# Logging network traffic from AWS Network Firewall Logging network traffic You can configure AWS Network Firewall logging for your firewall's stateful engine. Logging gives you detailed information about network traffic, including the time that the stateful engine received a packet, detailed information about the packet, and any stateful rule action taken against the packet. The logs are published to the log destination that you've configured, where you can retrieve and view them. **Note** Firewall logging is only available for traffic that you forward to the stateful rules engine. You forward traffic to the stateful engine through stateless rule actions and stateless default actions in the firewall policy. For information about these actions settings, see [Firewall policy settings in AWS Network Firewall](firewall-policy-settings.md) and [Defining rule actions in AWS Network Firewall](rule-action.md). Metrics provide some higher-level information for both stateless and stateful engine types. For more information, see [AWS Network Firewall metrics in Amazon CloudWatch](monitoring-cloudwatch.md). You can record the following types of logs from your Network Firewall stateful engine. + Flow logs are standard network traffic flow logs. + Alert logs report traffic that matches your stateful rules that have an action that sends an alert. A stateful rule sends alerts for the rule actions `DROP`, `ALERT`, and `REJECT`. For more information, see [Actions for stateful rules](rule-action.md#rule-action-stateful). + TLS logs report events that are related to TLS inspection. These logs require the firewall to be configured for TLS inspection. For information, see [Inspecting SSL/TLS traffic with TLS inspection configurations in AWS Network Firewall](tls-inspection-configurations.md). You can use the same or different logging destination for each log type. You enable logging for a firewall after you create it. For information about how to do this, see [Updating a AWS Network Firewall logging configuration](firewall-update-logging-configuration.md). **Topics** + [ # Contents of a AWS Network Firewall log ](firewall-logging-contents.md) + [ # Timing of AWS Network Firewall log delivery ](firewall-logging-timing.md) + [ # Permissions to configure AWS Network Firewall logging ](firewall-logging-permissions.md) + [ # Pricing for AWS Network Firewall logging ](firewall-logging-pricing.md) + [ # AWS Network Firewall logging destinations ](firewall-logging-destinations.md) + [ # Logging in AWS Network Firewall with server-side encryption and customer-provided keys ](firewall-logging-encrypt-kms.md) + [ # Updating a AWS Network Firewall logging configuration ](firewall-update-logging-configuration.md) # Contents of a AWS Network Firewall log Contents of a Network Firewall logNew `tls_inspected` flag Network Firewall now adds a `tls_inspected` field to firewall logs to indicate when there's TLS traffic flowing across a firewall that's enabled with TLS inspection. The Network Firewall logs contain the following information: + **firewall\$1name** – The name of the firewall that's associated with the log entry. + **availability\$1zone** – The Availability Zone of the firewall endpoint that generated the log entry. + **event\$1timestamp** – The time that the log was created, written in epoch seconds at Coordinated Universal Time (UTC). + **aws\$1category ** – For rules using URL or Domain Category filtering, contains the matched categories in JSON array format. For example, ["Search Engines and Portals"] or ["Technology and Internet"]. + **event** – Detailed information about the event. This information includes the event timestamp converted to human readable format, event type, network packet details, and, if applicable, details about the stateful rule that the packet matched against. + **Alert and flow events** – Alert and flow events are produced by Suricata, the open source threat detection engine that the stateful rules engine runs on. Suricata writes the event information in the Suricata EVE JSON output format, with the exception of the AWS managed `tls_inspected` attribute. + Flow log events use the EVE output type `netflow`. The log type `netflow` logs uni-directional flows, so each event represents traffic going in a single direction. + Alert log events using the EVE output type `alert`. + If the firewall that's associated with the log uses TLS inspection and the firewall's traffic uses SSL/TLS, Network Firewall adds the custom field `"tls_inspected": true` to the log. If