Monitor

This lab section gives you basic hands-on experience with using CloudWatch to monitor AWS WAF and with investigating its logs. CloudWatch metrics are recorded for each ACL and each WAF rule in it. In addition, this workshop has AWS WAF preconfigured for real-time logging to Amazon S3 via Amazon Kinesis Firehose. You will be guided to investigate those logs with Amazon Athena queries.

You can have a look at the configuration in the “Logging and metrics” tab in the AWS WAF > Web ACLs > <ACL name> page.

The data schema can be checked in AWS Glue.

The table schema

HTTP request structure:

{
  "httprequest": {
    "clientip": "string",
    "country": "string",
    "headers": [
      {
        "name": "string",
        "value": "string"
      }
    ],
    "uri": "string",
    "args": "string",
    "httpversion": "string",
    "httpmethod": "string",
    "requestid": "string"
  }
}
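
An Athena query over the `httprequest` structure above, added here as an example and not part of the original workshop. It shows how to read the nested struct fields and how to pull a single header out of the `headers` array to profile the busiest clients. The table name `waf_logs` is an assumed placeholder; use the database and table shown in AWS Glue.

```sql
-- Added example, not the workshop's own query.
-- Assumption: the Glue table is called waf_logs (hypothetical placeholder).
WITH req AS (
    SELECT
        httprequest.requestid  AS requestid,
        httprequest.clientip   AS clientip,
        httprequest.country    AS country,
        httprequest.httpmethod AS httpmethod,
        httprequest.uri        AS uri,
        httprequest.args       AS args,
        -- headers is an array of {name, value} structs. Header names can
        -- arrive in any letter case, so compare in lower case.
        -- element_at() returns NULL when the header is absent, which keeps
        -- requests without a User-Agent in the result instead of dropping them.
        element_at(
            transform(
                filter(httprequest.headers, h -> lower(h.name) = 'user-agent'),
                h -> h.value
            ),
            1
        ) AS user_agent
    FROM waf_logs
)
SELECT
    clientip,
    country,
    user_agent,
    count(*)            AS requests,
    count(DISTINCT uri) AS distinct_uris,
    -- Share of this client's requests that carried a query string.
    round(100.0 * count_if(args <> '') / count(*), 1) AS pct_with_args
FROM req
GROUP BY clientip, country, user_agent
ORDER BY requests DESC
LIMIT 20;
```

A client with a high `distinct_uris` count or a NULL `user_agent` is a reasonable starting point for closer inspection of its individual requests by `requestid`.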

Content

  1. Investigate AWS WAF Logs
  2. Block Mystery Test
  3. Insert Custom HTTP Request Header