs = var.log_destination_configs
  # The web ACL is itself a counted resource, so its ARN is taken from the splat list.
  resource_arn            = join("", aws_wafv2_web_acl.default.*.arn)
}

wafv2cloudfront.tf#L60
resource "aws_wafv2_web_acl_logging_configuration" "WafV2WebAclCloudfrontLogging" {
    log_destination_configs = [aws_kinesis_firehose_delivery_stream.KinesisFirehoseDeliveryStream.arn]
    resource_arn = aws_wafv2_web_acl.WafV2CloudfrontWebAcl.arn
}
wafv2regional.tf#L60
resource "aws_wafv2_web_acl_logging_configuration" "WafV2WebAclRegionalLogging" {
    log_destination_configs = [aws_kinesis_firehose_delivery_stream.KinesisFirehoseDeliveryStream.arn]
    resource_arn = aws_wafv2_web_acl.WafV2RegionalWebAcl.arn
}

Parameters

log_destination_configs (required): AWS Kinesis Firehose Delivery Stream ARNs. The delivery stream name must start with aws-waf-logs-, or WAF rejects the association.

resource_arn (required): AWS WebACL ARN of the web ACL whose traffic is logged.

redacted_fields (optional): Request parts (for example single_header) whose values are replaced with REDACTED in the log records, as the examples above do for the authorization header. Header names are matched in lowercase.

logging_filter (optional): Keep or drop conditions (action_condition, label_name_condition) with a default_behavior, so that only a subset of requests is delivered to the destination.

Explanation in Terraform Registry

Creates a WAFv2 Web ACL Logging Configuration resource. -> Note: To start logging from a WAFv2 Web ACL, an Amazon Kinesis Data Firehose (e.g., the aws_kinesis_firehose_delivery_stream resource) must also be created with a PUT source (not a stream) and in the region that you are operating. If you are capturing logs for Amazon CloudFront, always create the firehose in US East (N. Virginia). Be sure to give the data firehose a name that starts with the prefix aws-waf-logs-.

Since late 2021 WAF also accepts an Amazon CloudWatch Logs log group or an Amazon S3 bucket directly as the log destination, with the same aws-waf-logs- name prefix requirement; the CloudFormation example below uses a log group. Whichever destination is chosen, treat it as sensitive: WAF log records contain client IPs, request URIs and header values, so the destination should be private and encrypted, and credential-bearing headers should be redacted.
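The following is a complete, deployable layout of the prerequisites the note describes, written as an added example for this page rather than taken from the Terraform Registry or from the repositories cited above. It wires a Direct PUT Firehose stream (named with the aws-waf-logs- prefix) to a private S3 bucket through a role scoped to that bucket only, attaches it to a regional web ACL, redacts the credential-bearing headers, and keeps only blocked requests. The resource names ("api", "waf_logs"), the bucket name and the region are assumptions.

```hcl
# Added example, not the page's or any cited repository's code.
# Resource names, the bucket name and the region are assumptions.
provider "aws" {
  region = "eu-west-1" # a scope = "CLOUDFRONT" ACL needs us-east-1 here instead
}

# Log store. WAF logs carry client IPs, URIs and headers: keep it private.
# Buckets created since 2023 are SSE-S3 encrypted by default; the public
# access block is declared explicitly so the intent is in code.
resource "aws_s3_bucket" "waf_logs" {
  bucket = "example-waf-logs-bucket" # assumed; bucket names are globally unique
}

resource "aws_s3_bucket_public_access_block" "waf_logs" {
  bucket                  = aws_s3_bucket.waf_logs.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

# Role Firehose assumes to write the bucket, and nothing beyond this bucket.
resource "aws_iam_role" "firehose_waf_logs" {
  name = "firehose-waf-logs"
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Action    = "sts:AssumeRole"
      Principal = { Service = "firehose.amazonaws.com" }
    }]
  })
}

resource "aws_iam_role_policy" "firehose_s3" {
  role = aws_iam_role.firehose_waf_logs.id
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect   = "Allow"
      Action   = ["s3:AbortMultipartUpload", "s3:GetBucketLocation", "s3:GetObject",
                  "s3:ListBucket", "s3:ListBucketMultipartUploads", "s3:PutObject"]
      Resource = [aws_s3_bucket.waf_logs.arn, "${aws_s3_bucket.waf_logs.arn}/*"]
    }]
  })
}

# Direct PUT stream (no kinesis_source_configuration block). WAF only accepts
# a stream whose name starts with "aws-waf-logs-", in the ACL's own region.
resource "aws_kinesis_firehose_delivery_stream" "waf_logs" {
  name        = "aws-waf-logs-api"
  destination = "extended_s3"
  extended_s3_configuration {
    role_arn   = aws_iam_role.firehose_waf_logs.arn
    bucket_arn = aws_s3_bucket.waf_logs.arn
  }
}

resource "aws_wafv2_web_acl" "api" {
  name  = "api"
  scope = "REGIONAL"
  default_action {
    allow {}
  }
  visibility_config {
    cloudwatch_metrics_enabled = true
    metric_name                = "api"
    sampled_requests_enabled   = true
  }
}

resource "aws_wafv2_web_acl_logging_configuration" "api" {
  log_destination_configs = [aws_kinesis_firehose_delivery_stream.waf_logs.arn]
  resource_arn            = aws_wafv2_web_acl.api.arn

  # Replace credential-bearing header values with REDACTED before delivery,
  # so the log bucket never becomes a bearer-token and session-cookie dump.
  redacted_fields {
    single_header {
      name = "authorization" # header names must be lowercase here
    }
  }
  redacted_fields {
    single_header {
      name = "cookie"
    }
  }

  # Deliver only requests WAF blocked; everything else is dropped at the source.
  logging_filter {
    default_behavior = "DROP"
    filter {
      behavior    = "KEEP"
      requirement = "MEETS_ANY"
      condition {
        action_condition {
          action = "BLOCK"
        }
      }
    }
  }
}
```

For a CloudFront ACL, set scope = "CLOUDFRONT" and point the provider (or a provider alias used by every resource above) at us-east-1, since WAF expects both the ACL and its destination there. The filter keeps only BLOCK records, which is cheap but leaves allowed traffic invisible during an investigation; while tuning rules in COUNT mode, add a second condition with action = "COUNT" so counted matches are delivered as well. After apply, aws wafv2 get-logging-configuration --resource-arn <web ACL ARN> shows whether the redaction and filter took effect.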

AWS::WAFv2::LoggingConfiguration (CloudFormation)

The LoggingConfiguration in WAFv2 can be configured in CloudFormation with the resource name AWS::WAFv2::LoggingConfiguration. The following sections describe 2 examples of how to use the resource and its parameters.

Example Usage from GitHub

waf.yml#L64
    Type: AWS::WAFv2::LoggingConfiguration
    Properties:
      ResourceArn: !GetAtt WebACL.Arn
      LogDestinationConfigs:
        - !Sub arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:aws-waf-logs-${ProjectName}

create.json#L4
      "Type": "AWS::WAFv2::LoggingConfiguration",
      "Properties": {
        "ResourceArn": "arn:aws:wafv2:ap-southeast-1:663901866008:regional/webacl/test-webacl-v2/bf0b1418-418e-4c38-891e-7fa303355908",
        "LogDestinationConfigs": [
          "arn:aws:firehose:ap-southeast-1:663901866008:deliverystream/aws-waf-logs-firehose-2"
        ]
      }

Parameters

ResourceArn (required): ARN of the web ACL to log for.

LogDestinationConfigs (required): ARNs of the logging destinations (a Kinesis Data Firehose delivery stream, as in the JSON example, or a CloudWatch Logs log group, as in the YAML example); the destination name must start with aws-waf-logs-.

RedactedFields (optional): Request parts whose values are replaced with REDACTED in the logs; the CloudFormation counterpart of Terraform's redacted_fields.

LoggingFilter (optional): Keep or drop filters with a default behavior, so only a subset of the log records is delivered; the counterpart of Terraform's logging_filter.

Explanation in CloudFormation Registry

Defines an association between Amazon Kinesis Data Firehose destinations and a web ACL resource, for logging from AWS WAF. As part of the association, you can specify parts of the standard logging fields to keep out of the logs and you can specify filters so that you log only a subset of the logging records.

Frequently asked questions

What is AWS WAF V2 Web ACL Logging Configuration?

AWS WAF V2 Web ACL Logging Configuration is a resource for WAF V2 of Amazon Web Services. Settings can be written in Terraform and CloudFormation.

Where can I find the example code for the AWS WAF V2 Web ACL Logging Configuration?

For Terraform, the indeni/cloudrail-knowledge, cds-snc/covid-alert-server-staging-terraform and prodapt-cloud/TerraformRepo source code examples are useful. See the Terraform Example section for further details.

For CloudFormation, the antklim/serverless-form and aws-cloudformation/aws-cloudformation-resource-providers-wafv2 source code examples are useful. See the CloudFormation Example section for further details.