wafv2-rulegroup-logging-enabled - Amazon Config
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).


Checks if Amazon CloudWatch security metrics collection on Amazon WAFv2 rule groups is enabled. The rule is NON_COMPLIANT if the 'VisibilityConfig.CloudWatchMetricsEnabled' field is set to false.

Context: Amazon WAFV2 (Web Application Firewall version 2) allows you to create Amazon WAF rules to protect your web applications from common web exploits and vulnerabilities. An Amazon WAF rule group is a collection of Amazon WAF rules that you can associate with a web ACL (Access Control List) to define the desired behavior for your web application traffic. For more information, see Amazon WAF rules and Rule groups in the Amazon WAF Developer Guide.

By configuring CloudWatch security metrics collection on Amazon WAFV2 rules group, you can monitor security metrics such as successful or failed Distributed denial of service (DDoS), SQL injection, and Cross-site scripting (XSS) attacks. The security metrics collected can help you simplify your investigations.


If there are no Amazon WAF rules in the Amazon WAFV2 rule group for the Amazon Config managed rule to check, the Amazon Config managed rule returns NON_APPLICABLE.


Resource Types: AWS::WAFv2::RuleGroup

Trigger type: Configuration changes

Amazon Web Services Region: All supported Amazon regions except Amazon GovCloud (US-East), Amazon GovCloud (US-West), Israel (Tel Aviv) Region



Amazon CloudFormation template

To create Amazon Config managed rules with Amazon CloudFormation templates, see Creating Amazon Config Managed Rules With Amazon CloudFormation Templates.