Configuring logging for an Amazon Network Firewall policy
This section explains how to enable centralized logging for your Network Firewall policies to get detailed information about traffic within your organization. You can select flow logging to capture network traffic flow, or alert logging to report traffic that matches a rule with the rule action set to DROP or ALERT. For more information about Amazon Network Firewall logging, see Logging network traffic from Amazon Network Firewall in the Amazon Network Firewall Developer Guide.
You send logs from your policy's Network Firewall firewalls to an Amazon S3 bucket. After you enable logging, Amazon Network Firewall delivers logs for each configured firewall: the firewall's logging settings are updated to deliver logs to your selected Amazon S3 buckets with the reserved Amazon Firewall Manager prefix, <policy-name>-<policy-id>.
Note
This prefix is used by Firewall Manager to determine whether a logging configuration was added by Firewall Manager, or whether it was added by the account owner. If the account owner attempts to use the reserved prefix for their own custom logging, it is overwritten by the logging configuration in the Firewall Manager policy.
For more information about how to create an Amazon S3 bucket and review the stored logs, see What is Amazon S3? in the Amazon Simple Storage Service User Guide.
To enable logging, you must meet the following requirements:
- The Amazon S3 bucket that you specify in your Firewall Manager policy must exist.
- You must have the following permissions:
  logs:CreateLogDelivery
  s3:GetBucketPolicy
  s3:PutBucketPolicy
- If the Amazon S3 bucket that is your logging destination uses server-side encryption with keys that are stored in Amazon Key Management Service, you must add the following policy statement to your Amazon KMS customer-managed key to allow Firewall Manager to log to your CloudWatch Logs log group:
  {
    "Effect": "Allow",
    "Principal": { "Service": "delivery.logs.amazonaws.com" },
    "Action": [ "kms:Encrypt*", "kms:Decrypt*", "kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:Describe*" ],
    "Resource": "*"
  }
Note that only buckets in the Firewall Manager administrator account may be used for Amazon Network Firewall central logging.
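The following Python is an added example, not code from the Firewall Manager documentation. It checks whether an existing KMS key policy already grants the log delivery service principal the actions in the statement above, and returns a copy of the policy with that statement appended when coverage is missing. The probe action names are an assumed representative sample used to test the wildcards, and a statement carrying a Condition is conservatively treated as not granting access.

```python
import copy
import fnmatch

LOG_DELIVERY = "delivery.logs.amazonaws.com"
# The statement the page requires on the customer-managed key of the logging bucket.
REQUIRED_STATEMENT = {
    "Effect": "Allow",
    "Principal": {"Service": LOG_DELIVERY},
    "Action": ["kms:Encrypt*", "kms:Decrypt*", "kms:ReEncrypt*",
               "kms:GenerateDataKey*", "kms:Describe*"],
    "Resource": "*",
}
# Concrete actions used to probe coverage of the wildcards above (assumption: a sample).
PROBE_ACTIONS = ["kms:Encrypt", "kms:Decrypt", "kms:ReEncryptFrom", "kms:ReEncryptTo",
                 "kms:GenerateDataKey", "kms:GenerateDataKeyWithoutPlaintext",
                 "kms:DescribeKey"]


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _allows_log_delivery(stmt):
    """Unconditional Allow whose principal includes the log delivery service."""
    if stmt.get("Effect") != "Allow" or stmt.get("Condition"):
        return False  # conditioned grants are conservatively treated as absent
    principal = stmt.get("Principal")
    if principal == "*":
        return True
    services = principal.get("Service", []) if isinstance(principal, dict) else []
    return LOG_DELIVERY in _as_list(services)


def missing_actions(key_policy):
    """Probe actions that no log-delivery Allow statement in the policy matches."""
    patterns = [a.lower() for s in _as_list(key_policy.get("Statement", []))
                if _allows_log_delivery(s) for a in _as_list(s.get("Action", []))]
    return [a for a in PROBE_ACTIONS
            if not any(fnmatch.fnmatchcase(a.lower(), p) for p in patterns)]


def ensure_log_delivery_statement(key_policy):
    """Return a copy of the policy with REQUIRED_STATEMENT appended if coverage is missing."""
    fixed = copy.deepcopy(key_policy)
    if missing_actions(fixed):
        fixed["Statement"] = _as_list(fixed.get("Statement", [])) + [dict(REQUIRED_STATEMENT)]
    return fixed


# Constructed sample: a key policy that grants only the account root (no log delivery).
SAMPLE_KEY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
     "Action": "kms:*", "Resource": "*"}]}
```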
When you enable centralized logging on a Network Firewall policy, Firewall Manager takes these actions on your account:
- Firewall Manager updates the permissions on the selected S3 buckets to allow log delivery.
- Firewall Manager creates directories in the S3 bucket for each member account in the scope of the policy. The logs for each account can be found at <bucket-name>/<policy-name>-<policy-id>/AWSLogs/<account-id>.
To enable logging for a Network Firewall policy
- Create an Amazon S3 bucket using your Firewall Manager administrator account. For more information, see Creating a bucket in the Amazon Simple Storage Service User Guide.
- Sign in to the Amazon Web Services Management Console using your Firewall Manager administrator account, and then open the Firewall Manager console at https://console.aws.amazon.com/wafv2/fmsv2.
  Note
  For information about setting up a Firewall Manager administrator account, see Amazon Firewall Manager prerequisites.
- In the navigation pane, choose Security Policies.
- Choose the Network Firewall policy that you want to enable logging for. For more information about Amazon Network Firewall logging, see Logging network traffic from Amazon Network Firewall in the Amazon Network Firewall Developer Guide.
- On the Policy details tab, in the Policy rules section, choose Edit.
- To enable and aggregate logs, choose one or more options under Logging configuration:
  Enable and aggregate flow logs
  Enable and aggregate alert logs
- Choose the Amazon S3 bucket where you want your logs to be delivered. You must choose a bucket for each log type that you enable. You can use the same bucket for both log types.
- (Optional) If you want custom member account-created logging to be replaced with the policy's logging configuration, choose Override existing logging configuration.
- Choose Next.
- Review your settings, then choose Save to save your changes to the policy.
To disable logging for a Network Firewall policy
- Sign in to the Amazon Web Services Management Console using your Firewall Manager administrator account, and then open the Firewall Manager console at https://console.aws.amazon.com/wafv2/fmsv2.
  Note
  For information about setting up a Firewall Manager administrator account, see Amazon Firewall Manager prerequisites.
- In the navigation pane, choose Security Policies.
- Choose the Network Firewall policy that you want to disable logging for.
- On the Policy details tab, in the Policy rules section, choose Edit.
- Under Logging configuration status, deselect Enable and aggregate flow logs and Enable and aggregate alert logs if they are selected.
- Choose Next.
- Review your settings, then choose Save to save your changes to the policy.