Control: 12 AWS WAF rules should have CloudWatch metrics enabled
Description
This control checks whether an AWS WAF rule or rule group has Amazon CloudWatch metrics enabled. The control fails if the rule or rule group doesn't have CloudWatch metrics enabled.
Configuring CloudWatch metrics on AWS WAF rules and rule groups provides visibility into traffic flow. You can see which ACL rules are triggered and which requests are accepted and blocked. This visibility can help you identify malicious activity on your associated resources.
Remediation
To enable CloudWatch metrics on an AWS WAF rule group, invoke the UpdateRuleGroup API. To enable CloudWatch metrics on an AWS WAF rule, invoke the UpdateWebACL API. Set the CloudWatchMetricsEnabled field to true. When you use the AWS WAF console to create rules or rule groups, CloudWatch metrics are automatically enabled.
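The remediation above boils down to one field on every VisibilityConfig. The following is an added example (not part of the aws_compliance mod or of AWS's own tooling) showing the check and the patch as plain Python over the JSON shape that the WAFv2 GetRuleGroup / GetWebACL APIs return: it lists the rule group and each rule whose CloudWatchMetricsEnabled is false or missing, and builds the patched copy you would hand to UpdateRuleGroup or UpdateWebACL. The rule group document, its name and id are constructed sample data; the MetricName default it fills in is an assumption you should adjust to your naming scheme.

```python
"""Find WAFv2 rules with CloudWatch metrics disabled and build the remediation
payload.  Added example; works offline on a constructed GetRuleGroup-style document."""
import copy
from typing import Dict, List

# Constructed sample in the shape of the "RuleGroup" element of a
# GetRuleGroup response (placeholder Name/Id, not from a real account).
SAMPLE_RULE_GROUP: Dict = {
    "Name": "example-rule-group",
    "Id": "00000000-0000-0000-0000-000000000000",
    "Capacity": 100,
    "VisibilityConfig": {
        "SampledRequestsEnabled": True,
        "CloudWatchMetricsEnabled": True,
        "MetricName": "example-rule-group",
    },
    "Rules": [
        {
            "Name": "block-bad-bots",
            "Priority": 0,
            "Action": {"Block": {}},
            "VisibilityConfig": {
                "SampledRequestsEnabled": True,
                "CloudWatchMetricsEnabled": False,  # non-compliant rule
                "MetricName": "block-bad-bots",
            },
        },
        {
            "Name": "rate-limit",
            "Priority": 1,
            "Action": {"Block": {}},
            "VisibilityConfig": {
                "SampledRequestsEnabled": True,
                "CloudWatchMetricsEnabled": True,
                "MetricName": "rate-limit",
            },
        },
    ],
}


def metrics_disabled(container: Dict) -> List[str]:
    """Return the names of the rule group / web ACL itself and of every rule
    whose VisibilityConfig.CloudWatchMetricsEnabled is false or absent."""
    failing: List[str] = []
    top = container.get("VisibilityConfig", {})
    if not top.get("CloudWatchMetricsEnabled", False):
        failing.append(container.get("Name", "<container>"))
    for rule in container.get("Rules", []):
        vc = rule.get("VisibilityConfig", {})
        if not vc.get("CloudWatchMetricsEnabled", False):
            failing.append(rule["Name"])
    return failing


def enable_metrics(container: Dict) -> Dict:
    """Return a deep copy with CloudWatchMetricsEnabled set to true on the
    container and on every rule.  The copy's "Rules" and "VisibilityConfig"
    are the values to pass to UpdateRuleGroup / UpdateWebACL, together with
    the LockToken returned by the matching Get call.  The input is not mutated."""
    patched = copy.deepcopy(container)
    patched.setdefault("VisibilityConfig", {})["CloudWatchMetricsEnabled"] = True
    for rule in patched.get("Rules", []):
        vc = rule.setdefault("VisibilityConfig", {})
        vc["CloudWatchMetricsEnabled"] = True
        vc.setdefault("SampledRequestsEnabled", True)
        # Assumed default: reuse the rule name as the metric name when none is set.
        vc.setdefault("MetricName", rule["Name"])
    return patched


if __name__ == "__main__":
    print("metrics disabled on:", metrics_disabled(SAMPLE_RULE_GROUP))
    fixed = enable_metrics(SAMPLE_RULE_GROUP)
    print("after remediation:", metrics_disabled(fixed))
```

With boto3 the patched document maps directly onto the API: fetch the rule group with the wafv2 client's get_rule_group (which also returns the LockToken), run enable_metrics on the "RuleGroup" element, and pass its "Rules" and "VisibilityConfig" plus the LockToken to update_rule_group; web ACLs follow the same pattern with get_web_acl and update_web_acl.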
Usage
Run the control in your terminal:
powerpipe control run aws_compliance.control.foundational_security_waf_12
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run aws_compliance.control.foundational_security_waf_12 --share
SQL
This control uses a named query:
wafv2_rule_group_logging_enabled