I have a Cloudformation template that creates a WAFv2 along with Cloudwatch Logging. I encountered an issue when trying to set the LoggingConfiguration. The actual error I got looks something like this:
Resource handler returned message: "Error reason: The ARN isn't valid. A valid ARN begins with arn: and includes other information separated by colons or slashes., field: LOG_DESTINATION, parameter: arn:aws:logs:us-east-1:xxxxx:log-group:aws-waf-bar-foo:*
My LoggingConfiguration looks something like this:
"webAcllogging": {
"Type": "AWS::WAFv2::LoggingConfiguration",
"Properties": {
"ResourceArn": {
"Fn::GetAtt": [
"webAcl",
"Arn"
]
},
"LogDestinationConfigs": [
{
"Fn::Sub": "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:aws-waf-bar-foo:*"
}
],
"RedactedFields": [
{
"SingleHeader": {
"Name": "password"
}
}
]
}
},
I tried changing a few things and I still encounter this error. Anyone knows why?
It turns out that you have to use a special naming convention for WAF logs.
The name needs to be prefixed by aws-waf-logs-
.
So the LogDestinationConfigs
should as follows:
"LogDestinationConfigs": [
{
"Fn::Sub": "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:aws-waf-logs-bar-foo:*"
}
],
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.