Skip to main content
emnode / learn
Compliance

Enable network and edge logging (LB, WAF, firewall, DNS)

One capability across load balancers, WAF web ACLs, Network Firewall and Route 53: make sure every device that sits in the traffic path keeps a queryable record of what it allowed, blocked and resolved.

14 min·10 sections·AWS

Last reviewed

Remediates AWS Security Hub: ELB.5NetworkFirewall.2Route53.2WAF.1WAF.11

Network and edge logging: the basics

What does "edge logging" mean across the traffic path?

Every request to a public application crosses a chain of network and edge devices: DNS resolves the name through Route 53, a load balancer brokers the HTTP request, a WAF web ACL decides whether to allow or block it, and a Network Firewall inspects the packets crossing a subnet boundary. Each of these can record what it saw, and almost all of them ship with that logging switched off by default. With logging off, the device does its job in the moment and forgets everything: the request was answered, the rule fired, the packet was dropped, and there is no record you can go back to.

Security Hub turns each device's logging into its own control, which is why one estate can fail a cluster of edge-logging checks at once. ELB.5 covers Application and Classic Load Balancer access logs; WAF.1 and WAF.11 cover WAF Classic and WAFv2 web ACL logging; NetworkFirewall.2 covers Network Firewall FLOW, ALERT and TLS logs; Route53.2 covers public hosted zone DNS query logging. They look like separate problems on the report, but they are one capability: every device in the traffic path should write down what it allowed, blocked and resolved, somewhere you can query later.

This capability is distinct from both CloudTrail and from application logging. CloudTrail records who called which AWS API. Application logging records what an application service did once it was running. Network and edge logging records the traffic itself: the request line through the load balancer, the rule a WAF matched, the connection a firewall dropped, the DNS name that was looked up. These are the artefacts an incident responder reaches for first, because they describe the attack as it crossed your perimeter.

In this lesson you will learn how AWS expresses logging across load balancers, WAF web ACLs, Network Firewall and Route 53, why each device ships with logging off, and how to turn it on with the right destination, retention and cost controls. The Controls this lesson covers section lists every Security Hub control in this capability, each linking to a deep page with the exact check and a copy-and-paste fix.

Fun fact

The block you couldn't prove

A retail platform took a credential-stuffing wave during a holiday sale. Their WAF rate-based rule did its job and blocked the bulk of it, but logging was never enabled on that web ACL. When the security team sat down to scope the incident, they had request counts showing a spike and a blocked total, and nothing else: no source IPs, no matched-rule detail, no URI patterns. They could not tell legitimate customers caught in the block from the attackers, could not tune the rule, and could not hand the auditor a single log line proving the control fired. Enabling logging took one API call. Reconstructing those four hours afterwards was impossible.

Finding the devices that record nothing

Marco runs platform engineering at a fintech. A Security Hub digest flags a cluster of edge-logging findings: production ALBs with no access logs, a WAFv2 web ACL with no logging configuration, the production egress firewall with no log destination, and several public hosted zones with no query logging. Severity ranges from Low to High, but he knows from experience that the day someone needs any of them is the day they aren't there.

Rather than work the findings one by one, he starts by confirming the current state on each device type, so he can apply one consistent baseline with sensible destinations and retention rather than chasing each control.

Pull a load balancer's attributes. Access logging is governed by the access_logs.s3.* keys; if enabled is false, every request is going unrecorded.

$ aws elbv2 describe-load-balancer-attributes --load-balancer-arn arn:aws:elasticloadbalancing:eu-west-1:123456789012:loadbalancer/app/prod-api/4e8a1b3c5d7f9021 --query 'Attributes[?starts_with(Key, `access_logs`)]' --output table
------------------------------------------------
| Key | Value |
+----------------------------------+-----------+
| access_logs.s3.enabled | false |
| access_logs.s3.bucket | |
------------------------------------------------
# Logging is off: every request hitting this load balancer is unrecorded.

Load balancers, WAF, firewall and DNS all default to no logging. The report shows separate findings, but it is one capability.