your firewall doesn't use TLS inspection, Network Firewall omits this field. For detailed information about these Suricata events, see [EVE JSON Output](https://docs.suricata.io/en/suricata-7.0.8/output/eve/eve-json-output.html?highlight=EVE) in the [Suricata User Guide](https://docs.suricata.io/en/suricata-7.0.8/index.html). + **TLS events** – TLS events are produced by a dedicated stateful TLS engine, which is separate from Suricata. TLS events have the output type `tls`. The logs have a JSON structure that's similar to the Suricata EVE output. These events require the firewall to be configured for TLS inspection. For information, see [Inspecting SSL/TLS traffic with TLS inspection configurations in AWS Network Firewall](tls-inspection-configurations.md). TLS logs report the following types of errors: + TLS errors, with the custom field `"tls_error":` containing the error details. Currently, this category includes Server Name Indication (SNI) mismatches and SNI naming errors. Typically these errors are caused by problems with customer traffic or with the customer's client or server. For example, errors caused when the client hello SNI is NULL or doesn't match the subject name in the server certificate. + Revocation check errors, with the custom field `"revocation_check":` containing the check failure details. These report outbound traffic that fails the server certificate revocation check during TLS inspection. This requires the firewall to be configured with TLS inspection for outbound traffic, and for the TLS inspection to be configured to check the certificate revocation status. The logs include the revocation check status, the action taken, and the SNI that the revocation check was for. For information about configuring certificate revocation checking, see [Using SSL/TLS certificates with TLS inspection configurations in AWS Network Firewall](tls-inspection-certificate-requirements.md). For detailed information about these Suricata events, see [EVE JSON Output](https://docs.suricata.io/en/suricata-7.0.8/output/eve/eve-json-output.html?highlight=EVE) in the [Suricata User Guide](https://docs.suricata.io/en/suricata-7.0.8/index.html). **Example alert log entry** The following listing shows an example alert log entry for Network Firewall. ``` { "firewall_name":"test-firewall", "availability_zone":"us-east-1b", "event_timestamp":"1602627001", "event":{ "timestamp":"2020-10-13T22:10:01.006481+0000", "flow_id":1582438383425873, "event_type":"alert", "src_ip":"203.0.113.4", "src_port":55555, "dest_ip":"192.0.2.16", "dest_port":111, "proto":"TCP", "alert":{ "action":"allowed", "signature_id":5, "rev":0, "signature":"test_tcp", "category":"", "severity":1 } } } ``` **Example alert log entry with URL and Domain Category enabled** ``` { "firewall_name": "test-firewall", "availability_zone": "us-east-1b", "event_timestamp": "1762217722", "event": { "aws_category": "[\"Search Engines and Portals\"]", "tx_id": 2, "app_proto": "http2", "src_ip": "10.0.100.55", "src_port": 54878, "event_type": "alert", "alert": { "severity": 3, "signature_id": 6, "rev": 0, "signature": "", "action": "blocked", "category": "" }, "flow_id": 643336554233439, "dest_ip": "64.233.180.147", "proto": "TCP", "verdict": { "action": "drop" }, "http": { "version": "2", "request_headers": [{ "name": ":method", "value": "GET" }, { "name": ":scheme", "value": "https" }, { "name": ":authority", "value": "www.google.com" }, { "name": ":path", "value": "/" }, { "name": "user-agent", "value": "curl/8.11.1" }, { "name": "accept", "value": "*/*" }], "http_user_agent": "curl/8.11.1", "url": "/", "http_method": "GET", "http2": { "stream_id": 1, "request": {}, "response": {} } }, "dest_port": 443, "timestamp": "2025-12-31T00:55:22.870721+0000", "direction": "to_server" } } ``` **Example TLS log entry** The following listing shows an example TLS log entry for a failed certificate revocation check. ``` { "firewall_name": "egress-fw", "availability_zone": "us-east-1d", "event_timestamp": 1708361189, "event": { "src_ip": "10.0.2.53", "src_port": "55930", "revocation_check": { "leaf_cert_fpr": "1234567890EXAMPLE0987654321", "status": "REVOKED", "action": "DROP" }, "dest_ip": "54.92.160.72", "dest_port": "443", "timestamp": "2024-02-19T16:46:29.441824Z", "sni": "revoked-rsa-dv.ssl.com" } } ``` **Example TLS log entry with URL and Domain Category enabled** ``` { "firewall_name": "test-firewall", "availability_zone": "us-east-1b", "event_timestamp": "1763508615", "event": { "aws_category": "[\"Technology and