Why aren't my AWS WAF logs publishing to the destination that I configured?

Resolution

You can publish AWS WAF logs to a log group in Amazon CloudWatch Logs, an Amazon Simple Storage Service (Amazon S3) bucket, or Amazon Data Firehose delivery stream. To determine why your AWS WAF logs aren't publishing, check the configuration for the destination that you're using.

Check your log filtering configuration

You can configure log filtering to specify when to keep requests and when to delete them. To determine whether a log is missing, check your web access control list (web ACL) logging configuration in AWS WAF.

CloudWatch Logs

Take the following actions:

• Verify that the log group name starts with aws-waf-logs.
• Verify that you have the required permissions to publish logs to CloudWatch Logs.
• Check that the log group has a resource policy with permissions.

Amazon S3 bucket

Take the following actions:

• Verify that the Amazon S3 bucket name starts with aws-waf-logs.
• Check your Amazon S3 bucket encryption key. AWS WAF doesn't support AWS Key Management Service (AWS KMS) keys that AWS manages. AWS WAF supports only Amazon S3 managed keys (SSE-S3) or AWS KMS for AWS KMS keys (SSE-KMS).
• Verify that you have the required permissions to publish logs to Amazon S3. By default, Amazon S3 buckets and their objects are private. S3 bucket owners can use the access policy to grant access to other AWS resources.

Firehose delivery stream

Take the following actions:

• Verify that the Firehose delivery stream name starts with aws-waf-logs.
• Verify that you have the required permissions to publish logs to an Firehose delivery stream.

Related information

How do I turn on AWS WAF logging and send logs to CloudWatch, Amazon S3, or Firehose?