Monitoring and visibility - Guidelines for Implementing AWS WAF

Monitoring and visibility

It is important for operating your WAF implementation to have good visibility of what is being blocked by your web ACL. This visibility is useful for threat intelligence, hardening rules, troubleshooting false positives, and responding to an incident. There are multiple monitoring options available with AWS WAF.

Monitoring bot traffic with AWS Bot Control dashboard

AWS WAF Bot Control provides a dashboard to view all bot-related details in a single view. This includes information about the number of bot and non-bot requests, bot categorization, and whether the bot traffic was allowed or blocked. This dashboard also provides the ability to query bot activity.

Figure: Bot Control dashboard (screen capture)

Monitoring using Amazon CloudWatch

You can set up a dashboard for AWS WAF to display information about the activity of rules in your web ACL. For each rule, CloudWatch emits near-real-time metrics such as AllowedRequests, BlockedRequests, and PassedRequests, which are recorded for a period of two weeks. The following image is an example of what you can easily set up with CloudWatch to display real-time and historical information about how your web ACL is protecting your application. You can set up alarms on CloudWatch metrics to receive notifications when a certain WAF rule is abnormally triggered based on predefined thresholds.

Figure: Security dashboard using CloudWatch (screenshot)

However, CloudWatch doesn’t provide you with information about the processed requests themselves. If you need more details about inspected requests, you have two options:

  • View a sample of the WAF log in the WAF console – For each sampled request, you can view detailed data about the request, such as the originating IP address and the headers included in the request. With this approach, you can quickly debug false positives in a staging environment. Sampling works by randomly fetching 5,000 requests that the web ACL has processed over the time period that you chose (up to the previous three hours).

  • Enable and process AWS WAF logs for full and detailed information – This approach is more suitable for deeper troubleshooting in a production environment. For each request, AWS WAF logs provide raw HTTP(S) headers along with information on which rules were triggered. AWS WAF logs provide the exact patterns that initiated SQLi and XSS rules in the terminatingRuleMatchDetails field. AWS WAF logs are ingested using Amazon Data Firehose and can be delivered in JSON format to multiple destinations, including Amazon Simple Storage Service (Amazon S3). AWS recommends this approach for all production workloads for the best visibility and troubleshooting.

It’s common to build custom dashboards based on AWS WAF logs to provide a near-real-time global view of your application security, and to dive deep into request details when needed. With AWS WAF logs, you can build your own dashboard using AWS or third-party services. If you are already using third-party monitoring services such as Splunk, Datadog, or Sumo Logic, you can export WAF logs to these services. For example, Sumo Logic has a template to create a dashboard for examining WAF logs.
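The following is an added example (not code from this guide or from AWS) of the kind of processing a custom dashboard or alerting job does over the JSON WAF log records described above: it tallies actions and terminating rules and pulls the SQLi/XSS evidence out of terminatingRuleMatchDetails. The log records are constructed samples that follow the AWS WAF log field names; the IPs, rule names and matched tokens are made up.

```python
import json
from collections import Counter

# Constructed sample records in the AWS WAF log layout (one JSON object per line,
# as delivered by Amazon Data Firehose). All values are made up for illustration.
SAMPLE_LOG_LINES = [
    json.dumps({"timestamp": 1700000000000, "formatVersion": 1, "action": "BLOCK",
                "terminatingRuleId": "AWS-AWSManagedRulesSQLiRuleSet",
                "terminatingRuleType": "MANAGED_RULE_GROUP",
                "terminatingRuleMatchDetails": [{"conditionType": "SQL_INJECTION",
                                                 "location": "QUERY_STRING",
                                                 "matchedData": ["union", "select"]}],
                "httpRequest": {"clientIp": "198.51.100.7", "country": "US", "uri": "/search",
                                "args": "q=union%20select", "httpMethod": "GET",
                                "requestId": "req-1"}}),
    json.dumps({"timestamp": 1700000001000, "formatVersion": 1, "action": "ALLOW",
                "terminatingRuleId": "Default_Action", "terminatingRuleType": "REGULAR",
                "terminatingRuleMatchDetails": [],
                "httpRequest": {"clientIp": "203.0.113.5", "country": "DE", "uri": "/",
                                "args": "", "httpMethod": "GET", "requestId": "req-2"}}),
    json.dumps({"timestamp": 1700000002000, "formatVersion": 1, "action": "BLOCK",
                "terminatingRuleId": "AWS-AWSManagedRulesCommonRuleSet",
                "terminatingRuleType": "MANAGED_RULE_GROUP",
                "terminatingRuleMatchDetails": [{"conditionType": "XSS", "location": "BODY",
                                                 "matchedData": ["<script>"]}],
                "httpRequest": {"clientIp": "198.51.100.7", "country": "US", "uri": "/comment",
                                "args": "", "httpMethod": "POST", "requestId": "req-3"}}),
]


def summarize_waf_log(lines):
    """Return counts per action and per terminating rule, plus one finding per
    SQLi/XSS match: client IP, URI, rule, where it matched and the matched tokens."""
    actions, rules, findings = Counter(), Counter(), []
    for line in lines:
        rec = json.loads(line)
        actions[rec["action"]] += 1
        rules[rec["terminatingRuleId"]] += 1
        req = rec["httpRequest"]
        # terminatingRuleMatchDetails is empty unless an SQLi/XSS rule terminated.
        for md in rec.get("terminatingRuleMatchDetails") or []:
            findings.append({"clientIp": req["clientIp"], "uri": req["uri"],
                             "rule": rec["terminatingRuleId"], "type": md["conditionType"],
                             "location": md["location"],
                             "matched": " ".join(md["matchedData"])})
    return {"actions": dict(actions), "rules": dict(rules), "findings": findings}


if __name__ == "__main__":
    print(json.dumps(summarize_waf_log(SAMPLE_LOG_LINES), indent=2))
```

The same loop runs unchanged over a file read from the S3 delivery bucket, one record per line, which is what a false-positive review of a production rule starts from.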