AWSConfigRemediation-EnableWAFV2Logging - Amazon Systems Manager Automation runbook reference
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).



The AWSConfigRemediation-EnableWAFV2Logging runbook enables logging for an Amazon WAF (Amazon WAFV2) web access control list (web ACL) with the specified Amazon Data Firehose (Firehose) delivery stream.

Run this Automation (console)

Document type





Linux, macOS, Windows


  • AutomationAssumeRole

    Type: String

    Description: (Required) The Amazon Resource Name (ARN) of the Amazon Identity and Access Management (IAM) role that allows Systems Manager Automation to perform the actions on your behalf.

  • LogDestinationConfigs

    Type: String

    Description: (Required) The Firehose delivery stream ARN that you want to associate with the web ACL.


    The Firehose delivery stream ARN must begin with the prefix aws-waf-logs- . For example, aws-waf-logs-us-east-2-analytics . For more information, see Amazon Data Firehose .

  • WebAclArn

    Type: String

    Description: (Required) ARN of the web ACL for which logging will be enabled.

Required IAM permissions

The AutomationAssumeRole parameter requires the following actions to use the runbook successfully.

  • ssm:StartAutomationExecution

  • ssm:GetAutomationExecution

  • firehose:DescribeDeliveryStream

  • wafv2:PutLoggingConfiguration

  • wafv2:GetLoggingConfiguration

Document Steps

  • aws:executeScript - Enables logging for the Amazon WAFV2 web ACL and verifies that the logging has the specified configuration.