AWS::NetworkFirewall::LoggingConfiguration
Use the AWS::NetworkFirewall::LoggingConfiguration to define the destinations and logging options for an AWS::NetworkFirewall::Firewall.
You must change the logging configuration by changing one LogDestinationConfig setting at a time in your LogDestinationConfigs.
You can make only one of the following changes to your AWS::NetworkFirewall::LoggingConfiguration resource:
- Create a new log destination object by adding a single LogDestinationConfig array element to LogDestinationConfigs.
- Delete a log destination object by removing a single LogDestinationConfig array element from LogDestinationConfigs.
- Change the LogDestination setting in a single LogDestinationConfig array element.
You can't change the LogDestinationType or LogType in a LogDestinationConfig. To change these settings, delete the existing LogDestinationConfig object and create a new one, in two separate modifications.
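The one-change-per-update rule above is easy to violate when a template is edited by hand. The following pre-deployment check is an added example, not code from the AWS documentation: it classifies the difference between the current and the desired LogDestinationConfigs arrays, rejects anything that would need more than one stack update, and splits such a change into a sequence of single-change updates (delete, then edit, then add). It assumes that the pair (LogType, LogDestinationType) identifies an array element, which is why a type change comes out as a delete step followed by an add step.

```python
# Added example, not from the AWS documentation: a pre-deployment check for the
# one-change-per-update rule on LogDestinationConfigs. Assumes the pair
# (LogType, LogDestinationType) identifies an array element.

def _index(configs):
    """Map (LogType, LogDestinationType) -> LogDestination; reject duplicates."""
    out = {}
    for c in configs:
        key = (c["LogType"], c["LogDestinationType"])
        if key in out:
            raise ValueError(f"duplicate LogDestinationConfig for {key}")
        out[key] = c["LogDestination"]
    return out


def classify_change(current, desired):
    """Return 'none', 'add', 'delete' or 'modify' when the change fits in one
    stack update; raise ValueError when it would need several."""
    cur, des = _index(current), _index(desired)
    kinds = (["add"] * len(set(des) - set(cur))
             + ["delete"] * len(set(cur) - set(des))
             + ["modify"] * sum(1 for k in cur.keys() & des.keys() if cur[k] != des[k]))
    if len(kinds) > 1:
        raise ValueError(f"{len(kinds)} changes requested; only one is allowed "
                         "per update (use plan_updates to split them)")
    return kinds[0] if kinds else "none"


def plan_updates(current, desired):
    """Split an arbitrary change into single-change updates: deletions first,
    then in-place LogDestination edits, then additions. Each returned element
    is a complete LogDestinationConfigs array to deploy in that order."""
    cur, des = _index(current), _index(desired)
    state, steps = dict(cur), []

    def snapshot():
        return [{"LogType": lt, "LogDestinationType": ldt, "LogDestination": dst}
                for (lt, ldt), dst in state.items()]

    for key in sorted(set(cur) - set(des)):
        del state[key]
        steps.append(snapshot())
    for key in sorted(k for k in cur.keys() & des.keys() if cur[k] != des[k]):
        state[key] = des[key]
        steps.append(snapshot())
    for key in sorted(set(des) - set(cur)):
        state[key] = des[key]
        steps.append(snapshot())
    return steps
```

Feeding it the two example arrays from this page (ALERT to CloudWatch Logs plus FLOW to Kinesis Data Firehose, then FLOW to S3) yields a two-step plan: remove the Firehose element, then add the S3 element.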
Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:
JSON

```json
{
  "Type" : "AWS::NetworkFirewall::LoggingConfiguration",
  "Properties" : {
    "FirewallArn" : String,
    "FirewallName" : String,
    "LoggingConfiguration" : LoggingConfiguration
  }
}
```
YAML

```yaml
Type: AWS::NetworkFirewall::LoggingConfiguration
Properties:
  FirewallArn: String
  FirewallName: String
  LoggingConfiguration: LoggingConfiguration
```
Properties
FirewallArn
The Amazon Resource Name (ARN) of the AWS::NetworkFirewall::Firewall that the logging configuration is associated with. You can't change the firewall specification after you create the logging configuration.
Required: Yes
Type: String
Pattern: ^arn:aws.*$
Minimum: 1
Maximum: 256
Update requires: Replacement
FirewallName
The name of the firewall that the logging configuration is associated with. You can't change the firewall specification after you create the logging configuration.
Required: No
Type: String
Pattern: ^[a-zA-Z0-9-]+$
Minimum: 1
Maximum: 128
Update requires: Replacement
LoggingConfiguration
Defines how AWS Network Firewall performs logging for an AWS::NetworkFirewall::Firewall.
Required: Yes
Type: LoggingConfiguration
Update requires: No interruption
Return values
Ref
When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns the Amazon Resource Name (ARN) of the firewall that the logging configuration is associated with. For example:
{ "Ref": "arn:aws:network-firewall:us-east-1:012345678901:firewall/myFirewallName" }
For more information about using the Ref function, see Ref.
Examples
Create a logging configuration for CloudWatch Logs and Kinesis Data Firehose
The following shows example logging configuration specifications for alert logs that go to an Amazon CloudWatch Logs log group and flow logs that go to an Amazon Kinesis Data Firehose delivery stream.
JSON

```json
"SampleLoggingConfiguration": {
  "Type": "AWS::NetworkFirewall::LoggingConfiguration",
  "Properties": {
    "FirewallArn": { "Ref": "SampleFirewallArn" },
    "LoggingConfiguration": {
      "LogDestinationConfigs": [
        {
          "LogType": "ALERT",
          "LogDestinationType": "CloudWatchLogs",
          "LogDestination": { "logGroup": "SampleLogGroup" }
        },
        {
          "LogType": "FLOW",
          "LogDestinationType": "KinesisDataFirehose",
          "LogDestination": { "deliveryStream": "SampleStream" }
        }
      ]
    }
  }
}
```
YAML

```yaml
SampleLoggingConfiguration:
  Type: 'AWS::NetworkFirewall::LoggingConfiguration'
  Properties:
    FirewallArn: !Ref SampleFirewallArn
    LoggingConfiguration:
      LogDestinationConfigs:
        - LogType: ALERT
          LogDestinationType: CloudWatchLogs
          LogDestination:
            logGroup: SampleLogGroup
        - LogType: FLOW
          LogDestinationType: KinesisDataFirehose
          LogDestination:
            deliveryStream: SampleStream
```
Create a logging configuration for Amazon S3
The following shows example logging configuration specifications for flow logs that go to an Amazon S3 bucket.
JSON

```json
"SampleLoggingConfiguration": {
  "Type": "AWS::NetworkFirewall::LoggingConfiguration",
  "Properties": {
    "FirewallArn": { "Ref": "SampleFirewallArn" },
    "LoggingConfiguration": {
      "LogDestinationConfigs": [
        {
          "LogType": "FLOW",
          "LogDestinationType": "S3",
          "LogDestination": {
            "bucketName": "sample-bucket-name",
            "prefix": "sample/s3/prefix"
          }
        }
      ]
    }
  }
}
```
YAML

```yaml
SampleLoggingConfiguration:
  Type: 'AWS::NetworkFirewall::LoggingConfiguration'
  Properties:
    FirewallArn: !Ref SampleFirewallArn
    LoggingConfiguration:
      LogDestinationConfigs:
        - LogType: FLOW
          LogDestinationType: S3
          LogDestination:
            bucketName: sample-bucket-name
            prefix: sample/s3/prefix
```