A Web Application Firewall (WAF) is critical for securing web applications against threats like SQL injection and cross-site scripting. However, managing WAF logging manually is cumbersome and error-prone. Automating WAF logging ensures consistent monitoring and remediation, improving security posture while reducing operational overhead.
This guide will explore how to automate WAF logging using AWS Config Rules and SSM Automation. Let’s examine the key steps involved.
The Need for WAF Logging Automation and Objectives
Manually enabling and monitoring WAF logging is a labor-intensive process that increases the likelihood of human error. Automating WAF logging offers several benefits:
- Consistency: Ensures logging is always enabled across WAF resources.
- Compliance: Helps meet regulatory and organizational audit requirements.
- Quick Remediation: Detects and fixes logging misconfigurations in real time.
Objective: Set up an automated system to detect disabled WAF logging, trigger a remediation process, and enable logging using AWS Config and SSM Automation.
Step 1: Creating an IAM Role
You must create an IAM role with the appropriate permissions to allow AWS Config and SSM Automation to interact with WAF.
- Access the IAM Console:
  - Go to the IAM Management Console.
  - Click Roles > Create Role.
- Select Trusted Entity:
  - Choose AWS Service and select SSM and Config as trusted entities.
- Attach Policies:
  - Attach the following managed policies:
    - AWSWAFFullAccess
    - AmazonSSMFullAccess
    - AWSConfigRole
  - (Optional) Create a custom policy with restricted permissions for logging and remediation tasks.
- Role Creation:
  - Provide a name (e.g., WAFLoggingAutomationRole) and finalize the creation.
Step 2: Generating an SSM Automation Document
SSM Automation Documents (runbooks) define the steps needed to remediate issues. In this case, the document will enable WAF logging.
- Create an SSM Document:
  - Navigate to the SSM Documents Console.
  - Click Create Document > Automation Document.
- Define the Automation Script: Use the following JSON snippet as an example. Note that the wafv2 PutLoggingConfiguration API takes the WebACL's ARN (not its bare ID) as ResourceArn, and a CloudWatch log group used as a WAF log destination must have a name beginning with aws-waf-logs-:

```json
{
  "schemaVersion": "0.3",
  "description": "Enable WAF logging for a specified WebACL.",
  "assumeRole": "{{ AutomationAssumeRole }}",
  "parameters": {
    "AutomationAssumeRole": {
      "type": "String",
      "description": "The ARN of the IAM role created in Step 1 that the automation assumes."
    },
    "WebACLId": {
      "type": "String",
      "description": "The ARN of the WAFv2 WebACL to enable logging for (PutLoggingConfiguration expects the ARN, not the bare ID)."
    },
    "LogDestination": {
      "type": "String",
      "description": "The ARN of the log destination (e.g., a CloudWatch log group whose name starts with aws-waf-logs-)."
    }
  },
  "mainSteps": [
    {
      "action": "aws:executeAwsApi",
      "name": "EnableWAFLogging",
      "inputs": {
        "Service": "wafv2",
        "Api": "PutLoggingConfiguration",
        "LoggingConfiguration": {
          "ResourceArn": "{{ WebACLId }}",
          "LogDestinationConfigs": ["{{ LogDestination }}"]
        }
      }
    }
  ]
}
```

- Save the Document:
  - Name the document (e.g., EnableWAFLoggingAutomation).
  - Set document permissions for the IAM role created earlier.
Step 3: Creating a Config Rule
AWS Config continuously evaluates the state of your resources against desired configurations. Here’s how to create a rule to detect and fix disabled WAF logging.
- Access AWS Config Console:
  - Navigate to AWS Config.
- Create a Custom Config Rule:
  - Click Rules > Add Rule > Custom Rule.
- Define the Rule:
  - Name: WAFLoggingCheck
  - Trigger Type: Configuration changes.
  - Target Lambda Function: Create or select a Lambda function that evaluates whether WAF logging is enabled.
- Remediation Action:
  - Attach the SSM Automation document (EnableWAFLoggingAutomation) to the rule.
  - Configure the automation parameters to include the WebACL ID and log destination.
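The Lambda function behind the WAFLoggingCheck rule is the piece the steps above leave unspecified. The following is an added example (not code from the original guide) of the evaluation logic for a configuration-change-triggered custom rule: it reads the WebACL ARN from the configuration item, asks wafv2 for the ACL's logging configuration, treats a missing configuration (WAFNonexistentItemException) or an empty destination list as NON_COMPLIANT, and reports the result back to AWS Config. The sample event, the constructed ARN and account number, and the stub lookup are assumptions for offline use; boto3 is only imported inside the handler.

```python
"""Evaluation logic for the WAFLoggingCheck custom AWS Config rule (example, not the guide's code)."""
import json
from typing import Any, Callable, Dict

LookupFn = Callable[[str], Dict[str, Any]]  # arn -> wafv2 GetLoggingConfiguration response

# Constructed sample of the event AWS Config sends on a configuration change,
# trimmed to the fields this check uses (a real event carries more).
SAMPLE_EVENT = {
    "invokingEvent": json.dumps({
        "messageType": "ConfigurationItemChangeNotification",
        "configurationItem": {
            "resourceType": "AWS::WAFv2::WebACL",
            "resourceId": "EXAMPLE-WEBACL-ID",
            "ARN": "arn:aws:wafv2:us-east-1:123456789012:regional/webacl/example/EXAMPLE-WEBACL-ID",
            "configurationItemCaptureTime": "2024-01-01T00:00:00.000Z",
        },
    }),
    "resultToken": "constructed-result-token",
}

def logging_compliance(web_acl_arn: str, get_logging_configuration: LookupFn) -> str:
    """COMPLIANT only if the WebACL has a logging configuration with at least one destination."""
    try:
        response = get_logging_configuration(web_acl_arn)
    except LookupError:  # the handler maps WAFNonexistentItemException (no logging config) to this
        return "NON_COMPLIANT"
    destinations = response.get("LoggingConfiguration", {}).get("LogDestinationConfigs", [])
    return "COMPLIANT" if destinations else "NON_COMPLIANT"

def build_evaluation(event: Dict[str, Any], get_logging_configuration: LookupFn) -> Dict[str, Any]:
    """Turn a Config change event into the Evaluation entry expected by PutEvaluations."""
    item = json.loads(event["invokingEvent"])["configurationItem"]
    return {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": logging_compliance(item["ARN"], get_logging_configuration),
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }

def no_logging_configuration(web_acl_arn: str) -> Dict[str, Any]:
    """Constructed stand-in for a WebACL that has never had logging enabled."""
    raise LookupError(f"no logging configuration for {web_acl_arn}")

def lambda_handler(event: Dict[str, Any], context: Any) -> str:
    import boto3  # present in the Lambda runtime; imported here so the logic above runs offline
    wafv2, config = boto3.client("wafv2"), boto3.client("config")
    def lookup(arn: str) -> Dict[str, Any]:
        try:
            return wafv2.get_logging_configuration(ResourceArn=arn)
        except wafv2.exceptions.WAFNonexistentItemException as exc:
            raise LookupError(arn) from exc
    evaluation = build_evaluation(event, lookup)
    config.put_evaluations(Evaluations=[evaluation], ResultToken=event["resultToken"])
    return evaluation["ComplianceType"]
```

A NON_COMPLIANT result is what triggers the EnableWAFLoggingAutomation remediation attached to the rule; for CloudFront-scoped WebACLs the wafv2 calls must be made in us-east-1.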
Conclusion
By combining AWS Config Rules and SSM Automation, you can efficiently automate WAF logging, ensuring your web applications remain secure and compliant. This setup eliminates manual intervention, allowing your team to focus on other critical tasks.