WAF rules should have CloudWatch metrics enabled

Description

This control checks whether Amazon CloudWatch metrics are enabled for an AWS WAFv2 rule group. The control passes only if CloudWatch metrics are enabled for the rule group.

Enabling CloudWatch metrics for WAFv2 rule groups gives you insight into traffic patterns: you can track which rules are triggered and see which requests are allowed or blocked. This visibility helps you detect potentially malicious activity against the resources the rule group protects.

Please note that AWS WAF Classic rule groups are not evaluated by this control.

Remediation

To enable CloudWatch metrics for a WAFv2 rule group, see the Monitoring with Amazon CloudWatch section of the AWS WAF User Guide.
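As an added example (not AWS's own code and not part of this control's documentation), the script below performs the check this control describes against the RuleGroup structure that the wafv2 GetRuleGroup API returns: it inspects the group-level VisibilityConfig and, more strictly than the control requires, the VisibilityConfig of every rule inside the group. The sample rule groups are constructed; the audit_scope function assumes boto3 is installed and IAM permission for wafv2:ListRuleGroups and wafv2:GetRuleGroup.

```python
"""Audit AWS WAFv2 rule groups for CloudWatch metrics being enabled.

Added example, not AWS's own code. evaluate_rule_group inspects the
RuleGroup structure returned by wafv2:GetRuleGroup; audit_scope pulls
live rule groups with boto3 (assumed installed) and is optional.
"""
from typing import Any, Dict, List, Optional


def evaluate_rule_group(rule_group: Dict[str, Any]) -> Dict[str, Any]:
    """Return a finding for one rule group.

    A rule group has a group-level VisibilityConfig (the aggregate metric)
    and each rule carries its own VisibilityConfig. This check treats the
    group as compliant only when CloudWatchMetricsEnabled is true at the
    group level and on every rule, which is stricter than the control.
    """
    group_cfg = rule_group.get("VisibilityConfig", {})
    group_enabled = bool(group_cfg.get("CloudWatchMetricsEnabled", False))
    rules_without_metrics = [
        rule.get("Name", "<unnamed-rule>")
        for rule in rule_group.get("Rules", [])
        if not rule.get("VisibilityConfig", {}).get("CloudWatchMetricsEnabled", False)
    ]
    return {
        "name": rule_group.get("Name", "<unnamed-group>"),
        "arn": rule_group.get("ARN", ""),
        "group_metrics_enabled": group_enabled,
        "rules_without_metrics": rules_without_metrics,
        "compliant": group_enabled and not rules_without_metrics,
    }


def noncompliant_names(findings: List[Dict[str, Any]]) -> List[str]:
    """Names of rule groups that fail the check, in evaluation order."""
    return [f["name"] for f in findings if not f["compliant"]]


def audit_scope(scope: str = "REGIONAL",
                region_name: Optional[str] = None) -> List[Dict[str, Any]]:
    """Evaluate every rule group in one scope (live AWS call, not run by default).

    CLOUDFRONT-scoped rule groups live only in us-east-1, so pass that
    region when scope == "CLOUDFRONT". ListRuleGroups pages via NextMarker.
    """
    import boto3  # imported lazily so the pure check runs without the SDK

    client = boto3.client("wafv2", region_name=region_name)
    findings: List[Dict[str, Any]] = []
    kwargs: Dict[str, Any] = {"Scope": scope, "Limit": 100}
    while True:
        page = client.list_rule_groups(**kwargs)
        summaries = page.get("RuleGroups", [])
        for summary in summaries:
            detail = client.get_rule_group(Name=summary["Name"], Scope=scope, Id=summary["Id"])
            findings.append(evaluate_rule_group(detail["RuleGroup"]))
        marker = page.get("NextMarker")
        # Stop on a missing marker or an empty page (guards against a marker
        # being echoed back when no further results exist).
        if not marker or not summaries:
            return findings
        kwargs["NextMarker"] = marker


def _vis(enabled: bool, metric: str) -> Dict[str, Any]:
    return {"SampledRequestsEnabled": True, "CloudWatchMetricsEnabled": enabled, "MetricName": metric}


# Constructed sample data shaped like GetRuleGroup output (placeholder ARNs, not real resources).
SAMPLE_RULE_GROUPS: List[Dict[str, Any]] = [
    {   # compliant: metrics on for the group and for every rule
        "Name": "edge-protections",
        "ARN": "arn:aws:wafv2:us-east-1:111122223333:regional/rulegroup/edge-protections/EXAMPLE-ID-1",
        "VisibilityConfig": _vis(True, "edgeProtections"),
        "Rules": [{"Name": "rate-limit", "Priority": 0, "VisibilityConfig": _vis(True, "rateLimit")}],
    },
    {   # fails: group-level metrics disabled
        "Name": "legacy-group",
        "ARN": "arn:aws:wafv2:us-east-1:111122223333:regional/rulegroup/legacy-group/EXAMPLE-ID-2",
        "VisibilityConfig": _vis(False, "legacyGroup"),
        "Rules": [{"Name": "geo-block", "Priority": 0, "VisibilityConfig": _vis(True, "geoBlock")}],
    },
    {   # fails the strict check: group metrics on, but one rule has them off
        "Name": "api-rules",
        "ARN": "arn:aws:wafv2:us-east-1:111122223333:regional/rulegroup/api-rules/EXAMPLE-ID-3",
        "VisibilityConfig": _vis(True, "apiRules"),
        "Rules": [
            {"Name": "sqli-match", "Priority": 0, "VisibilityConfig": _vis(True, "sqliMatch")},
            {"Name": "block-bad-ua", "Priority": 1, "VisibilityConfig": _vis(False, "blockBadUa")},
        ],
    },
]


if __name__ == "__main__":
    results = [evaluate_rule_group(g) for g in SAMPLE_RULE_GROUPS]
    for finding in results:
        status = "PASS" if finding["compliant"] else "FAIL"
        print(f"{status} {finding['name']} rules_without_metrics={finding['rules_without_metrics']}")
```

Run as-is, the script evaluates only the constructed samples; call audit_scope("REGIONAL") or audit_scope("CLOUDFRONT", region_name="us-east-1") with AWS credentials to evaluate real rule groups. Remediating a failing group means updating its VisibilityConfig (and, for the strict check, each rule's VisibilityConfig) with CloudWatchMetricsEnabled set to true, as described in the AWS WAF User Guide section referenced above.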