How to configure Athena for AWS WAF logs


Hi, cyber security fans.

It is very useful to analyse AWS WAF logs from time to time, and Athena is a great tool for that. I partially describe how to use it here. Below is the video tutorial lecture from my course “DevSecOps: How to secure Web App with AWS WAF and CloudWatch”, where I explain how to set up the corresponding Athena configuration.

If you prefer to read, here are the steps you need to perform for the initial Athena-WAF configuration:

  • Create an S3 bucket for storing Athena query results. Here is the link to the AWS documentation on how to do it.
  • Go to the AWS console, find the Athena service, then click the Settings tab and provide the name of the S3 bucket you just created.
  • Create a table schema for the AWS WAF S3 logs in Athena. Here is how to do it according to the official documentation. Let me highlight the most essential parts:

“AWS WAF logs include information about the traffic that is analyzed by your web ACL, such as the time that AWS WAF received the request from your AWS resource, detailed information about the request, and the action for the rule that each request matched.” 

Because AWS WAF logs have a known structure whose partition scheme you can specify in advance, you can reduce query runtime and automate partition management by using the Athena partition projection feature.

  • So, copy the query shown in the screenshot below and paste it into the Athena query editor.
  • Change location and storage.location.template in the query to your values. To better understand where to take these values from, look at the WAF logs S3 bucket itself. After setting your values, run the query.
  • If you did everything properly, the run should finish successfully, and you should now see the waf_logs table in the Data tab. You can expand it to see all available fields.
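As an added illustration of the table-creation step (not the query from the original screenshot, and not the full statement from the AWS documentation), here is a trimmed-down `waf_logs` definition with partition projection, followed by a query that uses the partition. The bucket name, account ID, region, web ACL name, the `day` partition column and the start date of the range are constructed placeholders; replace them with the values you see in your own WAF logs bucket.

```sql
-- Added example. Placeholders (constructed): aws-waf-logs-example, 111122223333,
-- us-east-1, EXAMPLE-WEBACL. Only a subset of the WAF log fields is declared;
-- the JSON SerDe ignores fields that are not listed.
CREATE EXTERNAL TABLE `waf_logs` (
  `timestamp` bigint,
  `webaclid` string,
  `terminatingruleid` string,
  `terminatingruletype` string,
  `action` string,
  `httpsourcename` string,
  `httpsourceid` string,
  `httprequest` struct<clientip:string,country:string,headers:array<struct<name:string,value:string>>,uri:string,args:string,httpversion:string,httpmethod:string,requestid:string>
)
PARTITIONED BY (`day` string)
ROW FORMAT SERDE 'org.openx.data.jsonserde.JsonSerDe'
STORED AS INPUTFORMAT 'org.apache.hadoop.mapred.TextInputFormat'
OUTPUTFORMAT 'org.apache.hadoop.hive.ql.io.HiveIgnoreKeyTextOutputFormat'
-- LOCATION points at the prefix that contains the yyyy/MM/dd folders.
LOCATION 's3://aws-waf-logs-example/AWSLogs/111122223333/WAFLogs/us-east-1/EXAMPLE-WEBACL/'
TBLPROPERTIES (
  'projection.enabled' = 'true',
  'projection.day.type' = 'date',
  'projection.day.range' = '2024/01/01,NOW',
  'projection.day.format' = 'yyyy/MM/dd',
  'projection.day.interval' = '1',
  'projection.day.interval.unit' = 'DAYS',
  -- Same prefix as LOCATION, with the projected partition value appended.
  'storage.location.template' =
    's3://aws-waf-logs-example/AWSLogs/111122223333/WAFLogs/us-east-1/EXAMPLE-WEBACL/${day}/'
);

-- Run as a separate statement: top blocked client IPs over the last 7 days.
-- The filter on `day` lets Athena read only the matching date prefixes.
SELECT httprequest.clientip AS client_ip,
       terminatingruleid,
       count(*) AS blocked_requests
FROM waf_logs
WHERE day >= date_format(current_date - interval '7' day, '%Y/%m/%d')
  AND action = 'BLOCK'
GROUP BY httprequest.clientip, terminatingruleid
ORDER BY blocked_requests DESC
LIMIT 20;
```

If the table is created but queries return no rows, compare `storage.location.template` character by character with an actual object key in the logs bucket; with partition projection a wrong prefix produces empty results rather than an error.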

That’s all. Accept my congratulations. 🙂