How edge logging works across the traffic pathdeep dive

Each device exposes its own logging mechanism, and each one trips people up differently. Load balancer access logs are a pair of attributes (access_logs.s3.enabled plus a bucket and prefix); they deliver one gzipped line per request to S3 every five minutes, and the destination bucket must grant the AWS log-delivery principal PutObject or the enable call fails up front. WAF logging is a per-web-ACL logging configuration attached with PutLoggingConfiguration; the destination (an Amazon Data Firehose stream, a CloudWatch log group, or an S3 bucket) must be named with the mandatory aws-waf-logs- prefix, and the mere existence of the configuration is what makes the control pass. Network Firewall logging is a separate LoggingConfiguration object supporting three log types (FLOW, ALERT, TLS) wired to S3, CloudWatch Logs or Firehose; a configuration that points at a deleted destination fails the control just as an empty one does.

Route 53 query logging carries the constraint that catches everyone: a public hosted zone only writes query logs to a CloudWatch log group in us-east-1, because Route 53 is a global service. Each record captures the queried name, type, edge POP, protocol and response code, but not the requester's IP (Route 53 only sees the resolver). It is distinct from Resolver query logging, which records what your VPCs look up; only the public hosted zone product is in scope here.

Security Hub evaluates these through AWS Config managed rules on mixed schedules, so some flip to PASSED within minutes and some on a periodic cycle. Two themes run across all of them. Logging is forward-only: it captures traffic from the moment it is enabled, never the historical backlog, which is why enabling it before an incident matters. And cost is controlled with two levers: lifecycle tiering to cheaper storage for high-volume logs, and filtering (a WAF LoggingFilter that keeps only blocked requests, ALERT-only on a firewall) to cut volume by an order of magnitude while keeping the security-relevant events.

What is the impact of edge devices that log nothing?

The first impact is forensic blindness. When an incident touches the network (a suspected exfiltration, a credential-stuffing wave, lateral movement, a service outage that might be a block-rule misfire) the first thing responders reach for is the edge logs. Without them you are reduced to aggregate counters and downstream application logs, neither of which preserves the actual request, the matched rule, the dropped connection or the DNS lookup that triggered the issue. A question that should take minutes becomes a multi-day reconstruction, or simply cannot be answered, and the data cannot be recovered after the fact.

The second impact is detection and tuning. Edge logs feed traffic-pattern analysis: a spike of NXDOMAIN responses for random subdomains is the signature of DGA malware, a flood of requests to /admin is enumeration, a WAF rule blocking legitimate customers is a false positive you can only find by reading the logs. With logging off, detection is impossible and rule tuning becomes guesswork, so teams tend to loosen rules and weaken protection rather than fix the specific rule at fault.

The third impact is compliance. ELB.5 maps to PCI DSS section 10 and to SOC 2 and ISO 27001 access-logging expectations; Route53.2 is rated High because DNS is in the attack chain of the vast majority of breaches; WAF.1, WAF.11 and NetworkFirewall.2 map to PCI DSS and NIST 800-53 audit controls. A device in a compliance scope without logging is an open finding the moment an auditor asks, and remediating under deadline (with a history that only starts the day you enabled it) is far more painful than having had it on all along.

The cost of fixing it is genuinely small and runs the right way. Load balancer logs at scale are a few dollars a month per balancer once tiered to S3 Infrequent Access and Glacier; WAF and firewall logs are pennies to a few dollars with a logging filter; Route 53 query logs are a few dollars a month even for a busy zone. Against the cost of an un-investigable incident or a blocked certification, this is one of the cheapest sets of controls in Security Hub to satisfy.

How do you enable edge logging safely?

Work the capability as one loop rather than chasing individual findings. Inventory the devices that record nothing, prepare correctly-permissioned destinations, enable logging with filtering and lifecycle controls, then make logging a provisioning default so the whole group stays green.

