
awscdk - awswaf - logging configuration fails to deploy

I'm using CDK version 1.139.0, and I had a WAF added earlier in my previous deployment. Now I tried to add the logging configuration for that WAF. So I added the below code in CDK and generated the template.

    // CDK v1 module for WAFv2 L1 constructs
    import { CfnLoggingConfiguration } from '@aws-cdk/aws-wafv2';

    new CfnLoggingConfiguration(scope, 'WafLoggingConfig', {
      resourceArn: webAcl.attrArn, // here I attached the web ACL using the web ACL code reference.
      logDestinationConfigs: [`arn:aws:logs:${region}:${accountId}:log-group:aws-waf-logs-for-app`],
    });

Note: I have already created the log group for the WAF, named aws-waf-logs-for-app (which has the prefix WAF expects).

After synthesizing/generating the template I ran cdk deploy to update the CloudFormation stack.

List of policy actions I have already attached to CloudFormation:

    'wafv2:AssociateWebACL',
    'wafv2:CreateWebACL',
    'wafv2:DeleteWebACL',
    'wafv2:DescribeManagedRuleGroup',
    'wafv2:DisassociateWebACL',
    'wafv2:Get*',
    'wafv2:List*',
    'wafv2:UpdateWebACL',
    'wafv2:GetLoggingConfiguration',
    'wafv2:ListLoggingConfiguration',
    'wafv2:PutLoggingConfiguration',
    'wafv2:DeleteLoggingConfiguration',
    'cloudwatch:DeleteAlarms',
    'cloudwatch:Describe*',
    'cloudwatch:DisableAlarmActions',
    'cloudwatch:EnableAlarmActions',
    'cloudwatch:GetDashboard',
    'cloudwatch:ListDashboards',
    'cloudwatch:PutDashboard',
    'cloudwatch:DeleteDashboards',
    'cloudwatch:GetMetricData',
    'cloudwatch:GetMetricStatistics',
    'cloudwatch:ListMetrics',
    'cloudwatch:PutMetricAlarm',
    'cloudwatch:PutMetricData',

and other policies for other resources.

But my CloudFormation stack fails to deploy the logging configuration for the WAF and displays the below error on the CloudFormation events page.

Resource handler returned message: "You don't have the permissions that are required to perform this operation. (Service: Wafv2, Status Code: 400, Request ID: {12474621823782738}, Extended Request ID: null)" (RequestToken: {9732489732849732878973}, HandlerErrorCode: GeneralServiceException)

Note: In the above error I have modified the values of the Request ID and RequestToken. I believe I have given CloudFormation the needed policies.

Is it a bug in CDK? Did CDK fail to create a role needed for this? Can someone help me with this?

You have the wafv2:PutLoggingConfiguration action allowed in your policy, but this by itself is not sufficient to allow the action. This is because wafv2:PutLoggingConfiguration has iam:CreateServiceLinkedRole as a dependent action.

References

The Dependent actions column includes any additional permissions that you must have, in addition to the permission for the action itself, to successfully call the action. This can be required if the action accesses more than one resource.
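To make the dependent-action point concrete, here is an added example (not code from the question, the answer or the CDK project) in plain TypeScript: a small checker that evaluates an IAM-style action list, wildcards included, against a table of dependent actions, reproduces why the asker's list fails for wafv2:PutLoggingConfiguration, and shows the statement to add. The dependency entry is the one stated in the answer; the service-linked role ARN (AWSServiceRoleForWAFV2Logging) and the wafv2.amazonaws.com service name used to scope the new statement are assumptions taken from the WAF service-linked role documentation rather than from this page.

```typescript
// Added example, not from the original post. Models IAM Allow statements
// and the "dependent action" rule the answer describes.

interface Statement {
  Effect: 'Allow' | 'Deny';
  Action: string[];
  Resource: string | string[];
  Condition?: Record<string, Record<string, string>>;
}

// Calling the key action also requires every action listed in the value.
// The single entry here is the fact from the answer above.
const DEPENDENT_ACTIONS: Record<string, string[]> = {
  'wafv2:PutLoggingConfiguration': ['iam:CreateServiceLinkedRole'],
};

// IAM-style glob match: '*' matches any run of characters, '?' one character,
// comparison is case-insensitive like IAM action matching.
function actionMatches(pattern: string, action: string): boolean {
  const body = pattern
    .split('')
    .map((c) =>
      c === '*' ? '.*' : c === '?' ? '.' : c.replace(/[.+^${}()|[\]\\]/g, '\\$&'),
    )
    .join('');
  return new RegExp('^' + body + '$', 'i').test(action);
}

// True when at least one Allow statement covers the action (Deny not modelled).
function isAllowed(statements: Statement[], action: string): boolean {
  return statements.some(
    (s) => s.Effect === 'Allow' && s.Action.some((p) => actionMatches(p, action)),
  );
}

// Every action still missing before `action` can succeed, including the
// action itself if it is not allowed at all.
function missingForAction(statements: Statement[], action: string): string[] {
  const required = [action, ...(DEPENDENT_ACTIONS[action] ?? [])];
  return required.filter((a) => !isAllowed(statements, a));
}

// The asker's policy, reduced to the wafv2 entries that matter here.
const askerPolicy: Statement[] = [
  {
    Effect: 'Allow',
    Action: [
      'wafv2:AssociateWebACL', 'wafv2:CreateWebACL', 'wafv2:DeleteWebACL',
      'wafv2:Get*', 'wafv2:List*', 'wafv2:UpdateWebACL',
      'wafv2:PutLoggingConfiguration', 'wafv2:DeleteLoggingConfiguration',
    ],
    Resource: '*',
  },
];

// The statement to add. Resource and Condition (assumed values, see lead-in)
// restrict the deployment role to creating the WAF logging service-linked
// role only, instead of granting iam:CreateServiceLinkedRole on '*'.
const createWafServiceLinkedRole: Statement = {
  Effect: 'Allow',
  Action: ['iam:CreateServiceLinkedRole'],
  Resource:
    'arn:aws:iam::*:role/aws-service-role/wafv2.amazonaws.com/AWSServiceRoleForWAFV2Logging',
  Condition: { StringLike: { 'iam:AWSServiceName': 'wafv2.amazonaws.com' } },
};

const fixedPolicy: Statement[] = [...askerPolicy, createWafServiceLinkedRole];

// missingForAction(askerPolicy, 'wafv2:PutLoggingConfiguration')
//   -> ['iam:CreateServiceLinkedRole']
// missingForAction(fixedPolicy, 'wafv2:PutLoggingConfiguration')
//   -> []
```

Two practical notes. The wildcard matching is why wafv2:Get* already covers wafv2:GetLoggingConfiguration in the asker's list, so the explicit entry is redundant, while nothing covers the iam action the call depends on. And because a service-linked role is created once per account, the dependent action is only exercised until AWSServiceRoleForWAFV2Logging exists; a deployment that succeeds in one account and fails with the same 400 in a fresh one is a typical sign of this missing grant.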