Internet\"]", "tx_id": 0, "app_proto": "tls", "src_ip": "10.0.100.55", "src_port": 44474, "event_type": "alert", "alert": { "severity": 3, "signature_id": 6, "rev": 0, "signature": "", "action": "blocked", "category": "" }, "flow_id": 1972143099170468, "dest_ip": "192.178.155.113", "proto": "TCP", "verdict": { "action": "drop" }, "tls": { "sni": "developers.google.com", "version": "UNDETERMINED" }, "dest_port": 443, "pkt_src": "geneve encapsulation", "timestamp": "2025-11-18T23:30:15.006867+0000", "direction": "to_server" } } ``` # Timing of AWS Network Firewall log delivery Timing of log delivery A log file or log stream generally contains information about the requests that your firewall received during a given time period. The timing of Network Firewall log delivery varies by location type, averaging 3-6 minutes for Amazon CloudWatch Logs and Amazon Data Firehose and 8-12 minutes for Amazon Simple Storage Service buckets. In some cases, logs may take longer than these averages. When log entries are delayed, Network Firewall saves them and then logs them according to the date and time of the period in which the requests occurred, not the date and time when the logs are delivered. **Note** If your firewall doesn't filter traffic for a period of time, you don't receive logs for that period. When creating a log file or stream, Network Firewall consolidates information for your firewall from all the endpoints that received traffic during the time period that the log covers. # Permissions to configure AWS Network Firewall logging Permissions to configure logging You must have the following permissions to make any changes to your firewall logging configuration. These settings are included in the permissions requirements for each logging configuration type, under [AWS Network Firewall logging destinations](firewall-logging-destinations.md). ``` { "Action": [ "logs:CreateLogDelivery", "logs:GetLogDelivery", "logs:UpdateLogDelivery", "logs:DeleteLogDelivery", "logs:ListLogDeliveries" ], "Resource": [ "*" ], "Effect": "Allow", "Sid": "FirewallLogging" } ``` The permissions required for logging configuration are in addition to the standard permissions required to use the Network Firewall API. For information about the standard permissions that are required to use Network Firewall, see [Managing access using policies](security-iam.md#security_iam_access-manage). # Pricing for AWS Network Firewall logging Pricing for logging You are charged for Amazon CloudWatch *vended logs*, on top of the basic charges for using Network Firewall. Additionally, you incur charges when querying logs, whether through CloudWatch and or through Amazon Athena for logs stored in Amazon S3. Vended logs are specific AWS service logs published by AWS on your behalf at volume discount pricing. Your logging costs can vary depending on factors such as the destination type that you choose and the amount of data that you log. For example, flow logging sends logs for all of the network traffic that reaches your firewall's stateful rules, but alert logging sends logs only for network traffic that your stateful rules drop or explicitly alert on. Review the following resources to understand the pricing considerations for using firewall logs: + For information about CloudWatch vended log pricing, see [Logs](https://aws.amazon.com/cloudwatch/pricing/) on the *Amazon CloudWatch pricing* page. + For information about Network Firewall pricing, see [Network Firewall pricing](https://aws.amazon.com/network-firewall/pricing/). + For information about Amazon S3 pricing, see [Amazon S3 pricing](https://aws.amazon.com/S3/pricing/). + For information about Amazon Athena pricing, see [Amazon Athena pricing](https://aws.amazon.com/athena/pricing/). # AWS Network Firewall logging destinations Firewall logging destinations This section describes the logging destinations that you can choose from for your Network Firewall logs. Each section provides guidance for configuring logging for the destination type and information about any behavior that's specific to the destination type. After you've configured your logging destination, you can provide its specifications to the firewall logging configuration to start logging to it. For information about how to update the logging destination for an existing logging configuration, see [Updating a firewall's logging configuration](firewall-update-logging-configuration.md). **Topics** + [ # Sending AWS Network Firewall logs to Amazon Simple Storage Service ](logging-s3.md) + [ # Sending AWS Network Firewall logs to Amazon CloudWatch Logs ](logging-cw-logs.md) + [ # Sending AWS Network Firewall logs to Amazon Data Firehose ](logging-kinesis.md) # Sending AWS Network Firewall logs to Amazon Simple Storage Service Amazon S3 To send your firewall logs to Amazon S3, you need to set up an Amazon S3 bucket as the destination for the logs. In your bucket configuration for the firewall, you can optionally include a prefix, to immediately follow the bucket name. When you enable logging to Amazon S3 in Network Firewall, you provide the bucket name and, if you are using one, the prefix. For information about creating your logging bucket, see [Create a Bucket](https://docs.aws.amazon.com/AmazonS3/latest/userguide/CreatingABucket.html) in the *Amazon Simple Storage Service User Guide*. **Note** Network Firewall supports encryption with Amazon S3 buckets for key type Amazon S3 key (SSE-S3) and for AWS Key Management Service (SSE-KMS) AWS KMS keys. Network Firewall doesn't support encryption for AWS Key Management Service keys that are managed by AWS. **Note** For information about the fees associated with sending logs to Amazon S3, see [Pricing for AWS Network Firewall logging](firewall-logging-pricing.md). **Important** If you enable detailed monitoring for a firewall that sends alert or flow logs to Amazon S3, Network Firewall uses Amazon Athena to create tables as required in your account. These tables process log data and are used exclusively for populating firewall monitoring dashboards and are managed by the Network Firewall console. For more information on how Amazon S3 integrates with Amazon Athena, see [https://docs.aws.amazon.com/AmazonS3/latest/userguide/storage-inventory-athena-query.html](https://docs.aws.amazon.com/AmazonS3/latest/userguide/storage-inventory-athena-query.html). **Important** To use the firewall monitoring dashboard functionality with S3 logging destinations: The Amazon S3 bucket storing the logs must be in the same region as the firewall. This is required for Amazon Athena to process the logs, as cross-region processing is not supported. If you specify a prefix for your S3 bucket, ensure it does not begin with a forward slash (`/`). Prefixes starting with (`/`) are not compatible with Amazon Athena processing and will prevent the dashboard from functioning correctly. Network Firewall collects log records, consolidates them into log files, and then publishes the log files to the Amazon S3 bucket at 5-minute intervals. Each log file contains log records for the network traffic recorded in the previous five minutes. The maximum file size for a log file is 75 MB. If the log file reaches the file size limit within the 5-minute period, the log stops adding records to it, publishes it to the Amazon S3 bucket, and then creates a new log file. A single log file contains interleaved entries with multiple connection identifier (source IP address, source port, destination IP address, destination port, and protocol) records. To see all the log files for your firewall, look for entries aggregated by the firewall name and your account ID. Log files are saved in the specified Amazon S3 bucket using a folder structure that's determined by the log's ID, Region, Network Firewall log type, and the date. The bucket folder structure uses the following format: ``` s3-bucket-name/optional-s3-bucket-prefix/AWSLogs/aws-account-id/network-firewall/log-type/Region/firewall-name/timestamp/ ``` Similarly, the log file name is determined by the flow log's ID, Region, and the date and time it was created. File names use the following format: ``` aws-account-id_network-firewall_log-type_Region_firewall-name_timestamp_hash.log.gz ``` In the specification of the folder and file name, the following apply: + The log type is either `alert`, `flow`, or `tls`. + The timestamp uses the `YYYYMMDDTHHmmZ` format. + If you don't provide a specification for the S3 bucket prefix, the log file bucket folder structure will be similar to the following: ``` s3-bucket-name/AWSLogs/aws-account-id ``` + If you specify slash (`/`) for the S3 bucket prefix, or provide a prefix that begins with a slash, the log file bucket folder structure will contain a double slash (`//`), like the following for a prefix set to a single slash: ``` s3-bucket-name//AWSLogs/aws-account-id ``` The following shows an example flow log file in Amazon S3 for AWS account `11111111111`, firewall name `test-firewall`, bucket name `s3://amzn-s3-demo-bucket`, and bucket prefix `flow-logs`. ``` s3://amzn-s3-demo-bucket/flow-logs/AWSLogs/11111111111/network-firewall/flow/us-east-1/test-firewall/2020/10/01/19/11111111111_network-firewall_flow_us-east-1_test-firewall_202010011920_44442222.log.gz ``` ## Permissions to publish logs to Amazon S3 You must have the following permissions settings to configure your firewall to send logs to Amazon S3. ------ #### [ JSON ] **** ``` { "Version":"2012-10-17", "Statement": [ { "Action": [ "logs:CreateLogDelivery", "logs:GetLogDelivery", "logs:UpdateLogDelivery", "logs:DeleteLogDelivery", "logs:ListLogDeliveries" ], "Resource": [ "*" ], "Effect": "Allow", "Sid": "FirewallLogging" }, { "Sid": "FirewallLoggingS3", "Action": [ "s3:PutBucketPolicy", "s3:GetBucketPolicy" ], "Resource": [ "arn:aws:s3:::bucket-name" ], "Effect": "Allow" } ] } ``` ------ By default, Amazon S3 buckets and the objects that they contain are private. Only the bucket owner can access the bucket and the objects stored in it. The bucket owner, however, can grant access to other resources and users by writing an access policy. If the user creating the log owns the bucket, the service automatically attaches the following policy to the bucket to give the log permission to publish logs to it: ------ #### [ JSON ] **** ``` { "Version":"2012-10-17", "Statement": [ { "Sid": "AWSLogDeliveryWrite", "Effect": "Allow", "Principal": {"Service": "delivery.logs.amazonaws.com"}, "Action": "s3:PutObject", "Resource": "arn:aws:s3:::bucket-name/optional-folder/AWSLogs/123456789012/*", "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}} }, { "Sid": "AWSLogDeliveryAclCheck", "Effect": "Allow", "Principal": {"Service": "delivery.logs.amazonaws.com"}, "Action": "s3:GetBucketAcl", "Resource": "arn:aws:s3:::bucket-name" } ] } ``` ------ If the user creating the log doesn't own the bucket, or doesn't have the `GetBucketPolicy` and `PutBucketPolicy` permissions for the bucket, the log creation fails. In this case, the bucket owner must manually add the preceding policy to the bucket and specify the log creator's AWS account ID. For more information, see [How Do I Add an S3 Bucket Policy?](https://docs.aws.amazon.com/AmazonS3/latest/userguide/add-bucket-policy.html) in the *Amazon Simple Storage Service User Guide*. If the bucket receives logs from multiple accounts, add a `Resource` element entry to the `AWSLogDeliveryWrite` policy statement for each account. For example, the following bucket policy allows AWS accounts `111122223333` and `444455556666` to publish logs to a folder named `flow-logs` in a bucket named `amzn-s3-demo-bucket`: ------ #### [ JSON ] **** ``` { "Version":"2012-10-17", "Statement": [ { "Sid": "AWSLogDeliveryWrite", "Effect": "Allow", "Principal": {"Service": "delivery.logs.amazonaws.com"}, "Action": "s3:PutObject", "Resource": [ "arn:aws:s3:::amzn-s3-demo-bucket:/flow-logs/AWSLogs/111122223333/", "arn:aws:s3:::amzn-s3-demo-bucket:/flow-logs/AWSLogs/444455556666/" ], "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}} }, { "Sid": "AWSLogDeliveryAclCheck", "Effect": "Allow", "Principal": {"Service": "delivery.logs.amazonaws.com"}, "Action": "s3:GetBucketAcl", "Resource": "arn:aws:s3:::amzn-s3-demo-bucket" } ] } ``` ------ ## (Optional) Permissions to access Amazon S3 log metrics in Network Firewall using Amazon Athena In addition to your existing Amazon S3 permissions, you must have the following permissions for flow or alert log metrics to populate the firewall monitoring dashboard. **Important** When you enable firewall monitoring for a firewall that sends logs to Amazon S3, Network Firewall uses Amazon Athena to create tables and metadata files (including CSV files) in your S3 bucket. To optimize storage costs, we recommend periodically cleaning up these metadata files when they are no longer needed. If you haven't already verified that your account has the baseline logging permissions, go do that now. For more information, see [Permissions to configure AWS Network Firewall logging](firewall-logging-permissions.md). **Important** Additional fees are incurred when Network Firewall uses Amazon Athena to query Amazon S3 logs for the detailed monitoring dashboard. For best practices to minimize additional cost, see [Working with the firewall monitoring dashboard](nwfw-using-dashboard.md). ``` { "Effect": "Allow", "Action": [ "athena:StartQueryExecution", "athena:GetQueryExecution", "athena:GetQueryResults" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "s3:PutObject", "s3:GetObject", "s3:GetBucketLocation", "s3:ListBuckets", "s3:ListBucket" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "glue:GetTable", "glue:GetDatabase", "glue:GetPartitions", "glue:CreateTable", "glue:DeleteTable" ], "Resource": "*" } ``` If