AWS_NF_1

Ensure Network Firewall alert logging is enabled

Description

Network Firewall ALERT logs provide detailed information about every alert that was triggered by traffic passing through the stateful engine of your firewall. To be able to investigate security incidents, you must enable alert logging on the firewall.

Remediation

From Portal:
1. Sign in to the AWS Management Console and open the Amazon VPC console.
2. In the navigation panel, under Network Firewall, choose Firewalls.
3. In the Firewalls page, choose the name of the firewall that you want to edit.
4. Choose the tab Firewall details, then in the Logging section, choose Edit.
5. Adjust the Log type selections as needed. You can configure logging for alert and flow logs. (Alert: sends logs for traffic that matches any stateful rule whose action is set to Alert or Drop. For more information about stateful rules and rule groups, see Rule groups in AWS Network Firewall.)
6. For each selected log type, choose the destination type, then provide the information for the logging destination that you prepared following the guidance in Firewall logging destinations. In order to change the destination for an existing Log type, you must first turn off logging for the policy. Then, edit the policy and specify the new destination(s) for the Log type.
7. Choose Save to save your changes and return to the firewall’s detail page.

From TF:
resource "aws_networkfirewall_logging_configuration" "example" {
  firewall_arn = aws_networkfirewall_firewall.example.arn   # reference to your firewall resource
  logging_configuration {
    log_destination_config {
      log_destination = {
        bucketName = "example-bucket"   # placeholder: your prepared log destination
      }
      log_destination_type = "S3"
-     log_type = "FLOW"
+     log_type = "ALERT"
    }
  }
}

From Command Line:
To enable Network Firewall alert logging, use the following CLI command (replace FW_ARN with the firewall's ARN and EXAMPLE_BUCKET with the S3 bucket you prepared as the logging destination; the shorthand is quoted so the shell does not interpret the brackets):
aws network-firewall update-logging-configuration --firewall-arn FW_ARN --logging-configuration 'LogDestinationConfigs=[{LogType=ALERT,LogDestinationType=S3,LogDestination={bucketName=EXAMPLE_BUCKET}}]'
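The following is an added example, not part of this benchmark page: a small check that evaluates the AWS_NF_1 condition from the response of `aws network-firewall describe-logging-configuration` (or boto3's `describe_logging_configuration`) and reports PASS when at least one ALERT log destination is configured. The sample responses, ARNs and bucket names are constructed placeholders; the optional `fetch_responses` helper is the only part that needs a live boto3 client.

```python
# Added example for AWS_NF_1 (not the page's own code): decide whether a
# Network Firewall has ALERT logging enabled from its logging configuration.
# Sample responses below are constructed; ARNs and bucket names are placeholders.

# Destination types Network Firewall accepts in a LogDestinationConfig.
VALID_DESTINATION_TYPES = {"S3", "CloudWatchLogs", "KinesisDataFirehose"}


def evaluate_alert_logging(response: dict) -> dict:
    """Return a finding dict for one firewall.

    `response` has the describe-logging-configuration shape:
    {"FirewallArn": ..., "LoggingConfiguration": {"LogDestinationConfigs": [...]}}.
    A missing LoggingConfiguration means logging was never configured.
    """
    logging_cfg = response.get("LoggingConfiguration") or {}
    configs = logging_cfg.get("LogDestinationConfigs") or []

    # Every log type present, so the finding shows what is logged today.
    log_types = sorted({c.get("LogType") for c in configs if c.get("LogType")})

    # ALERT entries with a supported destination type are what satisfy the control.
    alert_destinations = [
        {"type": c.get("LogDestinationType"), "destination": c.get("LogDestination")}
        for c in configs
        if c.get("LogType") == "ALERT"
        and c.get("LogDestinationType") in VALID_DESTINATION_TYPES
    ]

    return {
        "firewall_arn": response.get("FirewallArn"),
        "status": "PASS" if alert_destinations else "FAIL",
        "log_types": log_types,
        "alert_destinations": alert_destinations,
    }


def noncompliant_firewalls(responses) -> list:
    """ARNs of firewalls whose ALERT logging is not enabled (FAIL findings)."""
    return [
        f["firewall_arn"]
        for f in map(evaluate_alert_logging, responses)
        if f["status"] == "FAIL"
    ]


def fetch_responses(client, firewall_arns):
    """Live variant: `client` is a boto3 'network-firewall' client (hypothetical
    caller-supplied object; not used by the offline samples)."""
    return [client.describe_logging_configuration(FirewallArn=arn) for arn in firewall_arns]


# Constructed sample responses (placeholder account IDs, ARNs and buckets).
SAMPLE_RESPONSES = [
    {   # flow logs only: alerts are never recorded -> FAIL
        "FirewallArn": "arn:aws:network-firewall:us-east-1:111111111111:firewall/fw-flow-only",
        "LoggingConfiguration": {"LogDestinationConfigs": [
            {"LogType": "FLOW", "LogDestinationType": "S3",
             "LogDestination": {"bucketName": "example-flow-logs"}},
        ]},
    },
    {   # alert logs to S3 plus flow logs to CloudWatch -> PASS
        "FirewallArn": "arn:aws:network-firewall:us-east-1:111111111111:firewall/fw-alert-on",
        "LoggingConfiguration": {"LogDestinationConfigs": [
            {"LogType": "ALERT", "LogDestinationType": "S3",
             "LogDestination": {"bucketName": "example-alert-logs"}},
            {"LogType": "FLOW", "LogDestinationType": "CloudWatchLogs",
             "LogDestination": {"logGroup": "/example/nfw/flow"}},
        ]},
    },
    {   # logging never configured -> FAIL
        "FirewallArn": "arn:aws:network-firewall:us-east-1:111111111111:firewall/fw-no-logging",
    },
]

if __name__ == "__main__":
    for resp in SAMPLE_RESPONSES:
        finding = evaluate_alert_logging(resp)
        print(finding["status"], finding["firewall_arn"], "log types:", finding["log_types"])
    print("non-compliant:", noncompliant_firewalls(SAMPLE_RESPONSES))
```

Running the block offline prints FAIL for the flow-only and unconfigured firewalls and PASS for the one with an ALERT destination. Against a real account, pass the ARNs from `list-firewalls` through `fetch_responses` and feed the results to `noncompliant_firewalls`; the remediation above (console, Terraform or `update-logging-configuration`) then applies to each ARN it returns.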

Service

AWS Network Firewall

Severity

Low

Compliance

Mapping
