Log all requests through backend_public WAF ACL #1822
Merged
Trello card
Rationale: We recently added support (#1819) for JA3 denylisting on the backend_public ACL, but the only place we currently log JA3 fingerprints is in the WAF logs. Currently the backend_public ACL is configured to only log requests that were blocked or counted, so we have no way to find the JA3 fingerprints of traffic that was allowed, but that we want to add to the JA3 denylist.
This will increase the number of requests being logged by this ACL, but the amount is around the same order of magnitude as the volume of requests we already block (and therefore log) in the cache_public ACL. The aws-waf-logs-backend-public-production log group only has 1 month of retention.
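An added example, not part of this pull request or the project's code: once allowed requests are logged, their JA3 fingerprints can be tallied from exported WAF log records to review candidates for the denylist. It assumes one JSON record per line with the AWS WAF log fields `action`, `ja3Fingerprint` and `httpRequest`; the sample records and the function name `summarise_ja3` are constructed for illustration.

```python
import json
from collections import Counter, defaultdict

# Constructed sample records (not real traffic); JA3 values are placeholders.
JA3_A = "1" * 32
JA3_B = "2" * 32
SAMPLE_LOG_LINES = [
    json.dumps({"action": "ALLOW", "ja3Fingerprint": JA3_A,
                "httpRequest": {"clientIp": "198.51.100.7", "uri": "/search"}}),
    json.dumps({"action": "ALLOW", "ja3Fingerprint": JA3_A,
                "httpRequest": {"clientIp": "198.51.100.8", "uri": "/search"}}),
    json.dumps({"action": "ALLOW", "ja3Fingerprint": JA3_A,
                "httpRequest": {"clientIp": "198.51.100.7", "uri": "/api"}}),
    json.dumps({"action": "ALLOW", "ja3Fingerprint": JA3_B,
                "httpRequest": {"clientIp": "203.0.113.5", "uri": "/"}}),
    json.dumps({"action": "BLOCK", "ja3Fingerprint": JA3_A,
                "httpRequest": {"clientIp": "198.51.100.9", "uri": "/search"}}),
    json.dumps({"action": "ALLOW",  # no fingerprint recorded for this request
                "httpRequest": {"clientIp": "203.0.113.6", "uri": "/"}}),
    "truncated {not json",          # malformed line, must be skipped
]

def summarise_ja3(lines, action="ALLOW"):
    """Summarise JA3 fingerprints seen on records with the given WAF action.

    Returns a list of dicts ordered by request count, highest first.
    """
    counts = Counter()
    ips = defaultdict(set)
    uris = defaultdict(Counter)
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip partial or corrupt export lines
        if not isinstance(rec, dict):
            continue
        ja3 = rec.get("ja3Fingerprint")
        if rec.get("action") != action or not ja3:
            continue
        req = rec.get("httpRequest") or {}
        counts[ja3] += 1
        ips[ja3].add(req.get("clientIp"))
        uris[ja3][req.get("uri")] += 1
    return [{"ja3": j, "requests": n, "client_ips": len(ips[j]),
             "top_uris": uris[j].most_common(3)}
            for j, n in counts.most_common()]

if __name__ == "__main__":
    for row in summarise_ja3(SAMPLE_LOG_LINES):
        print(row)
```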