How to view AWS WAF event logs?
AWS WAF is a web application firewall that lets you monitor the HTTP and HTTPS requests that are forwarded to Amazon CloudFront or an Application Load Balancer.
AWS WAF also lets you control access to your content.
Based on conditions that you specify, such as the IP addresses that requests originate from or the values of query strings, CloudFront or an Application Load Balancer responds to requests either with the requested content or with an HTTP 403 status code (Forbidden).
WAF can take one of the three actions below:
- Allow
- Block
- Count
Now the challenge is how to analyse which requests AWS WAF allowed and which it blocked.
Normally AWS WAF does not create any event log that can be stored in S3 or elsewhere, the way ELB access logs are. So it is very
difficult, we can say there is no way, to analyse the logs for security purposes.
At most you can look back 3 hours, in the AWS WAF console itself, by choosing the sampled requests of each rule separately.
Also, when a rule contains multiple filters and a request gets blocked, it is very difficult to identify which filter
matched and caused the block.
CloudTrail can only track API calls made to AWS WAF, not the requests handled by WAF.
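The per-rule sampled-requests view described above can also be pulled programmatically, which makes it easier to see which rule blocked what. The block below is an added example, not code from the original post; it uses the WAF classic get_sampled_requests call via boto3, and the web ACL id, rule ids and the sample response are placeholders I constructed.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Placeholder ids; replace with the ids of your own web ACL and its rules.
WEB_ACL_ID = "WEB-ACL-ID-PLACEHOLDER"
RULE_IDS = {"RULE-ID-PLACEHOLDER-1": "sqli-rule", "RULE-ID-PLACEHOLDER-2": "ip-blacklist"}


def fetch_sampled_requests(web_acl_id, rule_id, hours=3, max_items=500):
    """Pull up to max_items sampled requests for one rule over the last `hours`.

    WAF classic only keeps samples for the previous three hours, which is
    exactly the window the console shows.
    """
    import boto3  # imported here so tally() below runs without AWS access
    # "waf" is the CloudFront-scoped client; use "waf-regional" for an ALB web ACL.
    client = boto3.client("waf")
    end = datetime.now(timezone.utc)
    resp = client.get_sampled_requests(
        WebAclId=web_acl_id,
        RuleId=rule_id,
        TimeWindow={"StartTime": end - timedelta(hours=hours), "EndTime": end},
        MaxItems=max_items,
    )
    return resp["SampledRequests"]


def tally(samples_by_rule):
    """Count (rule, action) pairs and the client IPs behind BLOCK decisions.

    samples_by_rule maps a rule name to the SampledRequests list returned by
    get_sampled_requests; each item carries Action and Request.ClientIP.
    """
    by_rule_action = Counter()
    blocked_ips = Counter()
    for rule, samples in samples_by_rule.items():
        for s in samples:
            by_rule_action[(rule, s["Action"])] += 1
            if s["Action"] == "BLOCK":
                blocked_ips[s["Request"]["ClientIP"]] += 1
    return by_rule_action, blocked_ips


# Constructed sample shaped like the API response, so the tally runs offline.
SAMPLE = {
    "sqli-rule": [
        {"Action": "BLOCK", "Request": {"ClientIP": "198.51.100.7", "URI": "/login"}},
        {"Action": "BLOCK", "Request": {"ClientIP": "198.51.100.7", "URI": "/search"}},
        {"Action": "ALLOW", "Request": {"ClientIP": "203.0.113.9", "URI": "/"}},
    ],
    "ip-blacklist": [{"Action": "BLOCK", "Request": {"ClientIP": "192.0.2.44", "URI": "/"}}],
}

if __name__ == "__main__":
    live = {name: fetch_sampled_requests(WEB_ACL_ID, rid) for rid, name in RULE_IDS.items()}
    for (rule, action), n in sorted(tally(live)[0].items()):
        print(f"{rule:15} {action:6} {n}")
```

Running it with real ids prints one line per rule and action; because samples are only a weighted subset of traffic, treat the counts as indicative rather than exact.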
Apart from that, AWS WAF is a good product to use with other AWS services like ELB rather than a third-party product.
There is no performance issue when using WAF with ELB.
Hopefully Amazon will come up with a solution soon!