AWS WAFv2 Web ACLs are assessed to confirm that every associated rule and rule group has CloudWatch metrics enabled (VisibilityConfig.CloudWatchMetricsEnabled set to true), so that rule evaluations and matched traffic are visible as metrics.
Risk
Without CloudWatch metrics, a rule emits no AllowedRequests, BlockedRequests or CountedRequests data points to the AWS/WAFV2 namespace, so traffic spikes, rule bypasses and misconfigured rules go unnoticed. This delays detection of SQLi/XSS probing and bot floods, threatening data confidentiality, request integrity and application availability.
prowler aws --checks wafv2_webacl_rule_logging_enabled
Recommendation
Enable CloudWatch metrics for all WAF rules and rule groups (including the rules that reference managed rule groups). Use consistent metric names, centralize dashboards and alarms, and review trends to validate rule efficacy. Forward the metrics to a SIEM for defense in depth and tune rules based on the telemetry. Note that CloudWatch metrics are aggregate per-rule counters; they do not replace WAF logging (to S3, CloudWatch Logs or Kinesis Data Firehose) or sampled requests when per-request detail is needed.
Remediation
- In AWS Console, go to AWS WAF & Shield > Web ACLs, select the Web ACL
- Open the Rules tab, edit each rule, and enable CloudWatch metrics (Visibility configuration > CloudWatch metrics enabled), then Save
- For rule groups: go to AWS WAF & Shield > Rule groups, select the rule group, edit Visibility configuration, enable CloudWatch metrics, then Save
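The console steps above can be scripted for accounts with many Web ACLs. The following Python is an added example, not Prowler's check code or AWS sample code. It inspects a Web ACL in the shape returned by the WAFv2 API (`get-web-acl`), lists the rules whose VisibilityConfig has CloudWatch metrics disabled, produces a corrected copy, and (only when the hypothetical `remediate_web_acl` function is called with a live boto3 session) pushes the fix with `update-web-acl`, which requires the Web ACL's current LockToken. The Web ACL, its rule names and IDs are constructed sample data.

```python
import copy
import re

# Constraints AWS documents for VisibilityConfig.MetricName: 1-128 characters
# from [A-Za-z0-9_-]; "All" and "Default_Action" are reserved by AWS WAF.
_METRIC_NAME_BAD_CHARS = re.compile(r"[^A-Za-z0-9_-]")
_RESERVED_METRIC_NAMES = {"All", "Default_Action"}


def sanitize_metric_name(rule_name: str) -> str:
    """Derive a valid CloudWatch metric name from a rule name."""
    name = _METRIC_NAME_BAD_CHARS.sub("_", rule_name)[:128] or "rule"
    if name in _RESERVED_METRIC_NAMES:
        name = f"{name}_rule"
    return name


def rules_missing_metrics(web_acl: dict) -> list:
    """Return the names of rules whose VisibilityConfig lacks CloudWatch metrics."""
    return [
        rule["Name"]
        for rule in web_acl.get("Rules", [])
        if not rule.get("VisibilityConfig", {}).get("CloudWatchMetricsEnabled", False)
    ]


def with_metrics_enabled(web_acl: dict) -> dict:
    """Return a deep copy of the Web ACL with metrics enabled on every rule.

    Rules that already emit metrics are left untouched; rules without a
    MetricName get one derived from the rule name so the update is accepted.
    """
    fixed = copy.deepcopy(web_acl)
    for rule in fixed.get("Rules", []):
        vis = rule.setdefault("VisibilityConfig", {"SampledRequestsEnabled": True})
        vis["CloudWatchMetricsEnabled"] = True
        vis.setdefault("MetricName", sanitize_metric_name(rule["Name"]))
    return fixed


def remediate_web_acl(name: str, scope: str, web_acl_id: str, session=None) -> list:
    """Hypothetical live remediation: enable metrics on every rule of one Web ACL.

    scope is "REGIONAL" or "CLOUDFRONT" (CLOUDFRONT must be called in us-east-1).
    Returns the rule names that were fixed. Not exercised offline.
    """
    import boto3  # imported here so the offline helpers above need no AWS SDK

    client = (session or boto3).client("wafv2")
    response = client.get_web_acl(Name=name, Scope=scope, Id=web_acl_id)
    acl = response["WebACL"]
    to_fix = rules_missing_metrics(acl)
    if not to_fix:
        return []
    fixed = with_metrics_enabled(acl)
    client.update_web_acl(
        Name=name,
        Scope=scope,
        Id=web_acl_id,
        DefaultAction=fixed["DefaultAction"],
        Rules=fixed["Rules"],
        VisibilityConfig=fixed["VisibilityConfig"],
        LockToken=response["LockToken"],  # update is rejected if the ACL changed meanwhile
    )
    return to_fix


# Constructed sample Web ACL in the get-web-acl response shape; one rule (the
# managed rule group reference) has metrics switched off.
SAMPLE_WEB_ACL = {
    "Name": "example-web-acl",
    "Id": "00000000-0000-0000-0000-000000000000",
    "DefaultAction": {"Allow": {}},
    "VisibilityConfig": {
        "SampledRequestsEnabled": True,
        "CloudWatchMetricsEnabled": True,
        "MetricName": "example-web-acl",
    },
    "Rules": [
        {
            "Name": "AWSManagedRulesCommonRuleSet",
            "Priority": 0,
            "Statement": {"ManagedRuleGroupStatement": {"VendorName": "AWS", "Name": "AWSManagedRulesCommonRuleSet"}},
            "OverrideAction": {"None": {}},
            "VisibilityConfig": {"SampledRequestsEnabled": True, "CloudWatchMetricsEnabled": False},
        },
        {
            "Name": "block-admin-path",
            "Priority": 1,
            "Statement": {"ByteMatchStatement": {"SearchString": "/admin", "FieldToMatch": {"UriPath": {}},
                                                 "TextTransformations": [{"Priority": 0, "Type": "LOWERCASE"}],
                                                 "PositionalConstraint": "STARTS_WITH"}},
            "Action": {"Block": {}},
            "VisibilityConfig": {"SampledRequestsEnabled": True, "CloudWatchMetricsEnabled": True, "MetricName": "block-admin-path"},
        },
    ],
}

if __name__ == "__main__":
    print("rules without metrics:", rules_missing_metrics(SAMPLE_WEB_ACL))
    print("after fix:", rules_missing_metrics(with_metrics_enabled(SAMPLE_WEB_ACL)))
```

The same sequence applies from the CLI: `aws wafv2 get-web-acl --name NAME --scope REGIONAL --id ID`, edit each rule's `VisibilityConfig` in the returned JSON, then `aws wafv2 update-web-acl` passing the `LockToken` from the get call. Custom rule groups carry their own per-rule VisibilityConfig and are updated the same way through `get-rule-group` and `update-rule-group`.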
Source Code
Resource Type
AwsWafv2WebAcl
References
- https://support.icompaas.com/support/solutions/articles/62000233644-ensure-aws-wafv2-webacl-rule-or-rule-group-has-amazon-cloudwatch-metrics-enabled
- https://docs.aws.amazon.com/securityhub/latest/userguide/waf-controls.html
- https://docs.aws.amazon.com/securityhub/latest/userguide/waf-controls.html#waf-12