wafv2-rulegroup-logging-enabled

Checks if Amazon CloudWatch security metrics collection on AWS WAFv2 rule groups is enabled. The rule is NON_COMPLIANT if the 'VisibilityConfig.CloudWatchMetricsEnabled' field is set to false.

Context: AWS WAFV2 (Web Application Firewall version 2) allows you to create AWS WAF rules to protect your web applications from common web exploits and vulnerabilities. An AWS WAF rule group is a collection of AWS WAF rules that you can associate with a web ACL (Access Control List) to define the desired behavior for your web application traffic. For more information, see AWS WAF rules and Rule groups in the AWS WAF Developer Guide.

By configuring CloudWatch security metrics collection on AWS WAFV2 rules group, you can monitor security metrics such as successful or failed Distributed denial of service (DDoS), SQL injection, and Cross-site scripting (XSS) attacks. The security metrics collected can help you simplify your investigations.

Note

If there are no AWS WAF rules in the AWS WAFV2 rule group for the AWS Config managed rule to check, the AWS Config managed rule returns NON_APPLICABLE.

Identifier: WAFV2_RULEGROUP_LOGGING_ENABLED

Resource Types: AWS::WAFv2::RuleGroup

Trigger type: Configuration changes

AWS Region: All supported AWS regions except US ISO West, US ISO East, Asia Pacific (Malaysia), US ISOB East, AWS GovCloud (US-East), AWS GovCloud (US-West), Canada West (Calgary) Region

Parameters:

None

AWS CloudFormation template

To create AWS Config managed rules with AWS CloudFormation templates, see Creating AWS Config Managed Rules With AWS CloudFormation Templates.

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

wafv2-logging-enabled

wafv2-rulegroup-not-empty