AWS::NetworkFirewall::LoggingConfiguration - AWS CloudFormation
Use the AWS::NetworkFirewall::LoggingConfiguration to define the destinations and logging options for an AWS::NetworkFirewall::Firewall.
You must change the logging configuration by changing one LogDestinationConfig setting at a time in your LogDestinationConfigs.
You can make only one of the following changes to your AWS::NetworkFirewall::LoggingConfiguration resource:
- Create a new log destination object by adding a single LogDestinationConfig array element to LogDestinationConfigs.
- Delete a log destination object by removing a single LogDestinationConfig array element from LogDestinationConfigs.
- Change the LogDestination setting in a single LogDestinationConfig array element.
You can't change the LogDestinationType or LogType in a LogDestinationConfig. To change these settings, delete the existing LogDestinationConfig object and create a new one, in two separate modifications.
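A pre-deployment check for the update rule above, added here as an example rather than code from the AWS documentation. It assumes each (LogType, LogDestinationType) pair appears at most once in LogDestinationConfigs, and uses the page's CloudWatch Logs and Kinesis Data Firehose example as constructed input:

```python
"""Pre-deployment check for AWS::NetworkFirewall::LoggingConfiguration updates:
accept only the single LogDestinationConfigs change CloudFormation permits."""


def _key(cfg):
    # LogType and LogDestinationType cannot be edited in place, so together they
    # identify an element; changing either shows up below as remove + add.
    return (cfg["LogType"], cfg["LogDestinationType"])


def classify_update(current, desired):
    """Return ("none", None) or ("add"|"remove"|"change", key); raise ValueError
    when more than one LogDestinationConfig differs. Assumes each
    (LogType, LogDestinationType) pair appears at most once per list."""
    cur = {_key(c): c["LogDestination"] for c in current}
    new = {_key(c): c["LogDestination"] for c in desired}
    if len(cur) != len(current) or len(new) != len(desired):
        raise ValueError("duplicate LogType/LogDestinationType pair in a list")
    added = sorted(set(new) - set(cur))
    removed = sorted(set(cur) - set(new))
    changed = sorted(k for k in cur.keys() & new.keys() if cur[k] != new[k])
    edits = len(added) + len(removed) + len(changed)
    if edits == 0:
        return ("none", None)
    if edits > 1:
        raise ValueError(f"{edits} changes in one update (added={added}, "
                         f"removed={removed}, changed={changed}); apply one "
                         "LogDestinationConfig change per stack update")
    if added:
        return ("add", added[0])
    if removed:
        return ("remove", removed[0])
    return ("change", changed[0])


# Constructed sample: the page's CloudWatch Logs + Kinesis Data Firehose example.
DEPLOYED = [
    {"LogType": "ALERT", "LogDestinationType": "CloudWatchLogs",
     "LogDestination": {"logGroup": "SampleLogGroup"}},
    {"LogType": "FLOW", "LogDestinationType": "KinesisDataFirehose",
     "LogDestination": {"deliveryStream": "SampleStream"}},
]

if __name__ == "__main__":
    # Allowed: only the FLOW element's delivery stream changes. Moving FLOW to
    # S3 instead would be a remove plus an add and raise ValueError.
    renamed = [DEPLOYED[0],
               {**DEPLOYED[1], "LogDestination": {"deliveryStream": "Other"}}]
    print(classify_update(DEPLOYED, renamed))
```

Run it against the deployed and proposed LogDestinationConfigs before a stack update; a ValueError means the update has to be split into separate modifications.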
Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:
JSON
{
  "Type" : "AWS::NetworkFirewall::LoggingConfiguration",
  "Properties" : {
    "FirewallArn" : String,
    "FirewallName" : String,
    "LoggingConfiguration" : LoggingConfiguration
  }
}
Properties
FirewallArn
The Amazon Resource Name (ARN) of the AWS::NetworkFirewall::Firewall that the logging configuration is associated with. You can't change the firewall specification after you create the logging configuration.
Required: Yes
Type: String
Pattern: ^arn:aws.*$
Minimum: 1
Maximum: 256
Update requires: Replacement
FirewallName
The name of the firewall that the logging configuration is associated with. You can't change the firewall specification after you create the logging configuration.
Required: No
Type: String
Pattern: ^[a-zA-Z0-9-]+$
Minimum: 1
Maximum: 128
Update requires: Replacement
LoggingConfiguration
Defines how AWS Network Firewall performs logging for an AWS::NetworkFirewall::Firewall.
Required: Yes
Type: LoggingConfiguration
Update requires: No interruption
Return values
Ref
When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns the Amazon Resource Name (ARN) of the firewall that the logging configuration is associated with. For example:
{ "Ref": "arn:aws:network-firewall:us-east-1:012345678901:firewall/myFirewallName" }
For more information about using the Ref function, see Ref.
Examples
- Create a logging configuration for CloudWatch Logs and Kinesis Data Firehose
- Create a logging configuration for Amazon S3
Create a logging configuration for CloudWatch Logs and Kinesis Data Firehose
The following shows example logging configuration specifications for alert logs that go to an Amazon CloudWatch Logs log group and flow logs that go to an Amazon Kinesis Data Firehose delivery stream.
JSON
"SampleLoggingConfiguration": {
  "Type": "AWS::NetworkFirewall::LoggingConfiguration",
  "Properties": {
    "FirewallArn": {
      "Ref": "SampleFirewallArn"
    },
    "LoggingConfiguration": {
      "LogDestinationConfigs": [
        {
          "LogType": "ALERT",
          "LogDestinationType": "CloudWatchLogs",
          "LogDestination": {
            "logGroup": "SampleLogGroup"
          }
        },
        {
          "LogType": "FLOW",
          "LogDestinationType": "KinesisDataFirehose",
          "LogDestination": {
            "deliveryStream": "SampleStream"
          }
        }
      ]
    }
  }
}
YAML
SampleLoggingConfiguration:
  Type: 'AWS::NetworkFirewall::LoggingConfiguration'
  Properties:
    FirewallArn: !Ref SampleFirewallArn
    LoggingConfiguration:
      LogDestinationConfigs:
        - LogType: ALERT
          LogDestinationType: CloudWatchLogs
          LogDestination:
            logGroup: SampleLogGroup
        - LogType: FLOW
          LogDestinationType: KinesisDataFirehose
          LogDestination:
            deliveryStream: SampleStream
Create a logging configuration for Amazon S3
The following shows example logging configuration specifications for flow logs that go to an Amazon S3 bucket.
JSON
"SampleLoggingConfiguration": {
  "Type": "AWS::NetworkFirewall::LoggingConfiguration",
  "Properties": {
    "FirewallArn": {
      "Ref": "SampleFirewallArn"
    },
    "LoggingConfiguration": {
      "LogDestinationConfigs": [
        {
          "LogType": "FLOW",
          "LogDestinationType": "S3",
          "LogDestination": {
            "bucketName": "sample-bucket-name",
            "prefix": "sample/s3/prefix"
          }
        }
      ]
    }
  }
}
YAML
SampleLoggingConfiguration:
  Type: 'AWS::NetworkFirewall::LoggingConfiguration'
  Properties:
    FirewallArn: !Ref SampleFirewallArn
    LoggingConfiguration:
      LogDestinationConfigs:
        - LogType: FLOW
          LogDestinationType: S3
          LogDestination:
            bucketName: sample-bucket-name
            prefix: sample/s3/prefix