AWS WAF Integration
Overview
AWS WAF protects web applications from common exploits and bots. KYRA MDR collects AWS WAF logs via Kinesis Firehose or S3 for web application security monitoring. The integration supports AWS WAF (v2) with CloudFront, ALB, and API Gateway.
Prerequisites
- A KYRA MDR Collector installed and running
- AWS account with WAF deployed
- IAM role with WAF and Kinesis/S3 permissions
- AWS WAF logging enabled
Configuration
Enable AWS WAF logging:
- Navigate to AWS WAF > Web ACLs > your-acl > Logging
- Enable logging to a Kinesis Data Firehose or S3 bucket
- Configure the KYRA MDR collector:

```yaml
sources:
  - type: aws-waf
    region: ap-northeast-2
    s3_bucket: kyra-waf-logs
    access_key_id: <access-key>
    secret_access_key: <secret-key>
    poll_interval: 60s
```

- Restart the collector service
Collected Log Types
| Log Type | Description | Security Use |
|---|---|---|
| Web ACL | Rule match and action events | Web attack detection |
| Rate-based | Rate limit trigger events | DDoS and brute force |
| Managed Rules | AWS managed rule matches | OWASP Top 10 protection |
| Bot Control | Bot detection events | Bot traffic management |
| IP Reputation | IP reputation list matches | Known bad actor blocking |
| Custom Rules | Custom rule match events | Application-specific protection |
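To sanity-check what lands in the bucket, the following added example (not KYRA MDR code) sorts raw AWS WAF v2 log records into the log types in the table above and counts blocked requests per type. The mapping from `terminatingRuleType` and `ruleGroupId` to a table row is an assumption of this example, and the sample records, rule names and IPs are constructed.

```python
import json
from collections import Counter

# Helper that builds one constructed record with the AWS WAF v2 log fields used below.
def make_record(action, rule_type, rule_id, group_id, ip):
    groups = [{"ruleGroupId": group_id, "terminatingRule": {"action": action}}] if group_id else []
    return json.dumps({"action": action, "terminatingRuleType": rule_type, "terminatingRuleId": rule_id,
                       "ruleGroupList": groups, "httpRequest": {"clientIp": ip}})

# Constructed sample input: one JSON object per line; rule names and IPs are invented.
SAMPLE_LOG = "\n".join([
    make_record("BLOCK", "RATE_BASED", "login-rate-limit", None, "203.0.113.10"),
    make_record("BLOCK", "MANAGED_RULE_GROUP", "aws-common", "AWS#AWSManagedRulesCommonRuleSet", "198.51.100.7"),
    make_record("BLOCK", "MANAGED_RULE_GROUP", "aws-ip-rep", "AWS#AWSManagedRulesAmazonIpReputationList", "198.51.100.7"),
    make_record("BLOCK", "MANAGED_RULE_GROUP", "aws-bot", "AWS#AWSManagedRulesBotControlRuleSet", "203.0.113.10"),
    make_record("BLOCK", "REGULAR", "block-admin-path", None, "192.0.2.44"),
    make_record("ALLOW", "REGULAR", "Default_Action", None, "192.0.2.44"),
    "{truncated",  # malformed line, e.g. a partially delivered object
])

def classify(rec):
    """Map one WAF record to a 'Log Type' from the table (assumed mapping)."""
    rtype = rec.get("terminatingRuleType")
    if rtype == "RATE_BASED":
        return "Rate-based"
    if rtype == "MANAGED_RULE_GROUP":
        # The group that ended evaluation is the one with a non-null terminatingRule.
        gid = next((g.get("ruleGroupId", "") for g in rec.get("ruleGroupList") or []
                    if g.get("terminatingRule")), "")
        if "BotControl" in gid:
            return "Bot Control"
        if "IpReputation" in gid or "AnonymousIpList" in gid:
            return "IP Reputation"
        return "Managed Rules"
    if rtype in ("REGULAR", "GROUP") and rec.get("terminatingRuleId") != "Default_Action":
        return "Custom Rules"
    return "Web ACL"  # default action or an unrecognised rule type

def summarize(text):
    """Return (blocked-request count per log type, number of unparseable lines)."""
    blocked, bad = Counter(), 0
    for line in text.splitlines():
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            bad += 1  # count, do not silently drop: a rising value signals delivery problems
            continue
        if rec.get("action") == "BLOCK":
            blocked[classify(rec)] += 1
    return blocked, bad
```

A non-zero unparseable count or a log type that never appears for a Web ACL known to use it is worth checking against the logging configuration.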
Troubleshooting
No WAF logs: Verify WAF logging is enabled on the Web ACL.
S3 delivery delay: Set the Kinesis Firehose buffer interval to 60 seconds for near real-time delivery.
Missing request body: AWS WAF logs do not include the full request body by default.
Contact kyra@seekerslab.com for support.