AWSConfigRemediation-EnableWAFClassicLogging
Description
The AWSConfigRemediation-EnableWAFClassicLogging runbook enables logging to Amazon Data Firehose (Firehose) for the Amazon WAF web access control list (web ACL) you specify.
Document type
Automation
Owner
Amazon
Platforms
Linux, macOS, Windows
Parameters
- AutomationAssumeRole
  Type: String
  Description: (Required) The Amazon Resource Name (ARN) of the Amazon Identity and Access Management (IAM) role that allows Systems Manager Automation to perform the actions on your behalf.
- DeliveryStreamName
  Type: String
  Description: (Required) The name of the Firehose delivery stream that you want to send logs to.
- WebACLId
  Type: String
  Description: (Required) The ID of the Amazon WAF web ACL that you want to enable logging on.
Required IAM permissions
The AutomationAssumeRole parameter requires the following actions to use the runbook successfully.
- ssm:StartAutomationExecution
- ssm:GetAutomationExecution
- iam:CreateServiceLinkedRole
- waf:GetLoggingConfiguration
- waf:GetWebAcl
- waf:PutLoggingConfiguration
Document Steps
- aws:executeAwsApi - Confirms the delivery stream you specify in the DeliveryStreamName parameter exists.
- aws:executeAwsApi - Gathers the ARN of the Amazon WAF web ACL specified in the WebACLId parameter.
- aws:executeAwsApi - Enables logging for the web ACL.
- aws:assertAwsResourceProperty - Verifies logging has been enabled on the Amazon WAF web ACL.
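The four steps above, written out as direct WAF Classic and Firehose API calls. This is an added example in Python with boto3, not the runbook's own implementation; it assumes boto3 is installed and credentials are configured, and the clients are injected so the step logic can be exercised against stand-in objects.

```python
"""Added example (not the runbook's own code): the four runbook steps as
direct WAF Classic / Firehose API calls. Assumes boto3 is installed and
credentials are configured; clients are injected so the logic can be run
against stand-in objects."""

# WAF Classic only accepts Firehose streams whose names start with this prefix.
FIREHOSE_NAME_PREFIX = "aws-waf-logs-"


def resolve_delivery_stream_arn(firehose, delivery_stream_name):
    """Step 1: confirm the delivery stream exists and return its ARN."""
    if not delivery_stream_name.startswith(FIREHOSE_NAME_PREFIX):
        raise ValueError(f"stream name must start with {FIREHOSE_NAME_PREFIX!r}")
    resp = firehose.describe_delivery_stream(DeliveryStreamName=delivery_stream_name)
    return resp["DeliveryStreamDescription"]["DeliveryStreamARN"]


def resolve_web_acl_arn(waf, web_acl_id):
    """Step 2: look up the web ACL by ID and return its ARN."""
    return waf.get_web_acl(WebACLId=web_acl_id)["WebACL"]["WebACLArn"]


def enable_logging(waf, web_acl_arn, stream_arn):
    """Step 3: set the Firehose stream as the web ACL's log destination."""
    waf.put_logging_configuration(
        LoggingConfiguration={"ResourceArn": web_acl_arn,
                              "LogDestinationConfigs": [stream_arn]})


def logging_is_enabled(waf, web_acl_arn, stream_arn):
    """Step 4: read back the configuration and check it targets the stream.
    GetLoggingConfiguration raises WAFNonexistentItemException if logging
    was never enabled, so a clean True here means the remediation took."""
    cfg = waf.get_logging_configuration(ResourceArn=web_acl_arn)
    return stream_arn in cfg["LoggingConfiguration"]["LogDestinationConfigs"]


def remediate(waf, firehose, web_acl_id, delivery_stream_name):
    """Run steps 1-4 in order; returns the verification result."""
    stream_arn = resolve_delivery_stream_arn(firehose, delivery_stream_name)
    web_acl_arn = resolve_web_acl_arn(waf, web_acl_id)
    enable_logging(waf, web_acl_arn, stream_arn)
    return logging_is_enabled(waf, web_acl_arn, stream_arn)


if __name__ == "__main__":
    import sys
    import boto3  # "waf" is the global WAF Classic API; regional web ACLs use "waf-regional".
    acl_id, stream = sys.argv[1], sys.argv[2]
    ok = remediate(boto3.client("waf"), boto3.client("firehose"), acl_id, stream)
    print("logging enabled" if ok else "verification failed")
```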