AWS waf documentation change
Summary
Added note clarifying required s3:ListBucket permission for AWS WAF logging to prevent AccessDenied errors in CloudTrail.
Security assessment
The change improves documentation about required permissions for secure logging configuration but does not address a specific vulnerability. Enhances security best practice documentation for logging setup.
Diff
diff --git a/waf/latest/developerguide/logging-s3.md b/waf/latest/developerguide/logging-s3.md index 4a73b6bff..e4c80b6dc 100644 --- a//waf/latest/developerguide/logging-s3.md +++ b//waf/latest/developerguide/logging-s3.md @@ -234,0 +235,4 @@ For example, the following bucket policy allows AWS account `111122223333` to pu +###### Note + +In some cases, you may see `AccessDenied` errors in AWS CloudTrail if the `s3:ListBucket` permission has not been granted to `delivery.logs.amazonaws.com`. To avoid these errors in your CloudTrail logs, you must grant the `s3:ListBucket` permission to `delivery.logs.amazonaws.com` and you must include the `Condition` parameters shown with the `s3:GetBucketAcl `permission set in the preceding bucket policy. To make this simpler, instead of creating a new `Statement`, you can directly update the `AWSLogDeliveryAclCheck` to be `“Action”: [“s3:GetBucketAcl”, “s3:ListBucket”]`. +