AWS::NetworkFirewall::LoggingConfiguration
Use the logging configuration to define the destinations and logging options for a firewall.
You must change the logging configuration by changing one LogDestinationConfig setting at a time in your LogDestinationConfigs.
You can make only one of the following changes to your logging configuration resource:
- Create a new log destination object by adding a single LogDestinationConfig array element to LogDestinationConfigs.
- Delete a log destination object by removing a single LogDestinationConfig array element from LogDestinationConfigs.
- Change the LogDestination setting in a single LogDestinationConfig array element.
You can't change the LogDestinationType or LogType in a
LogDestinationConfig. To change these settings, delete the existing
LogDestinationConfig object and create a new one, in two separate modifications.
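The one-change-at-a-time rule means that moving from one set of destinations to another takes several stack updates. The following Python sketch is an added example, not part of the AWS reference: it plans that sequence, giving the LogDestinationConfigs list to deploy at each step. The function names, the assumption that each LogType/LogDestinationType pair appears at most once, and the log group name SampleLogGroupV2 are all assumptions made for illustration.

```python
import copy

def key(cfg):
    # LogType and LogDestinationType can't be changed in place, so together
    # they identify an element (assumption: each pair appears at most once).
    return (cfg["LogType"], cfg["LogDestinationType"])

def plan_updates(current, desired):
    """Return [(action, key, LogDestinationConfigs after that deployment), ...]."""
    state = copy.deepcopy(current)
    want = {key(c): c for c in desired}
    steps = []

    def record(action, k):
        steps.append((action, k, copy.deepcopy(state)))

    # Deletions first: a changed LogType/LogDestinationType is a delete, then an add.
    for cfg in list(state):
        if key(cfg) not in want:
            state.remove(cfg)
            record("delete", key(cfg))
    # In-place edits: only LogDestination may differ for a surviving element.
    for cfg in state:
        target = want[key(cfg)]["LogDestination"]
        if cfg["LogDestination"] != target:
            cfg["LogDestination"] = copy.deepcopy(target)
            record("change-destination", key(cfg))
    # Additions last, one element per deployment.
    have = {key(c) for c in state}
    for cfg in desired:
        if key(cfg) not in have:
            state.append(copy.deepcopy(cfg))
            record("add", key(cfg))
    return steps

# Constructed sample: the page's CloudWatch Logs/Firehose example as the starting
# point; the target log group name "SampleLogGroupV2" is hypothetical.
CURRENT = [
    {"LogType": "ALERT", "LogDestinationType": "CloudWatchLogs",
     "LogDestination": {"logGroup": "SampleLogGroup"}},
    {"LogType": "FLOW", "LogDestinationType": "KinesisDataFirehose",
     "LogDestination": {"deliveryStream": "SampleStream"}},
]
DESIRED = [
    {"LogType": "ALERT", "LogDestinationType": "CloudWatchLogs",
     "LogDestination": {"logGroup": "SampleLogGroupV2"}},
    {"LogType": "FLOW", "LogDestinationType": "S3",
     "LogDestination": {"bucketName": "sample-bucket-name", "prefix": "sample/s3/prefix"}},
]

if __name__ == "__main__":
    for n, (action, k, configs) in enumerate(plan_updates(CURRENT, DESIRED), 1):
        print(n, action, k, configs)
```

Between the delete and the matching add, the firewall has no destination for that log type, so schedule the two updates back to back to keep the logging gap short.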
Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:
JSON
    {
      "Type" : "AWS::NetworkFirewall::LoggingConfiguration",
      "Properties" : {
          "EnableMonitoringDashboard" : Boolean,
          "FirewallArn" : String,
          "FirewallName" : String,
          "LoggingConfiguration" : LoggingConfiguration
        }
    }
YAML
    Type: AWS::NetworkFirewall::LoggingConfiguration
    Properties:
      EnableMonitoringDashboard: Boolean
      FirewallArn: String
      FirewallName: String
      LoggingConfiguration:
        LoggingConfiguration
Properties
EnableMonitoringDashboard
Property description not available.
Required: No
Type: Boolean
Update requires: No interruption
FirewallArn
The Amazon Resource Name (ARN) of the firewall that the logging configuration is associated with. You can't change the firewall specification after you create the logging configuration.
Required: Yes
Type: String
Pattern: ^arn:aws.*$
Minimum: 1
Maximum: 256
Update requires: Replacement
FirewallName
The name of the firewall that the logging configuration is associated with. You can't change the firewall specification after you create the logging configuration.
Required: No
Type: String
Pattern: ^[a-zA-Z0-9-]+$
Minimum: 1
Maximum: 128
Update requires: Replacement
LoggingConfiguration
Defines how AWS Network Firewall performs logging for a firewall.
Required: Yes
Type: LoggingConfiguration
Update requires: No interruption
Return values
Ref
When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns the Amazon Resource Name (ARN) of the firewall that the logging configuration is associated with. For example:
{ "Ref": "arn:aws:network-firewall:us-east-1:012345678901:firewall/myFirewallName" }
For more information about using the Ref function, see Ref.
Examples
Create a logging configuration for CloudWatch Logs and Kinesis Data Firehose
The following shows example logging configuration specifications for alert logs that go to an Amazon CloudWatch Logs log group and flow logs that go to an Amazon Kinesis Data Firehose delivery stream.
JSON
    "SampleLoggingConfiguration": {
        "Type": "AWS::NetworkFirewall::LoggingConfiguration",
        "Properties": {
            "FirewallArn": {
                "Ref": "SampleFirewallArn"
            },
            "LoggingConfiguration": {
                "LogDestinationConfigs": [
                    {
                        "LogType": "ALERT",
                        "LogDestinationType": "CloudWatchLogs",
                        "LogDestination": {
                            "logGroup": "SampleLogGroup"
                        }
                    },
                    {
                        "LogType": "FLOW",
                        "LogDestinationType": "KinesisDataFirehose",
                        "LogDestination": {
                            "deliveryStream": "SampleStream"
                        }
                    }
                ]
            }
        }
    }
YAML
    SampleLoggingConfiguration:
      Type: 'AWS::NetworkFirewall::LoggingConfiguration'
      Properties:
        FirewallArn: !Ref SampleFirewallArn
        LoggingConfiguration:
          LogDestinationConfigs:
            - LogType: ALERT
              LogDestinationType: CloudWatchLogs
              LogDestination:
                logGroup: SampleLogGroup
            - LogType: FLOW
              LogDestinationType: KinesisDataFirehose
              LogDestination:
                deliveryStream: SampleStream
Create a logging configuration for Amazon S3
The following shows example logging configuration specifications for flow logs that go to an Amazon S3 bucket.
JSON
    "SampleLoggingConfiguration": {
        "Type": "AWS::NetworkFirewall::LoggingConfiguration",
        "Properties": {
            "FirewallArn": {
                "Ref": "SampleFirewallArn"
            },
            "LoggingConfiguration": {
                "LogDestinationConfigs": [
                    {
                        "LogType": "FLOW",
                        "LogDestinationType": "S3",
                        "LogDestination": {
                            "bucketName": "sample-bucket-name",
                            "prefix": "sample/s3/prefix"
                        }
                    }
                ]
            }
        }
    }
YAML
    SampleLoggingConfiguration:
      Type: 'AWS::NetworkFirewall::LoggingConfiguration'
      Properties:
        FirewallArn: !Ref SampleFirewallArn
        LoggingConfiguration:
          LogDestinationConfigs:
            - LogType: FLOW
              LogDestinationType: S3
              LogDestination:
                bucketName: sample-bucket-name
                prefix: sample/s3/prefix