AWS network-firewall documentation change
Summary
Added documentation about required permissions for Amazon Athena integration with S3 logging, including IAM policy examples, region/bucket prefix constraints, and cost considerations for detailed monitoring dashboards.
Security assessment
The changes document required permissions (Athena/Glue/S3) and configuration constraints for security monitoring features. While this improves security posture by guiding proper access controls, there is no evidence of addressing a specific vulnerability.
Diff
diff --git a/network-firewall/latest/developerguide/logging-s3.md b/network-firewall/latest/developerguide/logging-s3.md index a4778adf7..df9ad3f93 100644 --- a//network-firewall/latest/developerguide/logging-s3.md +++ b//network-firewall/latest/developerguide/logging-s3.md @@ -5 +5 @@ -Permissions to publish logs to Amazon S3 Amazon S3 log file access +Permissions to publish logs to Amazon S3 (Optional) Permissions to access Amazon S3 log metrics in Network Firewall using Amazon AthenaAmazon S3 log file access @@ -14,0 +15,19 @@ Network Firewall supports encryption with Amazon S3 buckets for key type Amazon +###### Note + +For information about the fees associated with sending logs to Amazon S3, see [Pricing for AWS Network Firewall logging](./firewall-logging-pricing.html). + +###### Important + +If you enable detailed monitoring for a firewall that sends alert or flow logs to Amazon S3, Network Firewall uses Amazon Athena to create tables as required in your account. These tables process log data and are used exclusively for populating firewall monitoring dashboards and are managed by the Network Firewall console. For more information on how Amazon S3 integrates with Amazon Athena, see <https://docs.aws.amazon.com/AmazonS3/latest/userguide/storage-inventory-athena-query.html>. + +###### Important + +To use the firewall monitoring dashboard functionality with S3 logging destinations: + + * The Amazon S3 bucket storing the logs must be in the same region as the firewall. This is required for Amazon Athena to process the logs, as cross-region processing is not supported. + + * If you specify a prefix for your S3 bucket, ensure it does not begin with a forward slash (`/`). Prefixes starting with (`/`) are not compatible with Amazon Athena processing and will prevent the dashboard from functioning correctly. + + + + @@ -79 +98 @@ You must have the following permissions settings to configure your firewall to s - "s3:GetBucketPolicy" + "s3:GetBucketPolicy", @@ -143,0 +163,107 @@ For example, the following bucket policy allows AWS accounts `111122223333` and +## (Optional) Permissions to access Amazon S3 log metrics in Network Firewall using Amazon Athena + +In addition to your existing Amazon S3 permissions, you must have the following permissions for flow or alert log metrics to populate the firewall monitoring dashboard. + +###### Important + +When you enable firewall monitoring for a firewall that sends logs to Amazon S3, Network Firewall uses Amazon Athena to create tables and metadata files (including CSV files) in your S3 bucket. To optimize storage costs, we recommend periodically cleaning up these metadata files when they are no longer needed. + +If you haven't already verified that your account has the baseline logging permissions, go do that now. For more information, see [Permissions to configure AWS Network Firewall logging](./firewall-logging-permissions.html). + +###### Important + +Additional fees are incurred when Network Firewall uses Amazon Athena to query Amazon S3 logs for the detailed monitoring dashboard. For best practices to minimize additional cost, see [Working with the firewall monitoring dashboard](./nwfw-using-dashboard.html). + + + { + "Effect": "Allow", + "Action": [ + "athena:StartQueryExecution", + "athena:GetQueryExecution", + "athena:GetQueryResults" + ], + "Resource": "*" + }, + { + "Effect": "Allow", + "Action": [ + "s3:PutObject", + "s3:GetObject", + "s3:GetBucketLocation", + "s3:ListBuckets", + "s3:ListBucket" + ], + "Resource": "*" + }, + { + "Effect": "Allow", + "Action": [ + "glue:GetTable", + "glue:GetDatabase", + "glue:GetPartitions", + "glue:CreateTable", + "glue:DeleteTable" + ], + "Resource": "*" + } + + +If you're using CloudWatch Logs as a logging destination, you'll need additional permissions. For more information, see [Permissions to publish logs to CloudWatch Logs](./logging-cw-logs.html#logging-cw-logs-permissions). + +The following view shows both standard Amazon S3 permissions and the additional Athena permissions needed for detailed monitoring. + + + { + "Version": "2012-10-17", + "Statement": [ + { + "Sid": "FirewallLogging", + "Effect": "Allow", + "Action": [ + "logs:CreateLogDelivery", + "logs:GetLogDelivery", + "logs:UpdateLogDelivery", + "logs:DeleteLogDelivery", + "logs:ListLogDeliveries" + ], + "Resource": "*" + }, + { + "Sid": "FirewallLoggingS3", + "Effect": "Allow", + "Action": [ + "s3:PutBucketPolicy", + "s3:GetBucketPolicy", + "s3:PutObject", + "s3:GetObject", + "s3:GetBucketLocation", + "s3:ListBuckets", + "s3:ListBucket" + ], + "Resource": "*" + }, + { + "Sid": "FirewallLoggingAthena", + "Effect": "Allow", + "Action": [ + "athena:StartQueryExecution", + "athena:GetQueryExecution", + "athena:GetQueryResults" + ], + "Resource": "*" + }, + { + "Sid": "FirewallLoggingGlue", + "Effect": "Allow", + "Action": [ + "glue:GetTable", + "glue:GetDatabase", + "glue:GetPartitions", + "glue:CreateTable", + "glue:DeleteTable" + ], + "Resource": "*" + } + ] + } +