Amazon Data Firehose - Amazon Network Firewall
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Amazon Data Firehose

To send logs to Amazon Data Firehose, you first need to set up a Firehose delivery stream. As part of that process, you choose a destination for storing your logs. After you enable logging for your firewall, Amazon Network Firewall delivers logs to the destination through the HTTPS endpoint of Amazon Data Firehose. One Amazon Network Firewall log corresponds to one Amazon Data Firehose record.

Configure an Amazon Data Firehose delivery stream for your firewall as follows.

  • Create it using the same account as you use to manage the firewall.

  • Create it in the same Region as the firewall.

  • Configure it for direct put, which allows applications to access the delivery stream directly. In the Amazon Data Firehose console, for the delivery stream Source setting, choose Direct PUT or other sources. Through the API, set the delivery stream property DeliveryStreamType to DirectPut.

For information about how to create an Amazon Data Firehose delivery stream and review the stored logs, see Creating an Amazon Data Firehose delivery stream and What is Amazon Data Firehose?

When you successfully enable logging to an Amazon Data Firehose delivery stream, Network Firewall creates a service-linked role with the necessary permissions to write logs to it. For more information, see Using service-linked roles.

Permissions to publish logs to Amazon Data Firehose

You must have the following permissions to configure your firewall to send logs to an Amazon Data Firehose delivery stream.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "FirewallLogging",
            "Effect": "Allow",
            "Action": [
                "logs:CreateLogDelivery",
                "logs:GetLogDelivery",
                "logs:UpdateLogDelivery",
                "logs:DeleteLogDelivery",
                "logs:ListLogDeliveries"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Sid": "FirewallLoggingSLR",
            "Effect": "Allow",
            "Action": [
                "iam:CreateServiceLinkedRole"
            ],
            "Resource": "*"
        },
        {
            "Sid": "FirewallLoggingFH",
            "Effect": "Allow",
            "Action": [
                "firehose:TagDeliveryStream"
            ],
            "Resource": "Amazon Data Firehose delivery stream ARN"
        }
    ]
}

Each Sid in a policy must be unique, so the second and third statements carry different Sids here. Replace the Resource of the FirewallLoggingFH statement with the ARN of your delivery stream so that the tagging permission is limited to that stream.
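The following is an added example, not code from the Amazon documentation or the Network Firewall service, that turns the delivery stream requirements above (same account, same Region, DirectPut) and the permissions policy into a preflight check you can run before enabling logging. It works on a DeliveryStreamDescription mapping with the keys the Firehose DescribeDeliveryStream API returns (DeliveryStreamARN, DeliveryStreamType, DeliveryStreamStatus) and on the IAM policy document as JSON. The ARNs, the function names and the ACTIVE status check are this example's own assumptions and go slightly beyond what the page states; resource matching is exact-match or "*" only.

```python
import json

# Actions the page's policy grants; Network Firewall needs all of them to
# set up Firehose log delivery (logs:* for the delivery, iam:* for the
# service-linked role, firehose:* for tagging the stream).
REQUIRED_ACTIONS = frozenset({
    "logs:CreateLogDelivery",
    "logs:GetLogDelivery",
    "logs:UpdateLogDelivery",
    "logs:DeleteLogDelivery",
    "logs:ListLogDeliveries",
    "iam:CreateServiceLinkedRole",
    "firehose:TagDeliveryStream",
})


def parse_arn(arn):
    """Split an ARN into its six fields; the resource keeps any embedded colons."""
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn":
        raise ValueError(f"not an ARN: {arn!r}")
    keys = ("prefix", "partition", "service", "region", "account", "resource")
    return dict(zip(keys, parts))


def _as_list(value):
    """IAM allows a string or a list for Action/Resource; normalise to a list."""
    return [value] if isinstance(value, str) else list(value)


def check_delivery_stream(firewall_arn, stream_description):
    """Check a DeliveryStreamDescription against the page's requirements.

    Returns a list of problems; an empty list means the stream is usable.
    """
    problems = []
    fw = parse_arn(firewall_arn)
    ds = parse_arn(stream_description["DeliveryStreamARN"])
    if ds["service"] != "firehose":
        problems.append("ARN is not a Firehose delivery stream")
    if ds["account"] != fw["account"]:
        problems.append("delivery stream is not in the firewall's account")
    if ds["region"] != fw["region"]:
        problems.append("delivery stream is not in the firewall's Region")
    if stream_description.get("DeliveryStreamType") != "DirectPut":
        problems.append("DeliveryStreamType must be DirectPut")
    if stream_description.get("DeliveryStreamStatus") != "ACTIVE":
        problems.append("delivery stream is not ACTIVE")
    return problems


def check_logging_policy(policy, stream_arn):
    """Check that an IAM policy (JSON string or dict) grants what logging needs.

    Flags duplicate Sids (IAM rejects them) and any required action that is
    not allowed; firehose:TagDeliveryStream only counts if its Resource is
    "*" or exactly the stream ARN. Returns a list of problems.
    """
    doc = json.loads(policy) if isinstance(policy, str) else policy
    statements = doc["Statement"]
    if isinstance(statements, dict):  # IAM also accepts a single statement
        statements = [statements]
    problems = []

    sids = [s["Sid"] for s in statements if "Sid" in s]
    duplicates = sorted({s for s in sids if sids.count(s) > 1})
    if duplicates:
        problems.append(f"duplicate Sid values (IAM rejects these): {duplicates}")

    granted = set()
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        resources = _as_list(stmt.get("Resource", []))
        for action in _as_list(stmt.get("Action", [])):
            if action == "firehose:TagDeliveryStream" and not (
                "*" in resources or stream_arn in resources
            ):
                continue  # allowed, but not for this stream
            granted.add(action)

    for action in sorted(REQUIRED_ACTIONS - granted):
        problems.append(f"missing Allow for {action}")
    return problems


# Constructed sample inputs for this example; not real resources.
FIREWALL_ARN = "arn:aws-cn:network-firewall:cn-north-1:123456789012:firewall/example-fw"
STREAM_ARN = "arn:aws-cn:firehose:cn-north-1:123456789012:deliverystream/example-fw-logs"
SAMPLE_STREAM = {
    "DeliveryStreamARN": STREAM_ARN,
    "DeliveryStreamType": "DirectPut",
    "DeliveryStreamStatus": "ACTIVE",
}
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "FirewallLogging", "Effect": "Allow", "Resource": ["*"],
         "Action": ["logs:CreateLogDelivery", "logs:GetLogDelivery",
                    "logs:UpdateLogDelivery", "logs:DeleteLogDelivery",
                    "logs:ListLogDeliveries"]},
        {"Sid": "FirewallLoggingSLR", "Effect": "Allow", "Resource": "*",
         "Action": ["iam:CreateServiceLinkedRole"]},
        {"Sid": "FirewallLoggingFH", "Effect": "Allow", "Resource": STREAM_ARN,
         "Action": ["firehose:TagDeliveryStream"]},
    ],
})

if __name__ == "__main__":
    print("stream problems:", check_delivery_stream(FIREWALL_ARN, SAMPLE_STREAM))
    print("policy problems:", check_logging_policy(SAMPLE_POLICY, STREAM_ARN))
```

In practice you would feed check_delivery_stream the DeliveryStreamDescription returned by DescribeDeliveryStream and check_logging_policy the policy document attached to the identity that will call UpdateLoggingConfiguration; an empty list from both is what you want before enabling logging.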