AWS Certified Security – Specialty — Question 363
A company has an AWS WAF web ACL. According to a new compliance requirement, the company must configure comprehensive logging of all web ACL requests. The company has created an Amazon S3 bucket to store the logs.
Which combination of steps should the company take next to meet this requirement? (Choose two.)
Answer options
- A. Enable logging for the web ACL. Associate the web ACL with the Amazon Kinesis data stream.
- B. Enable logging for the web ACL. Associate the web ACL with the Amazon Kinesis Data Firehose delivery stream.
- C. Configure log filtering for the web ACL. Associate the web ACL with the Amazon Kinesis Data Firehose delivery stream.
- D. Create an Amazon Kinesis data stream in any AWS Region. Specify the S3 bucket as the destination for the data stream.
- E. Create an Amazon Kinesis Data Firehose delivery stream in the same AWS Region as the web ACL. Specify the S3 bucket as the destination for the delivery stream.
Correct answer: B, E
Explanation
With the options offered here, AWS WAF logs reach Amazon S3 through an Amazon Kinesis Data Firehose delivery stream (now called Amazon Data Firehose); AWS WAF never writes to a Kinesis data stream, so options A and D are out. The delivery stream must be created in the same AWS Region as the web ACL (for a web ACL that protects a CloudFront distribution, that means us-east-1), with the S3 bucket as its destination, and AWS WAF only accepts a stream whose name starts with aws-waf-logs-. The two steps are therefore: create the delivery stream in the web ACL's Region with the bucket as its destination (E), then enable logging on the web ACL and select that delivery stream (B). Option C configures log filtering, which drops the requests that a filter rule (or the filter's default behavior) marks as DROP; filtering is optional, and a comprehensive-logging requirement is met precisely by not filtering. Newer AWS WAF releases also accept a CloudWatch Logs log group or an S3 bucket directly as the log destination, but that does not change the answer here, where the only destinations on offer are Kinesis services.
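The check a practitioner would run after the two steps, against the output of `aws wafv2 get-logging-configuration` (or the equivalent boto3 call), as an added example that is not part of the original page: it verifies that the destination is a Firehose delivery stream rather than a Kinesis data stream, that the stream sits in the web ACL's Region and carries the aws-waf-logs- prefix, and that no logging filter can drop requests. The account ID, ARNs, resource names and the two sample configurations are constructed for the example, and the ARN patterns assume the standard `aws` partition.

```python
"""Offline audit of an AWS WAFv2 logging configuration.

The sample configurations at the bottom are constructed for this example;
they are not real account data. Run the file to print findings, or import
audit_logging_configuration() and call it on a real configuration dict.
"""
import re
from typing import Dict, List

# ARN shapes this check understands (assumption: standard "aws" partition).
WEBACL_ARN = re.compile(
    r"^arn:aws:wafv2:(?P<region>[a-z0-9-]+):(?P<account>\d{12}):"
    r"(?P<scope>regional|global)/webacl/(?P<name>[^/]+)/(?P<id>[^/]+)$"
)
FIREHOSE_ARN = re.compile(
    r"^arn:aws:firehose:(?P<region>[a-z0-9-]+):(?P<account>\d{12}):"
    r"deliverystream/(?P<name>[^/]+)$"
)
REQUIRED_PREFIX = "aws-waf-logs-"  # AWS WAF only accepts streams named this way


def audit_logging_configuration(cfg: Dict) -> List[str]:
    """Return a list of findings; an empty list means the config is compliant."""
    findings: List[str] = []
    acl = WEBACL_ARN.match(cfg.get("ResourceArn", ""))
    if acl is None:
        return ["ResourceArn is not a WAFv2 web ACL ARN"]
    # A global (CloudFront) web ACL must log to a delivery stream in us-east-1.
    acl_region = "us-east-1" if acl["scope"] == "global" else acl["region"]

    destinations = cfg.get("LogDestinationConfigs", [])
    if not destinations:
        findings.append("logging is not enabled: no log destination configured")
    for dest in destinations:
        stream = FIREHOSE_ARN.match(dest)
        if stream is None:
            # Covers Kinesis data streams and anything else that is not Firehose.
            findings.append(f"destination is not a Firehose delivery stream: {dest}")
            continue
        if stream["region"] != acl_region:
            findings.append(
                f"delivery stream {stream['name']} is in {stream['region']}, "
                f"but the web ACL requires {acl_region}"
            )
        if not stream["name"].startswith(REQUIRED_PREFIX):
            findings.append(
                f"delivery stream name must start with {REQUIRED_PREFIX}: {stream['name']}"
            )

    # Comprehensive logging: no filter at all, or a filter that can never DROP.
    log_filter = cfg.get("LoggingFilter")
    if log_filter is not None:
        if log_filter.get("DefaultBehavior") == "DROP":
            findings.append("LoggingFilter default behavior DROP discards unmatched requests")
        if any(rule.get("Behavior") == "DROP" for rule in log_filter.get("Filters", [])):
            findings.append("LoggingFilter contains a DROP rule; logging is not comprehensive")
    return findings


# Constructed sample: the configuration the correct answer (B + E) produces.
GOOD_CONFIG = {
    "ResourceArn": "arn:aws:wafv2:us-west-2:123456789012:regional/webacl/app-acl/"
                   "11111111-2222-3333-4444-555555555555",
    "LogDestinationConfigs": [
        "arn:aws:firehose:us-west-2:123456789012:deliverystream/aws-waf-logs-compliance",
    ],
    "RedactedFields": [],
}

# Constructed sample combining the mistakes the wrong options would cause:
# a Kinesis data stream, a Firehose stream in another Region without the
# required prefix, and a filter rule that drops allowed requests.
BAD_CONFIG = {
    "ResourceArn": GOOD_CONFIG["ResourceArn"],
    "LogDestinationConfigs": [
        "arn:aws:kinesis:us-west-2:123456789012:stream/waf-logs",
        "arn:aws:firehose:eu-west-1:123456789012:deliverystream/waf-logs",
    ],
    "LoggingFilter": {
        "DefaultBehavior": "KEEP",
        "Filters": [
            {
                "Behavior": "DROP",
                "Requirement": "MEETS_ANY",
                "Conditions": [{"ActionCondition": {"Action": "ALLOW"}}],
            }
        ],
    },
}

if __name__ == "__main__":
    for label, cfg in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(label, audit_logging_configuration(cfg) or ["compliant"])
```

The Region rule for a global web ACL is folded into the check because a CloudFront web ACL's ARN carries us-east-1 in its Region field anyway; the explicit branch documents the requirement rather than relying on that coincidence.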