AWS WAF

Datable integrates with AWS WAF (Web Application Firewall) to collect and analyze web application security logs, providing insights into blocked and allowed requests, attack patterns, and security rule effectiveness.

How it works

The AWS WAF integration collects logs from your WAF ACLs (Access Control Lists) via Kinesis Data Firehose or S3. These logs contain detailed information about web requests evaluated by your WAF rules.

Prerequisites

  • AWS WAF or AWS WAF v2 configured
  • WAF logging enabled
  • S3 bucket or Kinesis Data Firehose for log delivery
  • IAM permissions for accessing logs

Setup Instructions

Step 1: Enable WAF Logging

  1. Navigate to AWS WAF in the AWS Console
  2. Select your Web ACL
  3. Go to the Logging and metrics tab
  4. Click Enable logging
  5. Choose destination:
    • S3 bucket (recommended for batch processing)
    • Kinesis Data Firehose (for real-time streaming)

Step 2: Configure S3 Destination

  1. Create or select an S3 bucket for WAF logs
  2. Configure bucket with appropriate retention policies
  3. Enable server-side encryption if required
  4. Note the bucket name and path prefix

Step 3: Configure the Source in Datable

  1. Navigate to the Sources page in Datable
  2. Select AWS WAF from the available sources
  3. Provide the following configuration:
    • Source Name: A descriptive name
    • Log Source Type: S3 or Kinesis
    • S3 Bucket (if using S3): Bucket name
    • S3 Prefix (optional): Log file prefix
    • AWS Region: Region of your resources
    • Access Key ID and Secret Access Key (or Role ARN)
    • Authentication: Follow the instructions to set up an IAM user or role with the necessary permissions, or use existing credentials
  4. Click Save to create the source

Data Collected

AWS WAF logs contain comprehensive request information:

Request Details

  • Timestamp: When the request was received
  • URI: Requested resource path
  • HTTP Method: GET, POST, etc.
  • HTTP Version: HTTP/1.1, HTTP/2
  • Headers: All HTTP headers
  • Query String: URL parameters

Client Information

  • Client IP: Source IP address
  • Country: Geolocation of request
  • User Agent: Browser/client information
  • HTTP Host: Target hostname

WAF Evaluation

  • Action: ALLOW, BLOCK, or COUNT
  • Terminating Rule: Rule that stopped evaluation
  • Rule Group List: All evaluated rule groups
  • Rate Based Rule: Rate limiting information
  • Matched Rules: Rules that matched the request

Additional Metadata

  • Web ACL ID: Identifier of the WAF ACL
  • Request ID: Unique request identifier
  • Labels: Custom labels applied by rules

Configuration Options

Log Filtering

Configure filters to reduce log volume:

  • Sampling Rate: Log a percentage of requests
  • Field Redaction: Remove sensitive fields
  • Action Filter: Only log blocked or specific actions
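The record layout listed under Data Collected and the three filtering options above can be tried out on a sample file. The Python below is an added example written for this page, not Datable's own code: it parses newline-delimited WAF log records in the documented AWS layout, blanks the `Authorization` header (field redaction), keeps only the chosen actions (action filter) and applies deterministic sampling keyed on the request id (sampling rate), then summarises what is left. The records, ARN, IP addresses, rule names and labels are constructed, and the function names are the example's own.

```python
"""Parse, redact, filter and summarise AWS WAF log records (added example)."""
import hashlib
import json
from collections import Counter


def _record(request_id, action, rule, ip, country, labels=()):
    """One record in the AWS WAF log layout; every value here is constructed."""
    return {
        "timestamp": 1700000000000,
        "formatVersion": 1,
        "webaclId": "arn:aws:wafv2:us-east-1:123456789012:regional/webacl/example/EXAMPLE-ID",
        "terminatingRuleId": rule,
        "action": action,
        "httpSourceName": "ALB",
        "httpSourceId": "app/example-alb/EXAMPLE",
        "ruleGroupList": [],
        "rateBasedRuleList": [],
        "nonTerminatingMatchingRules": [],
        "httpRequest": {
            "clientIp": ip,
            "country": country,
            "headers": [
                {"name": "Host", "value": "app.example.com"},
                {"name": "Authorization", "value": "Bearer constructed-token"},
                {"name": "User-Agent", "value": "curl/8.0"},
            ],
            "uri": "/login",
            "args": "",
            "httpVersion": "HTTP/1.1",
            "httpMethod": "POST",
            "requestId": request_id,
        },
        "labels": [{"name": n} for n in labels],
    }


# Constructed sample file: three records plus one corrupt line, as S3 delivery might leave it.
SAMPLE_LOG = "\n".join([
    json.dumps(_record("req-0001", "BLOCK", "AWS-AWSManagedRulesSQLiRuleSet", "203.0.113.10", "US",
                       ("awswaf:managed:aws:sql-database:SQLi_Body",))),
    json.dumps(_record("req-0002", "BLOCK", "LoginRateLimit", "198.51.100.7", "DE")),
    json.dumps(_record("req-0003", "ALLOW", "Default_Action", "192.0.2.44", "BR")),
    "this line is not JSON",
])


def parse_waf_log(text):
    """Parse newline-delimited records; a corrupt line is skipped rather than aborting the file."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return records


def redact_headers(record, names=("authorization", "cookie")):
    """Field redaction: return a copy with the named header values replaced."""
    wanted = {n.lower() for n in names}
    out = json.loads(json.dumps(record))  # deep copy
    for header in out["httpRequest"]["headers"]:
        if header["name"].lower() in wanted:
            header["value"] = "REDACTED"
    return out


def keep_record(record, actions=("BLOCK", "COUNT"), sample_pct=100):
    """Action filter plus sampling. Hashing the request id instead of drawing a random
    number keeps the decision stable when the same file is processed twice."""
    if record["action"] not in actions:
        return False
    digest = hashlib.sha256(record["httpRequest"]["requestId"].encode()).hexdigest()
    return int(digest, 16) % 100 < sample_pct


def summarize(records):
    """Counts by action, terminating rule, client country and WAF label."""
    summary = {"action": Counter(), "rule": Counter(), "country": Counter(), "label": Counter()}
    for r in records:
        summary["action"][r["action"]] += 1
        summary["rule"][r["terminatingRuleId"]] += 1
        summary["country"][r["httpRequest"]["country"]] += 1
        for label in r.get("labels", []):
            summary["label"][label["name"]] += 1
    return summary


def process(text, actions=("BLOCK", "COUNT"), sample_pct=100):
    """Parse, filter, redact and summarise one log file; returns (kept records, summary)."""
    kept = [redact_headers(r) for r in parse_waf_log(text) if keep_record(r, actions, sample_pct)]
    return kept, summarize(kept)


if __name__ == "__main__":
    records, stats = process(SAMPLE_LOG)
    print(len(records), "records kept;", dict(stats["action"]), dict(stats["rule"]))
```

Redacting downstream, as this example does, still leaves the raw header value in the S3 object; where the secret must never be stored at all, configure the redaction on the Web ACL's logging settings so WAF drops it before delivery, and treat the downstream step as a second line of defence.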

Multiple Web ACLs

Monitor multiple Web ACLs by:

  • Configuring all to log to the same destination
  • Creating separate sources for each ACL
  • Using log prefixes to organize data

Regional vs Global

  • Regional WAF: For ALB, API Gateway, AppSync
  • CloudFront WAF: Global WAF for CloudFront distributions

Troubleshooting

No Logs Appearing

  • Verify WAF logging is enabled
  • Check S3 bucket permissions
  • Ensure logs are being generated (send test requests)
  • Verify IAM credentials have necessary permissions

Incomplete Log Data

  • Check if field redaction is enabled
  • Verify all rule groups have logging enabled
  • Review sampling rate configuration

High Log Volume

  • Implement sampling to reduce volume
  • Filter unnecessary log fields
  • Consider archiving older logs to Glacier

Permission Errors

  • Review IAM policy permissions
  • Check S3 bucket policy
  • Verify KMS permissions if encryption is used

Security Best Practices

Access Control

  • Use least privilege IAM policies
  • Enable MFA for sensitive operations
  • Rotate access keys regularly
  • Use IAM roles when possible

Data Protection

  • Encrypt logs at rest and in transit
  • Redact sensitive data fields
  • Implement log retention policies
  • Use VPC endpoints for private connectivity

Monitoring

  • Set up alerts for suspicious patterns
  • Monitor blocked request rates
  • Track changes to WAF rules
  • Review false positive rates

Cost Optimization

Storage Costs

  • Use S3 lifecycle policies
  • Compress logs when possible
  • Archive old logs to Glacier
  • Delete logs after retention period

Processing Costs

  • Implement log sampling
  • Filter unnecessary fields
  • Batch process logs efficiently
  • Use appropriate instance sizes

Use Cases

Security Analytics

  • Identify attack patterns
  • Track threat actors
  • Analyze blocked requests
  • Monitor security rule effectiveness

Compliance

  • Maintain audit trails
  • Demonstrate security controls
  • Meet regulatory requirements
  • Generate compliance reports

Performance Monitoring

  • Track request patterns
  • Identify geographic distribution
  • Monitor response times
  • Analyze traffic trends

Advanced Configuration

Custom Rules Integration

  • Integrate custom rule evaluations
  • Track business logic rules
  • Monitor application-specific patterns

Real-time Alerting

  • Configure alerts for critical blocks
  • Detect DDoS attempts
  • Monitor rate limiting triggers
  • Track geographic anomalies
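Three of the conditions listed under Monitoring and Real-time Alerting (blocked request rate per client, rate-limiting triggers, and geographic anomalies) reduce to simple checks over the log records. The Python below is an added example for this page, not Datable's alerting engine: the records are constructed in the AWS WAF log layout with only the fields the checks read, and the thresholds (five blocks in sixty seconds, twenty percent of traffic from outside the expected countries) are illustrative values, not product defaults.

```python
"""Alert checks over AWS WAF log records (added example, constructed data)."""
from collections import defaultdict


def _rec(ts_ms, action, ip, country, rate_rules=()):
    """Minimal record in the WAF log layout; rate_rules names the rate-based rules that fired."""
    return {
        "timestamp": ts_ms,
        "action": action,
        "httpRequest": {"clientIp": ip, "country": country, "requestId": f"req-{ts_ms}"},
        "rateBasedRuleList": [
            {"rateBasedRuleId": "example-rate-rule", "rateBasedRuleName": name,
             "limitKey": "IP", "maxRateAllowed": 100}
            for name in rate_rules
        ],
    }


BASE = 1_700_000_000_000  # constructed epoch milliseconds
SAMPLE_RECORDS = [
    # one client blocked five times inside 40 seconds
    *[_rec(BASE + i * 10_000, "BLOCK", "203.0.113.10", "US") for i in range(5)],
    # a client that tripped a rate-based rule, then was blocked again two minutes later
    _rec(BASE + 5_000, "BLOCK", "198.51.100.7", "DE", rate_rules=("LoginRateLimit",)),
    _rec(BASE + 125_000, "BLOCK", "198.51.100.7", "DE"),
    # allowed and counted traffic from a country outside the expected set
    _rec(BASE + 50_000, "ALLOW", "192.0.2.44", "BR"),
    _rec(BASE + 55_000, "ALLOW", "192.0.2.44", "BR"),
    _rec(BASE + 60_000, "COUNT", "192.0.2.99", "BR"),
]


def blocked_rate_alerts(records, threshold=5, window_ms=60_000):
    """Client IPs with at least `threshold` BLOCKs inside some `window_ms` sliding window.
    Returns {ip: most blocks seen in one window} for the offending IPs only."""
    per_ip = defaultdict(list)
    for r in records:
        if r["action"] == "BLOCK":
            per_ip[r["httpRequest"]["clientIp"]].append(r["timestamp"])
    alerts = {}
    for ip, times in per_ip.items():
        times.sort()
        start, best = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window_ms:  # slide the window start forward
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            alerts[ip] = best
    return alerts


def rate_limit_triggers(records):
    """(clientIp, rule name, configured limit) for each request a rate-based rule acted on."""
    hits = []
    for r in records:
        for rule in r.get("rateBasedRuleList", []):
            hits.append((r["httpRequest"]["clientIp"], rule["rateBasedRuleName"], rule["maxRateAllowed"]))
    return hits


def geo_anomalies(records, expected, min_share=0.2):
    """Countries outside `expected` that account for at least `min_share` of all requests."""
    if not records:
        return {}
    counts = defaultdict(int)
    for r in records:
        counts[r["httpRequest"]["country"]] += 1
    total = len(records)
    return {c: n for c, n in counts.items() if c not in expected and n / total >= min_share}


def run_checks(records, expected_countries=("US", "DE")):
    """Run all three checks and return their findings keyed by check name."""
    return {
        "block_rate": blocked_rate_alerts(records),
        "rate_limited": rate_limit_triggers(records),
        "geo": geo_anomalies(records, set(expected_countries)),
    }


if __name__ == "__main__":
    print(run_checks(SAMPLE_RECORDS))
```

The sliding window is computed from the record timestamps rather than from fixed clock minutes, so a burst that straddles a minute boundary is still counted as one burst. In practice the geographic baseline should come from a trailing period of the same Web ACL's own traffic, and the rate-limit output is most useful when compared against the rule's configured limit to judge whether the limit is too loose or too tight.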

Support

For additional support with the AWS WAF integration, please contact the Datable support team or refer to the AWS WAF documentation.