Amazon Kinesis Data Firehose - AWS Network Firewall

Amazon Kinesis Data Firehose

To send logs to Amazon Kinesis Data Firehose, you first need to set up a Firehose delivery stream. As part of that process, you choose a destination for storing your logs. After you enable logging for your firewall, AWS Network Firewall delivers logs to the destination through the HTTPS endpoint of Amazon Kinesis Data Firehose. One AWS Network Firewall log corresponds to one Amazon Kinesis Data Firehose record.

Configure an Amazon Kinesis Data Firehose delivery stream for your firewall as follows.

  • Create it using the same account as you use to manage the firewall.

  • Create it in the same Region as the firewall.

  • Configure it for direct put, which allows applications to access the delivery stream directly. In the Amazon Kinesis Data Firehose console, for the delivery stream Source setting, choose Direct PUT or other sources. Through the API, set the delivery stream property DeliveryStreamType to DirectPut.

For information about how to create an Amazon Kinesis Data Firehose delivery stream and review the stored logs, see Creating an Amazon Kinesis Data Firehose delivery stream and What is Amazon Kinesis Data Firehose?

When you successfully enable logging to an Amazon Kinesis Data Firehose delivery stream, Network Firewall creates a service-linked role with the permissions it needs to write logs to that stream. For more information about service-linked roles, see Using service-linked roles for Network Firewall.
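The three requirements above (same account, same Region, Direct PUT) are easy to get wrong when the delivery stream already exists, and the failure only surfaces when you try to enable logging. The following is an added example, not code from the AWS documentation: a preflight check that compares the firewall ARN against the delivery stream description returned by Firehose, followed by the boto3 calls that enable logging. The ARNs, stream names and account IDs are constructed placeholders; the choice of ALERT and FLOW log types, and the `deliveryStream` key in the UpdateLoggingConfiguration request, are taken from the Network Firewall API rather than from this page.

```python
"""Preflight check and enablement of Network Firewall logging to Firehose.

Added example (not from the AWS documentation page). Placeholder ARNs,
account IDs and stream names are constructed for illustration.
"""
import re
from typing import Any

# Minimal ARN parser: arn:partition:service:region:account-id:resource
ARN_RE = re.compile(
    r"^arn:(?P<partition>aws[\w-]*):(?P<service>[^:]+):(?P<region>[^:]*)"
    r":(?P<account>\d{12}):(?P<resource>.+)$"
)

# Constructed placeholders, not real resources.
FIREWALL_ARN = "arn:aws:network-firewall:us-east-1:123456789012:firewall/example-fw"
GOOD_STREAM = {  # shape of DescribeDeliveryStream's DeliveryStreamDescription
    "DeliveryStreamName": "nfw-logs",
    "DeliveryStreamARN": "arn:aws:firehose:us-east-1:123456789012:deliverystream/nfw-logs",
    "DeliveryStreamStatus": "ACTIVE",
    "DeliveryStreamType": "DirectPut",
}
BAD_STREAM = {  # wrong account, wrong Region, and not Direct PUT
    "DeliveryStreamName": "nfw-logs-wrong",
    "DeliveryStreamARN": "arn:aws:firehose:eu-west-1:210987654321:deliverystream/nfw-logs-wrong",
    "DeliveryStreamStatus": "ACTIVE",
    "DeliveryStreamType": "KinesisStreamAsSource",
}


def parse_arn(arn: str) -> dict[str, str]:
    m = ARN_RE.match(arn)
    if not m:
        raise ValueError(f"not an ARN: {arn!r}")
    return m.groupdict()


def preflight(firewall_arn: str, stream: dict[str, Any]) -> list[str]:
    """Return the list of reasons the stream cannot receive this firewall's logs.

    An empty list means all three documented requirements are satisfied and
    the stream is active.
    """
    fw = parse_arn(firewall_arn)
    ds = parse_arn(stream["DeliveryStreamARN"])
    problems: list[str] = []
    if fw["service"] != "network-firewall" or not fw["resource"].startswith("firewall/"):
        problems.append(f"{firewall_arn} is not a Network Firewall firewall ARN")
    if ds["service"] != "firehose":
        problems.append(f"{stream['DeliveryStreamARN']} is not a Firehose ARN")
    if ds["account"] != fw["account"]:
        problems.append(f"account mismatch: stream {ds['account']} vs firewall {fw['account']}")
    if ds["region"] != fw["region"]:
        problems.append(f"region mismatch: stream {ds['region']} vs firewall {fw['region']}")
    if stream.get("DeliveryStreamType") != "DirectPut":
        problems.append(f"source must be DirectPut, got {stream.get('DeliveryStreamType')!r}")
    if stream.get("DeliveryStreamStatus") != "ACTIVE":
        problems.append(f"stream status is {stream.get('DeliveryStreamStatus')!r}, not ACTIVE")
    return problems


def logging_configuration(stream_name: str, log_types=("ALERT", "FLOW")) -> dict[str, Any]:
    """Build the LoggingConfiguration argument for UpdateLoggingConfiguration.

    Network Firewall identifies a Firehose destination by stream name under
    the `deliveryStream` key, not by ARN.
    """
    return {
        "LogDestinationConfigs": [
            {
                "LogType": log_type,
                "LogDestinationType": "KinesisDataFirehose",
                "LogDestination": {"deliveryStream": stream_name},
            }
            for log_type in log_types
        ]
    }


def enable_firehose_logging(firewall_arn: str, stream_name: str, log_types=("ALERT", "FLOW")):
    """Describe the stream, run the preflight, then enable logging (needs AWS credentials)."""
    import boto3  # imported here so the pure checks above run without the SDK installed

    region = parse_arn(firewall_arn)["region"]
    firehose = boto3.client("firehose", region_name=region)
    desc = firehose.describe_delivery_stream(DeliveryStreamName=stream_name)
    problems = preflight(firewall_arn, desc["DeliveryStreamDescription"])
    if problems:
        raise RuntimeError("delivery stream rejected: " + "; ".join(problems))
    nfw = boto3.client("network-firewall", region_name=region)
    return nfw.update_logging_configuration(
        FirewallArn=firewall_arn,
        LoggingConfiguration=logging_configuration(stream_name, log_types),
    )


if __name__ == "__main__":
    print("good stream:", preflight(FIREWALL_ARN, GOOD_STREAM) or "OK")
    print("bad stream:", preflight(FIREWALL_ARN, BAD_STREAM))
```

Run the preflight against a `describe_delivery_stream` response before touching the firewall; doing the comparison on ARNs rather than on whatever Region your CLI profile happens to default to is what catches the cross-Region case.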

Permissions to publish logs to Amazon Kinesis Data Firehose

You must have the following permissions to configure your firewall to send logs to an Amazon Kinesis Data Firehose delivery stream. Replace the placeholder in the last statement with the ARN of your delivery stream. Statement IDs (Sid) must be unique within a policy, so the service-linked-role statement is given its own Sid here.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "FirewallLogging",
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogDelivery",
        "logs:GetLogDelivery",
        "logs:UpdateLogDelivery",
        "logs:DeleteLogDelivery",
        "logs:ListLogDeliveries"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Sid": "FirewallLoggingSLR",
      "Effect": "Allow",
      "Action": [
        "iam:CreateServiceLinkedRole"
      ],
      "Resource": "*"
    },
    {
      "Sid": "FirewallLoggingFH",
      "Effect": "Allow",
      "Action": [
        "firehose:TagDeliveryStream"
      ],
      "Resource": "Amazon Kinesis Data Firehose delivery stream ARN"
    }
  ]
}

The iam:CreateServiceLinkedRole grant on "*" lets the principal create service-linked roles for any service. If that is broader than you want, add a Condition to that statement with StringEquals on iam:AWSServiceName set to network-firewall.amazonaws.com so that it covers only the Network Firewall service-linked role.