wafv2-rulegroup-logging-enabled
Checks if Amazon CloudWatch security metrics collection on Amazon WAFv2 rule groups is enabled. The rule is NON_COMPLIANT if the 'VisibilityConfig.CloudWatchMetricsEnabled' field is set to false.
Context: Amazon WAFV2 (Web Application Firewall version 2) allows you to create Amazon WAF rules to protect your web applications from common web exploits and vulnerabilities. An Amazon WAF rule group is a collection of Amazon WAF rules that you can associate with a web ACL (Access Control List) to define the desired behavior for your web application traffic. For more information, see Amazon WAF rules and Rule groups in the Amazon WAF Developer Guide.
By configuring CloudWatch security metrics collection on Amazon WAFV2 rules group, you can monitor security metrics such as successful or failed Distributed denial of service (DDoS), SQL injection, and Cross-site scripting (XSS) attacks. The security metrics collected can help you simplify your investigations.
Note
If there are no Amazon WAF rules in the Amazon WAFV2 rule group for the Amazon Config managed rule to check, the Amazon Config managed rule returns NON_APPLICABLE.
Identifier: WAFV2_RULEGROUP_LOGGING_ENABLED
Resource Types: AWS::WAFv2::RuleGroup
Trigger type: Configuration changes
Amazon Web Services Region: All supported Amazon regions except US ISO West, US ISO East, Asia Pacific (Malaysia), US ISOB East, Amazon GovCloud (US-East), Amazon GovCloud (US-West), Canada West (Calgary) Region
Parameters:
- None
Amazon CloudFormation template
To create Amazon Config managed rules with Amazon CloudFormation templates, see Creating Amazon Config Managed Rules With Amazon CloudFormation Templates.