You can use this document to collect and send AWS WAF Classic logs to Armor's Security Information & Event Management (SIEM).
Pre-Deployment Considerations
Before you begin, review the following requirements:
AMP Permissions
Your Armor Management Portal (AMP) account must have the following permissions:
- Write Virtual Machine
- Delete Log Management
- Read Log Endpoints
- Read Log Relays
- Write Log Relays
- Delete Log Relays
To learn more about permissions in AMP, see Roles and Permissions.
Log Relay
For remote log collection, you must have a Log Relay server on your account.
- To learn how to add Log Relay to your account, see Obtain Log Relay for Remote Log Collection.
AWS Account Permissions (Policies)
Your AWS service account must have full access to AWS CloudWatch.
Your individual AWS user account must have full access to the following AWS features:
- AWS WAF
- AWS Lambda
- AWS CloudWatch
- AWS CloudFormation
Web ACL
To ingest logs from an AWS WAF, you must first configure a Web ACL.
- To learn how to create a Web ACL, see AWS's documentation site.
Armor does not provide support for using AWS CloudFormation to set up AWS WAF resources in AWS GovCloud (US).
Configure the AWS WAF CloudFormation Stack Template
You can use these instructions to collect and send logs from a single Web ACL.
- Log in to the AWS console.
- Go to the CloudFormation service.
- Click Create stack.
Verify Connection in AMP
- In the Armor Management Portal (AMP), in the left-side navigation, click Security.
- Click Log & Data Management, and then select Search.
- In the Source column, review the source name to locate the newly created AWS WAF remote log source.
- In the search field, you can also enter "webaclid" to locate AWS WAF messages.
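A quick check to run over messages exported from the search above, as an added example that is not Armor's code. It assumes the messages are available as one JSON object per line in the AWS WAF log layout; the function name, the sample records and the placeholder Web ACL IDs are constructed for illustration.

```python
import json
from collections import Counter

# Constructed sample export (not real traffic); IDs are placeholders.
SAMPLE_LINES = [
    '{"webaclId": "EXAMPLE-ACL-1", "action": "ALLOW", "httpRequest": {"clientIp": "192.0.2.10", "uri": "/"}}',
    '{"webaclId": "EXAMPLE-ACL-1", "action": "BLOCK", "httpRequest": {"clientIp": "198.51.100.7", "uri": "/admin"}}',
    '{"webaclId": "EXAMPLE-ACL-1", "action": "ALLOW", "httpRequest": {"clientIp": "192.0.2.11", "uri": "/login"}}',
    '{"webaclId": "EXAMPLE-ACL-2", "action": "ALLOW", "httpRequest": {"clientIp": "203.0.113.5", "uri": "/"}}',
    'Jan  1 00:00:00 host sshd[1]: constructed non-WAF line',
    '{"action": "ALLOW", "httpRequest": {"clientIp": "192.0.2.12", "uri": "/"}}',
]


def summarize_waf_messages(lines, expected_webacl_id):
    """Count actions for the expected Web ACL and list lines that do not belong to it."""
    actions = Counter()
    problems = []
    for lineno, line in enumerate(lines, start=1):
        line = line.strip()
        if not line:
            continue
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            problems.append((lineno, "not JSON"))
            continue
        if not isinstance(record, dict):
            problems.append((lineno, "not a JSON object"))
            continue
        # Match the key case-insensitively: the search term on this page is "webaclid".
        fields = {key.lower(): value for key, value in record.items()}
        acl = fields.get("webaclid")
        if acl is None:
            problems.append((lineno, "no webaclId field"))
        elif acl != expected_webacl_id:
            # The stack collects from a single Web ACL, so any other ID is worth a look.
            problems.append((lineno, f"unexpected Web ACL {acl}"))
        else:
            actions[str(fields.get("action", "UNKNOWN")).upper()] += 1
    return dict(actions), problems


if __name__ == "__main__":
    counts, issues = summarize_waf_messages(SAMPLE_LINES, "EXAMPLE-ACL-1")
    print("actions for expected Web ACL:", counts)
    for lineno, reason in issues:
        print(f"line {lineno}: {reason}")
```

An empty action count for the expected Web ACL means no messages from it reached the log source, which points back to the troubleshooting items below.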
Troubleshooting
If you are having issues adding a remote collector to an AWS WAF remote device, consider that:
- You do not have proper permissions in AWS.
- You entered the AWS account information for an incorrect AWS service account.
- If you have multiple AWS accounts, especially child or organization accounts, you must verify that you added the service account information for the correct service account.
Edit a Stack
This section only applies to single stacks, not stack sets.
Currently, Armor's AWS CloudFormation template does not support updates. If you want to update your stack, then you must delete the remote log source, and then create a new one with your desired updates.