AWSConfigRemediation-EnableWAFV2Logging - Amazon Systems Manager Automation runbook reference

AWSConfigRemediation-EnableWAFV2Logging

Description

The AWSConfigRemediation-EnableWAFV2Logging runbook enables logging for an Amazon WAF (Amazon WAFV2) web access control list (web ACL) with the specified Amazon Kinesis Data Firehose (Kinesis Data Firehose) delivery stream.


Document type

Automation

Owner

Amazon

Platforms

Linux, macOS, Windows

Parameters

  • AutomationAssumeRole

    Type: String

    Allowed values: ^arn:(?:aws|aws-us-gov|aws-cn):iam::\d{12}:role\/[\w+=,.@/-]+$

    Description: (Required) The Amazon Resource Name (ARN) of the Amazon Identity and Access Management (IAM) role that allows Systems Manager Automation to perform the actions on your behalf.

  • LogDestinationConfigs

    Type: String

    Description: (Required) The Kinesis Data Firehose delivery stream ARN that you want to associate with the web ACL.

    Note

    The Kinesis Data Firehose delivery stream ARN must begin with the prefix aws-waf-logs-. For example, aws-waf-logs-us-east-2-analytics. For more information, see Amazon Kinesis Data Firehose.

  • WebAclArn

    Type: String

    Description: (Required) ARN of the web ACL for which logging will be enabled.

Required IAM permissions

The AutomationAssumeRole parameter requires the following actions to successfully use the runbook.

  • ssm:StartAutomationExecution

  • ssm:GetAutomationExecution

  • firehose:DescribeDeliveryStream

  • wafv2:PutLoggingConfiguration

  • wafv2:GetLoggingConfiguration

Document Steps

  • aws:executeScript - Enables logging for the Amazon WAFV2 web ACL and verifies that the logging has the specified configuration.
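The following Python is an added example, not the runbook's own aws:executeScript content. It walks through the documented behaviour end to end: it checks AutomationAssumeRole against the allowed-values pattern given above, enforces the aws-waf-logs- prefix on the delivery stream name, confirms the stream with firehose:DescribeDeliveryStream, writes the web ACL logging configuration with wafv2:PutLoggingConfiguration, and then reads it back with wafv2:GetLoggingConfiguration to verify it. The FakeWafv2 and FakeFirehose classes are constructed stand-ins for the boto3 clients (same method names and response shapes for the calls used) so the flow runs with no AWS credentials; the ARNs, account ID and names are constructed sample values, and the Firehose ARN layout is an assumption from the general ARN format, since the page only fixes the stream-name prefix.

```python
"""Offline walk-through of the runbook's aws:executeScript step.

Added example, not the runbook's own script. FakeWafv2 and FakeFirehose
are constructed stand-ins for the boto3 'wafv2' and 'firehose' clients;
the ARNs below are constructed sample values.
"""
import re

# Allowed-values pattern for AutomationAssumeRole, copied from the page.
ROLE_ARN_RE = re.compile(
    r"^arn:(?:aws|aws-us-gov|aws-cn):iam::\d{12}:role\/[\w+=,.@/-]+$"
)
# Kinesis Data Firehose delivery stream ARN. The page only fixes the name
# prefix; the ARN layout here is an assumption from the general ARN format.
FIREHOSE_ARN_RE = re.compile(
    r"^arn:(?:aws|aws-us-gov|aws-cn):firehose:[a-z0-9-]+:\d{12}"
    r":deliverystream/(?P<name>[A-Za-z0-9_.-]{1,64})$"
)
REQUIRED_PREFIX = "aws-waf-logs-"  # prefix Amazon WAF requires for log streams

# Constructed sample values (fake account ID, fake names).
WEB_ACL_ARN = "arn:aws:wafv2:us-east-2:123456789012:regional/webacl/demo-acl/11111111-2222-3333-4444-555555555555"
GOOD_STREAM_ARN = "arn:aws:firehose:us-east-2:123456789012:deliverystream/aws-waf-logs-us-east-2-analytics"
BAD_STREAM_ARN = "arn:aws:firehose:us-east-2:123456789012:deliverystream/analytics-stream"


def validate_role_arn(arn: str) -> bool:
    """True if the value satisfies the runbook's AutomationAssumeRole pattern."""
    return ROLE_ARN_RE.match(arn) is not None


def delivery_stream_name(arn: str) -> str:
    """Extract the stream name from a Firehose ARN and enforce the required prefix."""
    m = FIREHOSE_ARN_RE.match(arn)
    if m is None:
        raise ValueError(f"not a Kinesis Data Firehose delivery stream ARN: {arn}")
    name = m.group("name")
    if not name.startswith(REQUIRED_PREFIX):
        raise ValueError(f"stream name must start with {REQUIRED_PREFIX!r}: {name}")
    return name


def enable_wafv2_logging(wafv2, firehose, web_acl_arn: str, destination_arn: str) -> dict:
    """Enable logging on the web ACL and verify the stored configuration.

    `wafv2` and `firehose` expose the boto3 method names used below: pass
    real boto3 clients in production, the fakes below for an offline run.
    """
    name = delivery_stream_name(destination_arn)
    # firehose:DescribeDeliveryStream - fail early if the stream is missing or unusable.
    desc = firehose.describe_delivery_stream(DeliveryStreamName=name)["DeliveryStreamDescription"]
    if desc["DeliveryStreamStatus"] != "ACTIVE":
        raise RuntimeError(f"delivery stream {name} is {desc['DeliveryStreamStatus']}, not ACTIVE")
    # wafv2:PutLoggingConfiguration - associate the stream with the web ACL.
    wafv2.put_logging_configuration(LoggingConfiguration={
        "ResourceArn": web_acl_arn,
        "LogDestinationConfigs": [destination_arn],
    })
    # wafv2:GetLoggingConfiguration - do not trust the write; read it back and compare.
    current = wafv2.get_logging_configuration(ResourceArn=web_acl_arn)["LoggingConfiguration"]
    if current.get("ResourceArn") != web_acl_arn or destination_arn not in current.get("LogDestinationConfigs", []):
        raise RuntimeError(f"logging configuration on {web_acl_arn} does not match the request")
    return current


class FakeFirehose:
    """Constructed stand-in for boto3's firehose client (only the call used here)."""
    def __init__(self, streams: dict):
        self.streams = streams  # stream name -> DeliveryStreamStatus

    def describe_delivery_stream(self, DeliveryStreamName: str) -> dict:
        if DeliveryStreamName not in self.streams:
            raise LookupError(f"ResourceNotFoundException: {DeliveryStreamName}")
        return {"DeliveryStreamDescription": {
            "DeliveryStreamName": DeliveryStreamName,
            "DeliveryStreamStatus": self.streams[DeliveryStreamName],
        }}


class FakeWafv2:
    """Constructed stand-in for boto3's wafv2 client (only the calls used here)."""
    def __init__(self):
        self.configs = {}  # web ACL ARN -> LoggingConfiguration

    def put_logging_configuration(self, LoggingConfiguration: dict) -> dict:
        self.configs[LoggingConfiguration["ResourceArn"]] = dict(LoggingConfiguration)
        return {"LoggingConfiguration": LoggingConfiguration}

    def get_logging_configuration(self, ResourceArn: str) -> dict:
        return {"LoggingConfiguration": self.configs[ResourceArn]}


def run_offline_demo() -> dict:
    """Run the step against the fakes; returns the verified configuration."""
    firehose = FakeFirehose({"aws-waf-logs-us-east-2-analytics": "ACTIVE"})
    return enable_wafv2_logging(FakeWafv2(), firehose, WEB_ACL_ARN, GOOD_STREAM_ARN)


if __name__ == "__main__":
    print(run_offline_demo())
```

The read-back after the write is the part worth keeping in any remediation of your own: a PutLoggingConfiguration call can succeed while a concurrent change, a propagation delay or a destination error leaves the web ACL without the destination you intended, so the step only reports success once GetLoggingConfiguration returns the requested stream ARN.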