you're using CloudWatch Logs as a logging destination, you'll need additional permissions. For more information, see [Permissions to publish logs to CloudWatch Logs](logging-cw-logs.md#logging-cw-logs-permissions). The following view shows both standard Amazon S3 permissions and the additional Athena permissions needed for detailed monitoring. ------ #### [ JSON ] **** ``` { "Version":"2012-10-17", "Statement": [ { "Sid": "FirewallLogging", "Effect": "Allow", "Action": [ "logs:CreateLogDelivery", "logs:GetLogDelivery", "logs:UpdateLogDelivery", "logs:DeleteLogDelivery", "logs:ListLogDeliveries" ], "Resource": "*" }, { "Sid": "FirewallLoggingS3", "Effect": "Allow", "Action": [ "s3:PutBucketPolicy", "s3:GetBucketPolicy", "s3:PutObject", "s3:GetObject", "s3:GetBucketLocation", "s3:ListAllMyBuckets", "s3:ListBucket" ], "Resource": "*" }, { "Sid": "FirewallLoggingAthena", "Effect": "Allow", "Action": [ "athena:StartQueryExecution", "athena:GetQueryExecution", "athena:GetQueryResults" ], "Resource": "*" }, { "Sid": "FirewallLoggingGlue", "Effect": "Allow", "Action": [ "glue:GetTable", "glue:GetDatabase", "glue:GetPartitions", "glue:CreateTable", "glue:DeleteTable" ], "Resource": "*" } ] } ``` ------ ## Amazon S3 log file access In addition to the required bucket policies, Amazon S3 uses access control lists (ACLs) to manage access to the log files created by a Network Firewall log. By default, the bucket owner has `FULL_CONTROL` permissions on each log file. The log delivery owner, if different from the bucket owner, has no permissions. The log delivery account has `READ` and `WRITE` permissions. For more information, see [Access Control List (ACL) Overview](https://docs.aws.amazon.com/AmazonS3/latest/userguide/acl-overview.html) in the *Amazon Simple Storage Service User Guide*. The log files are compressed. If you open the files using the Amazon S3 console, Amazon S3 decompresses the log records and displays them. If you download the log files, you must decompress them to view the records. # Sending AWS Network Firewall logs to Amazon CloudWatch Logs CloudWatch Logs To send logs to Amazon CloudWatch Logs, you create a CloudWatch Logs log group. When you enable logging in Network Firewall, you provide the log group name. After you enable logging for your firewall, AWS Network Firewall delivers logs to the CloudWatch Logs log group in log streams. Each log stream contains an hour of log records. You can use any name for your CloudWatch Logs log group. Configure the log group in the same Region as the firewall and using the same account as you use to manage the firewall. For information about configuring a CloudWatch Logs log group, see [Working with Log Groups and Log Streams](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/Working-with-log-groups-and-streams.html). **Names of alert and flow logs** When you configure your Network Firewall firewall to send alert and flow logs to the log group, the resulting log streams have the following naming format: ``` /aws/network-firewall/log-type/firewall-name_YYYY-MM-DD-HH ``` In the specification, the log type is either `alert` or `flow`. The following shows an example log stream created on October 1, 2020, at 5 pm for alert logging for firewall `test-firewall`. ``` /aws/network-firewall/alert/test-firewall_2020-10-01-17 ``` **Names of TLS logs** When you configure your Network Firewall firewall to send TLS logs to the log group, the resulting log streams have the following naming format: ``` /aws/network-firewall/tls/firewall-name ``` The following shows the log stream for TLS logging for the example firewall `test-firewall`. ``` /aws/network-firewall/tls/test-firewall ``` ## Permissions to publish logs to CloudWatch Logs You must have the following permissions settings to configure your firewall to send logs to a CloudWatch Logs log group and to access log metrics in Network Firewall. ------ #### [ JSON ] **** ``` { "Version":"2012-10-17", "Statement": [ { "Action": [ "logs:CreateLogDelivery", "logs:GetLogDelivery", "logs:UpdateLogDelivery", "logs:DeleteLogDelivery", "logs:ListLogDeliveries" ], "Resource": [ "*" ], "Effect": "Allow", "Sid": "FirewallLogging" }, { "Sid": "FirewallLoggingCWL", "Action": [ "logs:PutResourcePolicy", "logs:DescribeResourcePolicies", "logs:DescribeLogGroups" ], "Resource": [ "arn:aws:logs:us-east-1:123456789012:log-group:log-group-name" ], "Effect": "Allow" } ] } ``` ------ **Important** Additional fees are incurred when Network Firewall queries CloudWatch to fetch log data for the detailed monitoring dashboard. For best practices to minimize additional cost, see [Working with the firewall monitoring dashboard](nwfw-using-dashboard.md). ## (Optional) Permissions to access CloudWatch log metrics in Network Firewall You must have the following permissions settings added to your existing CloudWatch permissions to configure your firewall to query CloudWatch logs for the detailed monitoring dashboard. **Important** Additional fees are incurred when querying logs, whether through CloudWatch Logs or through Amazon Athena for logs stored in S3. For best practices to minimize additional cost, see [Working with the firewall monitoring dashboard](nwfw-using-dashboard.md). ``` { "Effect": "Allow", "Action": [ "logs:StartQuery", "logs:GetQueryResults" ], "Resource": "CloudWatch Logs log group ARN" } ``` The following view shows both standard CloudWatch permissions and the additional permissions needed for detailed monitoring. ------ #### [ JSON ] **** ``` { "Version":"2012-10-17", "Statement": [ { "Action": [ "logs:CreateLogDelivery", "logs:GetLogDelivery", "logs:UpdateLogDelivery", "logs:DeleteLogDelivery", "logs:ListLogDeliveries" ], "Resource": [ "*" ], "Effect": "Allow", "Sid": "FirewallLogging" }, { "Sid": "FirewallLoggingCWL", "Action": [ "logs:PutResourcePolicy", "logs:DescribeResourcePolicies", "logs:DescribeLogGroups" ], "Resource": [ "arn:aws:logs:us-east-1:123456789012:log-group:log-group-name" ], "Effect": "Allow" }, { "Sid": "FirewallLoggingSearch", "Effect": "Allow", "Action": [ "logs:StartQuery", "logs:GetQueryResults" ], "Resource": "*" } ] } ``` ------ # Sending AWS Network Firewall logs to Amazon Data Firehose Firehose To send logs to Amazon Data Firehose, you first need to set up a Firehose delivery stream. As part of that process, you choose a destination for storing your logs. After you enable logging for your firewall, AWS Network Firewall delivers logs to the destination through the HTTPS endpoint of Amazon Data Firehose. One AWS Network Firewall log corresponds to one Amazon Data Firehose record. Configure an Amazon Data Firehose delivery stream for your firewall as follows. + Create it using the same account as you use to manage the firewall. + Create it in the same Region as the firewall. + Configure it for direct put, which allows applications to access the delivery stream directly. In the Amazon Data Firehose console, for the delivery stream **Source** setting, choose **Direct PUT or other sources**. Through the API, set the delivery stream property `DeliveryStreamType` to `DirectPut`. For information about how to create an Amazon Data Firehose delivery stream and review the stored logs, see [Creating an Amazon Data Firehose delivery stream](https://docs.aws.amazon.com/firehose/latest/dev/basic-create.html) and [What is Amazon Data Firehose?](https://docs.aws.amazon.com/firehose/latest/dev/what-is-this-service.html) When you successfully enable logging to an Amazon Data Firehose data stream, Network Firewall creates a service linked role with the necessary permissions to write logs to it. For more information, see [Using service-linked roles](using-service-linked-roles.md). ## Permissions to publish logs to Amazon Data Firehose You must have the following permissions to configure your firewall to send logs to an Amazon Data Firehose delivery stream. ------ #### [ JSON ] **** ``` { "Version":"2012-10-17", "Statement": [ { "Action": [ "logs:CreateLogDelivery", "logs:GetLogDelivery", "logs:UpdateLogDelivery", "logs:DeleteLogDelivery", "logs:ListLogDeliveries" ], "Resource": [ "*" ], "Effect": "Allow", "Sid": "FirewallLogging" }, { "Sid": "FirewallLoggingFH1", "Action": [ "iam:CreateServiceLinkedRole" ], "Resource": "*", "Effect": "Allow" }, { "Sid": "FirewallLoggingFH2", "Action": [ "firehose:TagDeliveryStream" ], "Resource": "arn:aws:firehose:us-east-1:123456789012:deliverystream/delivery-stream-name", "Effect": "Allow" } ] } ``` ------ # Logging in AWS Network Firewall with server-side encryption and customer-provided keys Logging with server-side encryption and customer-provided keys If your logging destination uses server-side encryption with keys that are stored in AWS Key Management Service (SSE-KMS) and you use a customer managed key (KMS key), you must give Network Firewall permission to use your KMS key. To do this, you add a key