Class CfnLoggingConfiguration
- All Implemented Interfaces: IConstruct, IDependable, IInspectable, software.amazon.jsii.JsiiSerializable, software.constructs.IConstruct
AWS::WAFv2::LoggingConfiguration.
Defines an association between logging destinations and a web ACL resource, for logging from AWS WAF. As part of the association, you can specify parts of the standard logging fields to keep out of the logs and you can specify filters so that you log only a subset of the logging records.
You can define one logging destination per web ACL.
You can access information about the traffic that AWS WAF inspects using the following steps:
- Create your logging destination. You can use an Amazon CloudWatch Logs log group, an Amazon Simple Storage Service (Amazon S3) bucket, or an Amazon Kinesis Data Firehose.
  The name that you give the destination must start with aws-waf-logs-. Depending on the type of destination, you might need to configure additional settings or permissions.
  For configuration requirements and pricing information for each destination type, see Logging web ACL traffic in the AWS WAF Developer Guide.
- Associate your logging destination to your web ACL using a PutLoggingConfiguration request.
When you successfully enable logging using a PutLoggingConfiguration request, AWS WAF creates an additional role or policy that is required to write logs to the logging destination. For an Amazon CloudWatch Logs log group, AWS WAF creates a resource policy on the log group. For an Amazon S3 bucket, AWS WAF creates a bucket policy. For an Amazon Kinesis Data Firehose, AWS WAF creates a service-linked role.
For additional information about web ACL logging, see Logging web ACL traffic information in the AWS WAF Developer Guide.
Example:
// The code below shows an example of how to instantiate this type.
// The values are placeholders you should change.
import software.amazon.awscdk.services.wafv2.*;

Object jsonBody;
Object loggingFilter;
Object method;
Object queryString;
Object singleHeader;
Object uriPath;

CfnLoggingConfiguration cfnLoggingConfiguration = CfnLoggingConfiguration.Builder.create(this, "MyCfnLoggingConfiguration")
        .logDestinationConfigs(List.of("logDestinationConfigs"))
        .resourceArn("resourceArn")
        // the properties below are optional
        .loggingFilter(loggingFilter)
        .redactedFields(List.of(FieldToMatchProperty.builder()
                .jsonBody(jsonBody)
                .method(method)
                .queryString(queryString)
                .singleHeader(singleHeader)
                .uriPath(uriPath)
                .build()))
        .build();
Nested Class Summary
Modifier and Type: Description
- static interface: A single action condition for a condition in a logging filter.
- static final class: A fluent builder for CfnLoggingConfiguration.
- static interface: A single match condition for a log filter.
- static interface: The parts of the request that you want to keep out of the logs.
- static interface: A single logging filter, used in LoggingFilter.
- static interface: Inspect the body of the web request as JSON.
- static interface: A single label name condition for a condition in a logging filter.
- static interface: Filtering that specifies which web requests are kept in the logs and which are dropped, defined for a web ACL's LoggingConfiguration.
- static interface: The patterns to look for in the JSON body.
- static interface: Inspect one of the headers in the web request, identified by name, for example, User-Agent or Referer.
Nested classes/interfaces inherited from class software.amazon.jsii.JsiiObject
software.amazon.jsii.JsiiObject.InitializationMode
Nested classes/interfaces inherited from interface software.amazon.awscdk.core.IConstruct
IConstruct.Jsii$Default
Nested classes/interfaces inherited from interface software.constructs.IConstruct
software.constructs.IConstruct.Jsii$Default
Nested classes/interfaces inherited from interface software.amazon.awscdk.core.IInspectable
IInspectable.Jsii$Default, IInspectable.Jsii$Proxy
Field Summary
- static final String CFN_RESOURCE_TYPE_NAME: The CloudFormation resource type name for this resource class.
Constructor Summary
- CfnLoggingConfiguration(Construct scope, String id, CfnLoggingConfigurationProps props): Create a new AWS::WAFv2::LoggingConfiguration.
- protected CfnLoggingConfiguration(software.amazon.jsii.JsiiObject.InitializationMode initializationMode)
- protected CfnLoggingConfiguration(software.amazon.jsii.JsiiObjectRef objRef)
Method Summary
- getAttrManagedByFirewallManager: Indicates whether the logging configuration was created by AWS Firewall Manager, as part of an AWS WAF policy configuration.
- getLogDestinationConfigs: The logging destination configuration that you want to associate with the web ACL.
- getLoggingFilter: Filtering that specifies which web requests are kept in the logs and which are dropped.
- getRedactedFields: The parts of the request that you want to keep out of the logs.
- getResourceArn: The Amazon Resource Name (ARN) of the web ACL that you want to associate with LogDestinationConfigs.
- void inspect(TreeInspector inspector): Examines the CloudFormation resource and discloses attributes.
- renderProperties(Map<String, Object> props)
- void setLogDestinationConfigs(List<String> value): The logging destination configuration that you want to associate with the web ACL.
- void setLoggingFilter(Object value): Filtering that specifies which web requests are kept in the logs and which are dropped.
- void setRedactedFields(List<Object> value): The parts of the request that you want to keep out of the logs.
- void setRedactedFields(IResolvable value): The parts of the request that you want to keep out of the logs.
- void setResourceArn(String value): The Amazon Resource Name (ARN) of the web ACL that you want to associate with LogDestinationConfigs.
Methods inherited from class software.amazon.awscdk.core.CfnResource
addDeletionOverride, addDependsOn, addMetadata, addOverride, addPropertyDeletionOverride, addPropertyOverride, applyRemovalPolicy, applyRemovalPolicy, applyRemovalPolicy, getAtt, getCfnOptions, getCfnResourceType, getMetadata, getUpdatedProperites, isCfnResource, shouldSynthesize, toString, validateProperties
Methods inherited from class software.amazon.awscdk.core.CfnRefElement
getRef
Methods inherited from class software.amazon.awscdk.core.CfnElement
getCreationStack, getLogicalId, getStack, isCfnElement, overrideLogicalId
Methods inherited from class software.amazon.awscdk.core.Construct
getNode, isConstruct, onPrepare, onSynthesize, onValidate, prepare, synthesize, validate
Methods inherited from class software.amazon.jsii.JsiiObject
jsiiAsyncCall, jsiiAsyncCall, jsiiCall, jsiiCall, jsiiGet, jsiiGet, jsiiSet, jsiiStaticCall, jsiiStaticCall, jsiiStaticGet, jsiiStaticGet, jsiiStaticSet, jsiiStaticSet
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, wait, wait, wait
Methods inherited from interface software.amazon.jsii.JsiiSerializable
$jsii$toJson
Field Details
- CFN_RESOURCE_TYPE_NAME
  The CloudFormation resource type name for this resource class.
Constructor Details
- CfnLoggingConfiguration
  protected CfnLoggingConfiguration(software.amazon.jsii.JsiiObjectRef objRef)
- CfnLoggingConfiguration
  protected CfnLoggingConfiguration(software.amazon.jsii.JsiiObject.InitializationMode initializationMode)
- CfnLoggingConfiguration
  @Stability(Stable) public CfnLoggingConfiguration(@NotNull Construct scope, @NotNull String id, @NotNull CfnLoggingConfigurationProps props)
  Create a new AWS::WAFv2::LoggingConfiguration.
  - Parameters:
    scope - scope in which this resource is defined.
    id - scoped id of the resource.
    props - resource properties.
Method Details
- inspect
  Examines the CloudFormation resource and discloses attributes.
  - Specified by: inspect in interface IInspectable
  - Parameters:
    inspector - tree inspector to collect and process attributes.
- renderProperties
  @Stability(Stable) @NotNull protected Map<String,Object> renderProperties(@NotNull Map<String, Object> props)
  - Overrides: renderProperties in class CfnResource
  - Parameters:
    props - This parameter is required.
- getAttrManagedByFirewallManager
  Indicates whether the logging configuration was created by AWS Firewall Manager, as part of an AWS WAF policy configuration. If true, only Firewall Manager can modify or delete the configuration.
- getCfnProperties
  - Overrides: getCfnProperties in class CfnResource
- getLogDestinationConfigs
  The logging destination configuration that you want to associate with the web ACL. You can associate one logging destination to a web ACL.
- setLogDestinationConfigs
  The logging destination configuration that you want to associate with the web ACL. You can associate one logging destination to a web ACL.
- getLoggingFilter
  Filtering that specifies which web requests are kept in the logs and which are dropped. You can filter on the rule action and on the web request labels that were applied by matching rules during web ACL evaluation.
- setLoggingFilter
  Filtering that specifies which web requests are kept in the logs and which are dropped. You can filter on the rule action and on the web request labels that were applied by matching rules during web ACL evaluation.
- getResourceArn
  The Amazon Resource Name (ARN) of the web ACL that you want to associate with LogDestinationConfigs.
- setResourceArn
  The Amazon Resource Name (ARN) of the web ACL that you want to associate with LogDestinationConfigs.
- getRedactedFields
  The parts of the request that you want to keep out of the logs. For example, if you redact the SingleHeader field, the HEADER field in the logs will be REDACTED for all rules that use the SingleHeader FieldToMatch setting.
  Redaction applies only to the component that's specified in the rule's FieldToMatch setting, so the SingleHeader redaction doesn't apply to rules that use the Headers FieldToMatch.
  You can specify only the following fields for redaction: UriPath, QueryString, SingleHeader, and Method.
- setRedactedFields
  The parts of the request that you want to keep out of the logs. For example, if you redact the SingleHeader field, the HEADER field in the logs will be REDACTED for all rules that use the SingleHeader FieldToMatch setting.
  Redaction applies only to the component that's specified in the rule's FieldToMatch setting, so the SingleHeader redaction doesn't apply to rules that use the Headers FieldToMatch.
  You can specify only the following fields for redaction: UriPath, QueryString, SingleHeader, and Method.
- setRedactedFields
  The parts of the request that you want to keep out of the logs. For example, if you redact the SingleHeader field, the HEADER field in the logs will be REDACTED for all rules that use the SingleHeader FieldToMatch setting.
  Redaction applies only to the component that's specified in the rule's FieldToMatch setting, so the SingleHeader redaction doesn't apply to rules that use the Headers FieldToMatch.
  You can specify only the following fields for redaction: UriPath, QueryString, SingleHeader, and Method.
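The placeholder example near the top of this page filled in with concrete settings, as an added example that is not part of the AWS CDK documentation: it logs only blocked requests, redacts the authorization header and the query string, and rejects a literal destination ARN whose name lacks the aws-waf-logs- prefix. The class name WafLoggingStack, the helper requireWafLogsPrefix, the header name and the Map shapes (taken to follow the CloudFormation JSON form of AWS::WAFv2::LoggingConfiguration) are assumptions.

```java
import java.util.List;
import java.util.Map;
import software.amazon.awscdk.core.Construct;
import software.amazon.awscdk.core.Stack;
import software.amazon.awscdk.core.Token;
import software.amazon.awscdk.services.wafv2.CfnLoggingConfiguration;
import software.amazon.awscdk.services.wafv2.CfnLoggingConfiguration.FieldToMatchProperty;

// Hypothetical stack; webAclArn and destinationArn are supplied by the caller.
public class WafLoggingStack extends Stack {
    public WafLoggingStack(final Construct scope, final String id,
                           final String webAclArn, final String destinationArn) {
        super(scope, id);
        requireWafLogsPrefix(destinationArn);
        // Keep only records for blocked requests and drop everything else.
        // Assumed shape: the CloudFormation JSON form of LoggingFilter.
        Map<String, Object> blockedOnly = Map.of(
            "DefaultBehavior", "DROP",
            "Filters", List.of(Map.of(
                "Behavior", "KEEP",
                "Requirement", "MEETS_ANY",
                "Conditions", List.of(
                    Map.of("ActionCondition", Map.of("Action", "BLOCK"))))));

        CfnLoggingConfiguration.Builder.create(this, "WafLogging")
            .resourceArn(webAclArn)
            // One logging destination per web ACL, so a single-element list.
            .logDestinationConfigs(List.of(destinationArn))
            .loggingFilter(blockedOnly)
            // One request component per entry (assumed CloudFormation shapes). The
            // SingleHeader entry does not redact for rules that inspect Headers.
            .redactedFields(List.of(
                FieldToMatchProperty.builder()
                    .singleHeader(Map.of("Name", "authorization")).build(),
                FieldToMatchProperty.builder()
                    .queryString(Map.of()).build()))
            .build();
    }

    // Fails at synth time when a literal ARN names a destination without the
    // required aws-waf-logs- prefix; unresolved CDK tokens cannot be checked here.
    static void requireWafLogsPrefix(String arn) {
        if (Token.isUnresolved(arn)) return;
        String name = arn.substring(Math.max(arn.lastIndexOf(':'), arn.lastIndexOf('/')) + 1);
        if (!name.startsWith("aws-waf-logs-")) {
            throw new IllegalArgumentException("Destination must be named aws-waf-logs-*: " + arn);
        }
    }
}
```

Because redaction follows each rule's FieldToMatch setting, review the web ACL for rules that inspect Headers before relying on the SingleHeader entry to keep credentials out of the logs.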