AWS::NetworkFirewall::LoggingConfiguration
Use the logging configuration to define the destinations and logging options for a firewall.
You must change the logging configuration by changing one LogDestinationConfig setting at a time in your LogDestinationConfigs. 
You can make only one of the following changes to your logging configuration resource:
- Create a new log destination object by adding a single LogDestinationConfig array element to LogDestinationConfigs.
- Delete a log destination object by removing a single LogDestinationConfig array element from LogDestinationConfigs.
- Change the LogDestination setting in a single LogDestinationConfig array element.
You can't change the LogDestinationType or LogType in a LogDestinationConfig. To change these settings, delete the existing LogDestinationConfig object and create a new one, in two separate modifications.
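Because only one change is accepted per update, a template edit that touches several LogDestinationConfig elements has to be split into a sequence of deploys. The following Python sketch is an added example, not code from the AWS documentation: it diffs two LogDestinationConfigs lists and returns the intermediate list for each deploy. The function names are hypothetical, and it assumes an element is identified by its (LogType, LogDestinationType) pair.

```python
# Assumption for this example: an element is identified by its
# (LogType, LogDestinationType) pair, unique within one list.
def index_configs(configs):
    """Map (LogType, LogDestinationType) -> LogDestination."""
    idx = {}
    for c in configs:
        key = (c["LogType"], c["LogDestinationType"])
        if key in idx:
            raise ValueError(f"duplicate element for {key}")
        idx[key] = c["LogDestination"]
    return idx

def diff_configs(old, new):
    """Single-element changes that turn old into new, deletes first."""
    o, n = index_configs(old), index_configs(new)
    changes = [("delete", k) for k in o if k not in n]
    changes += [("change_destination", k) for k in o if k in n and o[k] != n[k]]
    changes += [("create", k) for k in n if k not in o]
    return changes

def plan_updates(old, new):
    """Return one (action, key, LogDestinationConfigs) tuple per deploy."""
    current, target, steps = index_configs(old), index_configs(new), []
    for action, key in diff_configs(old, new):
        if action == "delete":
            del current[key]
        else:
            current[key] = target[key]
        steps.append((action, key, [
            {"LogType": lt, "LogDestinationType": dt, "LogDestination": dest}
            for (lt, dt), dest in current.items()]))
    return steps

# Constructed sample input: OLD mirrors the page's first example; NEW moves
# ALERT logs to S3 (a LogDestinationType change) and renames the stream.
OLD = [
    {"LogType": "ALERT", "LogDestinationType": "CloudWatchLogs",
     "LogDestination": {"logGroup": "SampleLogGroup"}},
    {"LogType": "FLOW", "LogDestinationType": "KinesisDataFirehose",
     "LogDestination": {"deliveryStream": "SampleStream"}},
]
NEW = [
    {"LogType": "ALERT", "LogDestinationType": "S3",
     "LogDestination": {"bucketName": "sample-bucket-name"}},
    {"LogType": "FLOW", "LogDestinationType": "KinesisDataFirehose",
     "LogDestination": {"deliveryStream": "SampleStream2"}},
]

if __name__ == "__main__":
    print(*plan_updates(OLD, NEW), sep="\n")
```

In the sample plan, the intermediate deploys between the delete and the create carry no ALERT destination, so run those deploys back to back to keep the gap in alert logging short.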
Syntax
To declare this entity in your Amazon CloudFormation template, use the following syntax:
JSON
    {
      "Type" : "AWS::NetworkFirewall::LoggingConfiguration",
      "Properties" : {
        "EnableMonitoringDashboard" : Boolean,
        "FirewallArn" : String,
        "FirewallName" : String,
        "LoggingConfiguration" : LoggingConfiguration
      }
    }
YAML
    Type: AWS::NetworkFirewall::LoggingConfiguration
    Properties:
      EnableMonitoringDashboard: Boolean
      FirewallArn: String
      FirewallName: String
      LoggingConfiguration: LoggingConfiguration
Properties
- EnableMonitoringDashboard
  Property description not available.
  Required: No
  Type: Boolean
  Update requires: No interruption
- FirewallArn
  The Amazon Resource Name (ARN) of the firewall that the logging configuration is associated with. You can't change the firewall specification after you create the logging configuration.
  Required: Yes
  Type: String
  Pattern: ^arn:aws.*$
  Minimum: 1
  Maximum: 256
  Update requires: Replacement
- FirewallName
  The name of the firewall that the logging configuration is associated with. You can't change the firewall specification after you create the logging configuration.
  Required: No
  Type: String
  Pattern: ^[a-zA-Z0-9-]+$
  Minimum: 1
  Maximum: 128
  Update requires: Replacement
- LoggingConfiguration
  Defines how Amazon Network Firewall performs logging for a firewall.
  Required: Yes
  Type: LoggingConfiguration
  Update requires: No interruption
Return values
Ref
When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns the Amazon Resource Name (ARN) of the firewall that the logging configuration is associated with. For example: 
    { "Ref": "arn:aws:network-firewall:us-east-1:012345678901:firewall/myFirewallName" }
For more information about using the Ref function, see Ref.
Examples
Create a logging configuration for CloudWatch Logs and Kinesis Data Firehose
The following shows example logging configuration specifications for alert logs that go to an Amazon CloudWatch Logs log group and flow logs that go to an Amazon Kinesis Data Firehose delivery stream.
JSON
    "SampleLoggingConfiguration": {
      "Type": "AWS::NetworkFirewall::LoggingConfiguration",
      "Properties": {
        "FirewallArn": {
          "Ref": "SampleFirewallArn"
        },
        "LoggingConfiguration": {
          "LogDestinationConfigs": [
            {
              "LogType": "ALERT",
              "LogDestinationType": "CloudWatchLogs",
              "LogDestination": {
                "logGroup": "SampleLogGroup"
              }
            },
            {
              "LogType": "FLOW",
              "LogDestinationType": "KinesisDataFirehose",
              "LogDestination": {
                "deliveryStream": "SampleStream"
              }
            }
          ]
        }
      }
    }
YAML
    SampleLoggingConfiguration:
      Type: 'AWS::NetworkFirewall::LoggingConfiguration'
      Properties:
        FirewallArn: !Ref SampleFirewallArn
        LoggingConfiguration:
          LogDestinationConfigs:
            - LogType: ALERT
              LogDestinationType: CloudWatchLogs
              LogDestination:
                logGroup: SampleLogGroup
            - LogType: FLOW
              LogDestinationType: KinesisDataFirehose
              LogDestination:
                deliveryStream: SampleStream
Create a logging configuration for Amazon S3
The following shows example logging configuration specifications for flow logs that go to an Amazon S3 bucket.
JSON
    "SampleLoggingConfiguration": {
      "Type": "AWS::NetworkFirewall::LoggingConfiguration",
      "Properties": {
        "FirewallArn": {
          "Ref": "SampleFirewallArn"
        },
        "LoggingConfiguration": {
          "LogDestinationConfigs": [
            {
              "LogType": "FLOW",
              "LogDestinationType": "S3",
              "LogDestination": {
                "bucketName": "sample-bucket-name",
                "prefix": "sample/s3/prefix"
              }
            }
          ]
        }
      }
    }
YAML
    SampleLoggingConfiguration:
      Type: 'AWS::NetworkFirewall::LoggingConfiguration'
      Properties:
        FirewallArn: !Ref SampleFirewallArn
        LoggingConfiguration:
          LogDestinationConfigs:
            - LogType: FLOW
              LogDestinationType: S3
              LogDestination:
                bucketName: sample-bucket-name
                prefix: sample/s3/prefix