Amazon CloudWatch Logs - Amazon Network Firewall
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Amazon CloudWatch Logs

To send logs to Amazon CloudWatch Logs, you create a CloudWatch Logs log group. When you enable logging in Network Firewall, you provide the log group name. After you enable logging for your firewall, Amazon Network Firewall delivers logs to the CloudWatch Logs log group in log streams. Each log stream contains an hour of log records.

You can use any name for your CloudWatch Logs log group. Create the log group in the same Region as the firewall, using the same account that you use to manage the firewall.

For information about configuring a CloudWatch Logs log group, see Working with Log Groups and Log Streams.

Names of alert and flow logs

When you configure your Network Firewall firewall to send alert and flow logs to the log group, the resulting log streams have the following naming format:

/aws/network-firewall/log-type/firewall-name_YYYY-MM-DD-HH

In the specification, the log type is either alert or flow.

The following shows an example log stream created on October 1, 2020, at 5 pm for alert logging for firewall test-firewall.

/aws/network-firewall/alert/test-firewall_2020-10-01-17

Names of TLS logs

When you configure your Network Firewall firewall to send TLS logs to the log group, the resulting log streams have the following naming format:

/aws/network-firewall/tls/firewall-name

The following shows the log stream for TLS logging for the example firewall test-firewall.

/aws/network-firewall/tls/test-firewall
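The two naming formats above are easy to get slightly wrong when you need to locate the right stream during an investigation (for example, to pull alert logs for a specific hour). The following Python helpers, added here as an example and not part of the Network Firewall documentation or service, build and parse stream names using the formats on this page and enumerate the hourly alert or flow streams that cover a time window. The parser splits on the last underscore; this assumes firewall names never contain an underscore (the CreateFirewall API restricts names to letters, digits and hyphens, which this page does not state).

```python
from datetime import datetime, timedelta

# Log types that Network Firewall writes as one stream per hour (from the page);
# TLS logs use a single stream per firewall with no hour suffix.
HOURLY_LOG_TYPES = ("alert", "flow")
STREAM_PREFIX = "/aws/network-firewall"


def alert_flow_stream_name(firewall_name: str, log_type: str, when: datetime) -> str:
    """Name of the alert or flow log stream covering the hour that contains `when`."""
    if log_type not in HOURLY_LOG_TYPES:
        raise ValueError(f"log_type must be one of {HOURLY_LOG_TYPES}, got {log_type!r}")
    # Minutes and seconds are dropped: the suffix is YYYY-MM-DD-HH only.
    return f"{STREAM_PREFIX}/{log_type}/{firewall_name}_{when:%Y-%m-%d-%H}"


def tls_stream_name(firewall_name: str) -> str:
    """Name of the single TLS log stream for a firewall."""
    return f"{STREAM_PREFIX}/tls/{firewall_name}"


def parse_stream_name(stream_name: str) -> dict:
    """Split a Network Firewall log stream name into its parts.

    Returns a dict with log_type and firewall_name and, for alert/flow
    streams, hour (a datetime truncated to the hour). Raises ValueError
    for names that do not follow either documented format.
    """
    prefix = STREAM_PREFIX + "/"
    if not stream_name.startswith(prefix):
        raise ValueError(f"not a Network Firewall stream name: {stream_name!r}")
    log_type, _, rest = stream_name[len(prefix):].partition("/")
    if log_type == "tls":
        if not rest or "/" in rest:
            raise ValueError(f"malformed TLS stream name: {stream_name!r}")
        return {"log_type": "tls", "firewall_name": rest}
    if log_type in HOURLY_LOG_TYPES:
        # Assumption: firewall names contain no underscore, so the hour stamp
        # is everything after the last underscore.
        firewall_name, sep, stamp = rest.rpartition("_")
        if not sep or not firewall_name or "/" in firewall_name:
            raise ValueError(f"malformed {log_type} stream name: {stream_name!r}")
        hour = datetime.strptime(stamp, "%Y-%m-%d-%H")
        return {"log_type": log_type, "firewall_name": firewall_name, "hour": hour}
    raise ValueError(f"unknown log type {log_type!r} in {stream_name!r}")


def stream_names_for_window(firewall_name: str, log_type: str,
                            start: datetime, end: datetime) -> list:
    """Hourly stream names covering every hour between `start` and `end` inclusive."""
    current = start.replace(minute=0, second=0, microsecond=0)
    names = []
    while current <= end:
        names.append(alert_flow_stream_name(firewall_name, log_type, current))
        current += timedelta(hours=1)
    return names


if __name__ == "__main__":
    # Reproduces the page's example: 5 pm on October 1, 2020 for test-firewall.
    print(alert_flow_stream_name("test-firewall", "alert", datetime(2020, 10, 1, 17)))
    print(tls_stream_name("test-firewall"))
    for name in stream_names_for_window("test-firewall", "flow",
                                        datetime(2020, 10, 1, 16, 45),
                                        datetime(2020, 10, 1, 18, 5)):
        print(name)
```

`stream_names_for_window` is the piece that matters during incident response: given a window in firewall-local time, it yields exactly the streams to read, including the partial hours at each end.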

Permissions to publish logs to CloudWatch Logs

You must have the following permissions settings to configure your firewall to send logs to a CloudWatch Logs log group.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "FirewallLogging",
            "Effect": "Allow",
            "Action": [
                "logs:CreateLogDelivery",
                "logs:GetLogDelivery",
                "logs:UpdateLogDelivery",
                "logs:DeleteLogDelivery",
                "logs:ListLogDeliveries"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Sid": "FirewallLoggingCWL",
            "Effect": "Allow",
            "Action": [
                "logs:PutResourcePolicy",
                "logs:DescribeResourcePolicies",
                "logs:DescribeLogGroups"
            ],
            "Resource": [
                "CloudWatch Logs log group ARN"
            ]
        }
    ]
}
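A common failure when logging is enabled is that the principal's policy is missing one of the eight actions listed above, and the error surfaces only when logging is configured. The following Python check, added here as an example and not part of the Network Firewall documentation or any AWS tool, takes a parsed IAM policy document and reports which of the required actions it does not grant. It honours `*` and `?` wildcards in action names and explicit Deny statements, and is deliberately conservative: an Allow that carries a Condition or uses NotAction is not credited, because whether it applies cannot be decided offline. It does not evaluate Resource or Condition elements, so it is a structural pre-check, not a replacement for the IAM policy simulator. The sample policies in the block are constructed for the example; the first is the policy from this page with its ARN placeholder left as-is.

```python
import json
from fnmatch import fnmatchcase

# The actions this page lists as required, both statements combined.
REQUIRED_ACTIONS = frozenset({
    "logs:CreateLogDelivery",
    "logs:GetLogDelivery",
    "logs:UpdateLogDelivery",
    "logs:DeleteLogDelivery",
    "logs:ListLogDeliveries",
    "logs:PutResourcePolicy",
    "logs:DescribeResourcePolicies",
    "logs:DescribeLogGroups",
})


def _as_list(value):
    """IAM accepts either a string or a list for Action, NotAction and Resource."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def _statements(policy):
    """Statement may likewise be a single object or a list."""
    stmts = policy.get("Statement", [])
    return [stmts] if isinstance(stmts, dict) else list(stmts)


def _matching(patterns, candidates):
    """Candidates matched by any pattern; IAM action matching is case-insensitive
    and supports * and ? wildcards, which fnmatchcase implements."""
    return {a for a in candidates
            for p in _as_list(patterns) if fnmatchcase(a.lower(), p.lower())}


def allowed_actions(policy, candidates):
    """Subset of `candidates` the policy allows, evaluated structurally.

    Conservative rules: Allow statements with Condition or NotAction are not
    credited; Deny statements count even when conditional; a Deny with
    NotAction denies every candidate it does not list.
    """
    allowed, denied = set(), set()
    for stmt in _statements(policy):
        effect = stmt.get("Effect")
        if effect == "Allow":
            if "Condition" in stmt or "NotAction" in stmt:
                continue
            allowed |= _matching(stmt.get("Action"), candidates)
        elif effect == "Deny":
            if "NotAction" in stmt:
                denied |= set(candidates) - _matching(stmt["NotAction"], candidates)
            else:
                denied |= _matching(stmt.get("Action"), candidates)
    return allowed - denied


def missing_logging_actions(policy):
    """Sorted list of required logging actions the policy does not grant."""
    return sorted(REQUIRED_ACTIONS - allowed_actions(policy, REQUIRED_ACTIONS))


# The policy from this page, with its placeholder ARN unchanged.
PAGE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "FirewallLogging", "Effect": "Allow",
     "Action": ["logs:CreateLogDelivery", "logs:GetLogDelivery",
                "logs:UpdateLogDelivery", "logs:DeleteLogDelivery",
                "logs:ListLogDeliveries"],
     "Resource": ["*"]},
    {"Sid": "FirewallLoggingCWL", "Effect": "Allow",
     "Action": ["logs:PutResourcePolicy", "logs:DescribeResourcePolicies",
                "logs:DescribeLogGroups"],
     "Resource": ["CloudWatch Logs log group ARN"]}
  ]
}
""")

# Constructed sample: the second statement was left out, a typical gap.
INCOMPLETE_POLICY = {
    "Version": "2012-10-17",
    "Statement": {"Effect": "Allow", "Action": "logs:*LogDeliver*", "Resource": "*"},
}

# Constructed sample: a broad allow undone by an explicit deny elsewhere.
DENIED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "logs:*", "Resource": "*"},
        {"Effect": "Deny", "Action": ["logs:DeleteLogDelivery"], "Resource": "*"},
    ],
}

if __name__ == "__main__":
    for label, policy in [("page", PAGE_POLICY), ("incomplete", INCOMPLETE_POLICY),
                          ("denied", DENIED_POLICY)]:
        print(label, "missing:", missing_logging_actions(policy) or "none")
```

Run it against a policy pulled with `aws iam get-policy-version` (or an inline policy document) before enabling logging; an empty result means every listed action is present, not that Resource scoping is right, so still confirm the second statement's ARN points at the log group you intend to use.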