policy to the KMS key for your chosen destination to permit Network Firewall logging to write your log files to the destination. **Policy for an Amazon S3 bucket** Add the following key policy to your KMS key to allow Network Firewall to log to your Amazon S3 bucket. ``` { "Sid": "Allow Network Firewall to use the key", "Effect": "Allow", "Principal": { "Service": [ "delivery.logs.amazonaws.com" ] }, "Action": "kms:GenerateDataKey*", "Resource": "*" } ``` **Note** Network Firewall supports encryption with Amazon S3 buckets for key type Amazon S3 key (SSE-S3) and for AWS Key Management Service (SSE-KMS) AWS KMS keys. Network Firewall doesn't support encryption for AWS Key Management Service keys that are managed by AWS. **Policy for a CloudWatch Logs log group** For a CloudWatch Logs log group, the service principal requires access to the logs for the Region. This is the same as for all encrypted CloudWatch Logs log streams. For more information about log data encryption in CloudWatch Logs, see [Encrypt Log Data in CloudWatch Logs Using AWS KMS](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/encrypt-log-data-kms.html). Add the following key policy to your KMS key to allow Network Firewall to log to your CloudWatch Logs log group. ``` { "Effect": "Allow", "Principal": { "Service": "logs.{region}.amazonaws.com" }, "Action": [ "kms:Encrypt*", "kms:Decrypt*", "kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:Describe*" ], "Resource": "*" } ``` **Policy for a Firehose delivery stream** For Firehose delivery streams, you allow the service principal to generate keys so that it can put the logging records. Add the following key policy to your KMS key to allow Network Firewall to log to your Firehose delivery stream. ``` { "Sid": "Allow Network Firewall logs to use the key", "Effect": "Allow", "Principal": { "Service": [ "delivery.logs.amazonaws.com" ] }, "Action": "kms:GenerateDataKey*", "Resource": "*" } ``` # Updating a AWS Network Firewall logging configuration Updating a firewall's logging configuration To update your firewall's logging configuration through the Network Firewall AWS Management Console, use the procedure in this section. For the API, see the Network Firewall API action, `UpdateLoggingConfiguration`. **Note** Firewall logging is only available for traffic that you forward to the stateful rules engine. You forward traffic to the stateful engine through stateless rule actions and stateless default actions in the firewall policy. For information about these actions settings, see [Firewall policy settings in AWS Network Firewall](firewall-policy-settings.md) and [Defining rule actions in AWS Network Firewall](rule-action.md). **To update a firewall's logging configuration through the console** 1. Sign in to the AWS Management Console and open the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/). 1. In the navigation pane, under **Network Firewall**, choose **Firewalls**. 1. In the **Firewalls** page, choose the name of the firewall that you want to edit. This takes you to the firewall's details page. 1. Choose the tab **Firewall details**, then in the **Logging** section, choose **Edit**. 1. Adjust the **Log type** selections as needed. To disable logging for a firewall, deselect all options. + **Flow** – Sends logs for all network traffic that the stateless engine forwards to the stateful rules engine. + **Alert** – Sends logs for traffic that matches any stateful rule whose action is set to `Alert`, `Drop`, or `Reject`. For more information about stateful rules and rule groups, see [Managing your own rule groups in AWS Network Firewall](rule-groups.md). + **TLS** – Sends logs for events related to TLS inspection. Network Firewall currently logs failures in certificate revocation checks for outbound traffic and TLS errors. These logs require the firewall to be configured for TLS inspection. For more information, see [Inspecting SSL/TLS traffic with TLS inspection configurations in AWS Network Firewall](tls-inspection-configurations.md). 1. For each selected log type, choose the destination type, then provide the information for the logging destination that you prepared following the guidance in [Firewall logging destinations](firewall-logging-destinations.md). In order to change the destination for an existing **Log type**, you must first disable logging for the policy. Then, edit the policy and specify the new destination(s) for the **Log type**. 1. Choose **Save** to save your changes and return to the firewall's detail page.