Add AWS WAF Logging Configured Policy #1393

Merged
merged 4 commits into from
Oct 22, 2024
1 change: 1 addition & 0 deletions packs/aws.yml
Expand Up @@ -132,6 +132,7 @@ PackDefinition:
- AWS.VPC.FlowLogs
- AWS.WAF.Disassociation
- AWS.WAF.HasXSSPredicate
- AWS.WAF.LoggingConfigured
# Other rules
- AWS.CloudTrail.Account.Discovery
- AWS.CloudTrail.CloudWatchLogs
29 changes: 29 additions & 0 deletions policies/aws_waf_policies/aws_waf_logging_configured.py
@@ -0,0 +1,29 @@
def is_valid_arn(arn, service):
if service == "logs":
return arn.startswith("arn:aws:logs:") and ":log-group:" in arn
if service == "s3":
return arn.startswith("arn:aws:s3:::") and len(arn.split(":")) == 6
if service == "firehose":
return arn.startswith("arn:aws:firehose:") and ":deliverystream/" in arn
return False


def policy(resource):
# Check if WAF logging configuration exists
logging_config = resource.get("LoggingConfiguration")
if not logging_config:
return False

# Get the logging destinations
destinations = logging_config.get("LogDestinationConfigs", [])

# Validate the ARNs for CloudWatch Logs, S3, or Kinesis Firehose
for destination in destinations:
if (
is_valid_arn(destination, "logs")
or is_valid_arn(destination, "s3")
or is_valid_arn(destination, "firehose")
):
return True

return False
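Review bot: `is_valid_arn` pins the partition to the literal `arn:aws:` on all three branches, so a web ACL in GovCloud or China (`arn:aws-us-gov:logs:...`, `arn:aws-cn:s3:::...`) that is correctly shipping logs fails the policy as "not configured". Match on the service segment instead of the partition, e.g. check `arn.startswith("arn:")` and then `arn.split(":")[2] == service`, keeping the per-service `:log-group:` / `:deliverystream/` checks as they are. Two smaller robustness points in `policy`: `logging_config.get("LogDestinationConfigs", [])` only defaults when the key is absent, so a resource with `LogDestinationConfigs: null` raises `TypeError` in the `for` loop rather than returning `False` (use `logging_config.get("LogDestinationConfigs") or []`), and the S3 branch's `len(arn.split(":")) == 6` is a structure check the logs and firehose branches do not get; either apply a consistent shape check to all three or drop it, since `startswith("arn:aws:s3:::")` already rejects the malformed S3 ARN used in the tests.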
91 changes: 91 additions & 0 deletions policies/aws_waf_policies/aws_waf_logging_configured.yml
@@ -0,0 +1,91 @@
AnalysisType: policy
Filename: aws_waf_logging_configured.py
PolicyID: "AWS.WAF.LoggingConfigured"
DisplayName: "AWS WAF Logging Configured"
Enabled: true
ResourceTypes:
- AWS.WAF.Regional.WebACL
- AWS.WAF.WebACL
Tags:
- AWS
- Monitoring
- Logging
- Security Control
- Defense Evasion:Impair Defenses
Reports:
PCI:
- 10.5.5
MITRE ATT&CK:
- TA0005:T1562
Severity: High
Description: >
Ensures that AWS WAF logging is enabled and that the logs are being sent to a valid destination (S3, CloudWatch, or Kinesis Firehose). Without logging, visibility into WAF activity is severely limited, increasing the risk of undetected attacks.
Runbook: >
Ensure AWS WAF logging is configured to at least one valid destination such as an Amazon S3 bucket, Amazon CloudWatch Logs, or Amazon Kinesis Data Firehose. Refer to the AWS WAF logging documentation for setup instructions.
Reference: https://docs.aws.amazon.com/waf/latest/developerguide/logging.html
Tests:
- Name: WAF Logging Configured to CloudWatch Logs
ExpectedResult: true
Resource:
LoggingConfiguration:
LogDestinationConfigs:
- "arn:aws:logs:us-west-2:123456789012:log-group:example-log-group"
RedactedFields: null

- Name: WAF Logging Configured to S3
ExpectedResult: true
Resource:
LoggingConfiguration:
LogDestinationConfigs:
- "arn:aws:s3:::example-bucket/waf-logs/"
RedactedFields: null

- Name: WAF Logging Configured to Kinesis Firehose
ExpectedResult: true
Resource:
LoggingConfiguration:
LogDestinationConfigs:
- "arn:aws:firehose:us-west-2:123456789012:deliverystream/example-firehose"
RedactedFields: null

- Name: WAF Logging Not Configured
ExpectedResult: false
Resource:
LoggingConfiguration: null

# Edge Case 1: Malformed CloudWatch Logs ARN
- Name: WAF Logging Configured with Malformed CloudWatch Logs ARN
ExpectedResult: false
Resource:
LoggingConfiguration:
LogDestinationConfigs:
- "arn:aws:logs:us-west-2:123456789012" # Incorrect ARN format
RedactedFields: null

# Edge Case 2: Malformed S3 ARN
- Name: WAF Logging Configured with Malformed S3 ARN
ExpectedResult: false
Resource:
LoggingConfiguration:
LogDestinationConfigs:
- "arn:aws:s3::example-bucket-wrong-format" # Incorrect ARN format
RedactedFields: null

# Edge Case 3: Multiple Valid Logging Destinations (S3 and Kinesis Firehose)
- Name: WAF Logging Configured to Both S3 and Kinesis Firehose
ExpectedResult: true
Resource:
LoggingConfiguration:
LogDestinationConfigs:
- "arn:aws:s3:::example-bucket/waf-logs/"
- "arn:aws:firehose:us-west-2:123456789012:deliverystream/example-firehose"
RedactedFields: null

# Edge Case 4: Malformed Kinesis Firehose ARN
- Name: WAF Logging Configured with Malformed Kinesis Firehose ARN
ExpectedResult: false
Resource:
LoggingConfiguration:
LogDestinationConfigs:
- "arn:aws:firehose:us-west-2" # Incorrect ARN format
RedactedFields: null
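Review bot: the Tests block has no case for `LoggingConfiguration` present but `LogDestinationConfigs` empty or null, which are the shapes most likely to appear on a real web ACL after logging has been torn down; add one test with `LogDestinationConfigs: []` expecting `false`, and one with `LogDestinationConfigs: null`, which as the policy is written raises instead of returning `false`. A mixed case with one malformed ARN alongside one valid one, expecting `true`, would also pin down the any-destination semantics the `policy` loop implements, so a later refactor to "all destinations must be valid" is caught by the tests. Minor wording: the Description says logs go to "S3, CloudWatch, or Kinesis Firehose" while the Runbook uses the full service names (Amazon S3, Amazon CloudWatch Logs, Amazon Kinesis Data Firehose); use the full names in both.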