1. Inventory every device and its logging state

Across every account and Region, enumerate load balancers (describe-load-balancer-attributes), WAF web ACLs in both REGIONAL and CLOUDFRONT scope (get-logging-configuration), Network Firewalls (describe-logging-configuration) and public hosted zones (list-query-logging-configs versus list-hosted-zones). Anything missing a logging destination is a gap. The oldest internet-facing devices are usually both the highest-traffic and the highest-stakes, so capture rough volume too.

2. Prepare correctly-named, correctly-permissioned destinations

Each device has its own destination rule. Load balancer logs need an S3 bucket granting the AWS log-delivery principal PutObject. WAF and Network Firewall destinations must exist before you reference them, and WAF destinations must be named with the aws-waf-logs- prefix. Route 53 query logs only write to a CloudWatch log group in us-east-1. Reuse shared, hardened destinations across many devices rather than one per device, and block public access on every log bucket.

3. Enable logging with filtering and lifecycle controls

Turn logging on with the device's own call: modify-load-balancer-attributes, put-logging-configuration for WAF, update-logging-configuration for Network Firewall, create-query-logging-config for Route 53. Control volume and cost with the two levers: a WAF LoggingFilter or ALERT-only firewall logging to keep just the security-relevant events, and an S3 lifecycle rule tiering high-volume logs to Infrequent Access at 30 days and Glacier at 90. Redact sensitive WAF fields such as the authorization and cookie headers.

4. Make logging a provisioning default

The manual fix clears today's findings; it does not stop new ones. Bake logging into the CloudFormation, Terraform or CDK modules every load balancer, web ACL, firewall and hosted zone is created from, and enforce it with the matching AWS Config rules (and AWS Firewall Manager for WAF across accounts) so a non-compliant device is flagged the moment it deploys. When logging is a property of provisioning, the whole edge-logging group goes to zero and stays there.

# Load balancer: enable access logs to a dedicated, log-delivery-permissioned bucket.
aws elbv2 modify-load-balancer-attributes \
  --load-balancer-arn "$LB_ARN" \
  --attributes \
      Key=access_logs.s3.enabled,Value=true \
      Key=access_logs.s3.bucket,Value=acme-elb-logs-eu-west-1 \
      Key=access_logs.s3.prefix,Value=prod-api

# WAF web ACL: attach logging (Firehose/log-group name must start with aws-waf-logs-),
# redact credentials, and keep only blocked requests to cap volume.
aws wafv2 put-logging-configuration --logging-configuration \
  ResourceArn="$WEBACL_ARN",LogDestinationConfigs="arn:aws:firehose:us-east-1:111122223333:deliverystream/aws-waf-logs-prod",RedactedFields=[{SingleHeader={Name=authorization}}]

# Network Firewall: enable ALERT logs to CloudWatch and FLOW logs to S3.
aws network-firewall update-logging-configuration --firewall-name prod-egress-fw \
  --logging-configuration 'LogDestinationConfigs=[{LogType=ALERT,LogDestinationType=CloudWatchLogs,LogDestination={logGroup=/netfw/prod-egress-fw/alert}}]'

# Route 53: log group MUST be in us-east-1, then attach the query logging config.
aws logs create-log-group --log-group-name /aws/route53/customer-portal --region us-east-1
aws route53 create-query-logging-config --hosted-zone-id Z0J1K4M2X8N9A1 \
  --cloud-watch-logs-log-group-arn arn:aws:logs:us-east-1:123456789012:log-group:/aws/route53/customer-portal

Quick quiz

Question 1 of 5

Security Hub shows edge-logging failures across load balancers, WAF, Network Firewall and Route 53. What is the most efficient way to think about them?

You can now treat network and edge logging as one capability rather than a scatter of findings: inventory the load balancers, web ACLs, firewalls and DNS zones running silent, prepare correctly-permissioned destinations, enable logging with filtering and lifecycle controls, and make it a provisioning default so the whole group stays green. The Controls this lesson covers section below links every control in this group to its deep page and fix.

Back to the library

Controls this lesson covers

One capability, many AWS Security Hub controls. This lesson is the shared playbook; each control below keeps its own deep page with the exact check, severity and a copy-and-paste fix.

Part of the learning path See what's happening

Related compliance lessons