AWS WAF new feature: full log support

SC Lin
Sep 2, 2018

Before today, AWS WAF had two weak points, in my view:
1. Low visibility: it only provides sampled logs and CloudWatch rule hit counts, which are hard to export.
2. Rules: it only provides a small number of rules, which is not enough when you need robust protection (compared with enterprise WAF solutions such as Citrix NetScaler, F5 ASM, and Imperva).

WAF rule limit: 10 rules per web ACL, and only one web ACL can be attached to each CloudFront distribution or ALB, so the limit per website is 20 rules when using both CloudFront and ALB.

With the full log feature released, we get higher visibility than before and can now monitor the logs in a SIEM or other monitoring tools!!!
(BTW, the export method is Firehose for real-time delivery; maybe batching to S3 would have a high capacity/IO impact on the AWS edge or ALB instances(?))
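To show what the full logs add over rule hit counts, here is an added example (not code from the original post or from AWS) that breaks blocked requests down by rule, client IP and URI. The field names follow the AWS WAF log format; the records, rule names and ACL id are constructed, and the parser assumes a delivered blob may contain records with or without newlines between them.

```python
import json
from collections import Counter

def make_record(action, rule_id, client_ip, uri):
    """Build one constructed record using field names from the AWS WAF log format."""
    return json.dumps({
        "timestamp": 1535875200000,
        "webaclId": "example-webacl-id",  # placeholder, not a real web ACL
        "terminatingRuleId": rule_id,
        "action": action,
        "httpRequest": {"clientIp": client_ip, "uri": uri, "httpMethod": "GET"},
    })

# Constructed sample data (documentation IP ranges, made-up rule names).
# Records 2 and 3 are run together on purpose to exercise the parser.
SAMPLE = (
    make_record("BLOCK", "example-sqli-rule", "198.51.100.7", "/login") + "\n"
    + make_record("ALLOW", "Default_Action", "203.0.113.5", "/")
    + make_record("BLOCK", "example-sqli-rule", "198.51.100.7", "/login") + "\n"
    + make_record("BLOCK", "example-xss-rule", "203.0.113.9", "/search") + "\n"
)

def iter_records(blob):
    """Yield JSON objects from a blob, whether or not they are newline-separated."""
    decoder = json.JSONDecoder()
    pos = 0
    while pos < len(blob):
        if blob[pos].isspace():  # raw_decode does not skip leading whitespace
            pos += 1
            continue
        record, pos = decoder.raw_decode(blob, pos)
        yield record

def summarize_blocks(blob):
    """Count blocked requests per terminating rule and per (client IP, URI)."""
    by_rule, by_client = Counter(), Counter()
    for rec in iter_records(blob):
        if rec.get("action") != "BLOCK":
            continue
        req = rec.get("httpRequest", {})
        by_rule[rec.get("terminatingRuleId", "unknown")] += 1
        by_client[(req.get("clientIp", "unknown"), req.get("uri", ""))] += 1
    return by_rule, by_client

if __name__ == "__main__":
    rules, clients = summarize_blocks(SAMPLE)
    print("Blocks per rule:", rules.most_common())
    print("Blocks per client/URI:", clients.most_common())
```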

References:

[1] AWS news: https://aws.amazon.com/about-aws/whats-new/2018/08/aws-waf-launches-new-comprehensive-logging-functionality/?nc1=h_ls

[2] AWS WAF limit: https://docs.aws.amazon.com/waf/latest/developerguide/limits.html

[3] Setup AWS WAF full log: https://docs.aws.amazon.com/waf/latest/developerguide/logging.html
