WAFv2 rules should have CloudWatch metrics enabled

WAF rules without CloudWatch metrics are invisible to your monitoring stack. You cannot alert on blocked requests, track rule match rates, or detect attack patterns if metrics collection is disabled. A rule could silently stop matching traffic due to a misconfiguration and you would have no signal to investigate.

CloudWatch metrics from WAF feed into dashboards and anomaly detection alarms. Disabling them cuts the only near-real-time feedback loop on whether your web application firewall is actually doing anything.

Implementation

Choose the approach that matches how you manage Terraform.

Use AWS provider resources directly. See docs for the resources involved: aws_wafv2_rule_group.

resource "aws_wafv2_rule_group" "this" {
  capacity = 10
  name     = "pofix-abc123"
  scope    = "REGIONAL"   # or "CLOUDFRONT" for CloudFront distributions

  # Group-level visibility; each rule block inside the group needs its own.
  visibility_config {
    cloudwatch_metrics_enabled = true   # the setting this control evaluates
    metric_name                = "pofix-example-metric"
    sampled_requests_enabled   = true
  }
}

What this control checks

The control checks every aws_wafv2_rule_group resource for a visibility_config block with cloudwatch_metrics_enabled = true. The block also takes metric_name and sampled_requests_enabled, but only cloudwatch_metrics_enabled is evaluated here. Setting it to false fails the check. Individual rules inside a rule group each carry their own visibility_config, and that per-rule setting is checked independently from the group-level one. For aws_wafv2_web_acl resources, both the top-level visibility_config and each inline rule's visibility_config must have cloudwatch_metrics_enabled = true.
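As an added example (not the control's own implementation), the following Python applies the same logic to the JSON output of terraform show -json: it walks every module, and for each aws_wafv2_rule_group and aws_wafv2_web_acl flags the resource-level visibility_config and each inline rule's visibility_config that does not set cloudwatch_metrics_enabled = true. The embedded plan is constructed and abridged to the fields the check reads.

```python
# Resource types whose visibility_config blocks the control evaluates.
CHECKED_TYPES = {"aws_wafv2_rule_group", "aws_wafv2_web_acl"}


def metrics_enabled(block_list):
    """Nested blocks appear as lists in plan JSON; missing or false both fail."""
    if not block_list:
        return False
    return block_list[0].get("cloudwatch_metrics_enabled") is True


def iter_resources(module):
    """Yield resources from a plan module and every nested child module."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from iter_resources(child)


def find_violations(plan):
    """Addresses (resource, or resource + rule name) lacking cloudwatch_metrics_enabled = true."""
    violations = []
    for res in iter_resources(plan["planned_values"]["root_module"]):
        if res["type"] not in CHECKED_TYPES:
            continue
        values = res.get("values") or {}
        if not metrics_enabled(values.get("visibility_config")):
            violations.append(res["address"])
        # Group-level settings do not propagate; every inline rule is checked on its own.
        for rule in values.get("rule") or []:
            if not metrics_enabled(rule.get("visibility_config")):
                violations.append(f'{res["address"]}.rule[{rule.get("name")}]')
    return violations


# Constructed sample plan, abridged to the fields the check reads.
SAMPLE_PLAN = {"planned_values": {"root_module": {"resources": [
    {"address": "aws_wafv2_rule_group.ok", "type": "aws_wafv2_rule_group",
     "values": {"visibility_config": [{"cloudwatch_metrics_enabled": True}],
                "rule": [{"name": "r1", "visibility_config": [{"cloudwatch_metrics_enabled": True}]}]}},
    {"address": "aws_wafv2_rule_group.bad_rule", "type": "aws_wafv2_rule_group",
     "values": {"visibility_config": [{"cloudwatch_metrics_enabled": True}],
                "rule": [{"name": "r1", "visibility_config": [{"cloudwatch_metrics_enabled": False}]}]}},
    {"address": "aws_wafv2_web_acl.bad_top", "type": "aws_wafv2_web_acl",
     "values": {"visibility_config": [{"cloudwatch_metrics_enabled": False}], "rule": []}},
]}}}

if __name__ == "__main__":
    for address in find_violations(SAMPLE_PLAN):
        print("FAIL", address)
```

Against a real plan, pass json.load() of the terraform show -json output to find_violations; a non-empty result is a pre-apply failure of this control.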

Common pitfalls

  • Per-rule visibility_config omission

    Setting cloudwatch_metrics_enabled = true at the rule group level does not propagate to individual rules inside it. Each rule block maintains its own visibility_config, and if that block is missing or has metrics disabled, the control flags it independently. Check every rule block, not just the top-level group config.

  • Duplicate metric_name values in the same WAF context

    Use a unique metric_name per rule within the same Web ACL or rule group. Reusing names in the same container makes CloudWatch metrics ambiguous and dashboards unreliable. Terraform won't always catch naming collisions at plan time, so enforce a naming convention and validate it explicitly before apply.

  • Web ACL rules also need metrics enabled

    If you're remediating this control and only touching aws_wafv2_rule_group resources, you may still get flagged. Rules defined inline in aws_wafv2_web_acl blocks each carry their own visibility_config, and those are evaluated independently. Review both resource types.

Audit evidence

Auditors typically want AWS Config rule evaluation results showing all WAFv2 rule groups as COMPLIANT, or equivalent output from a CSPM tool scanning the same property. Screenshots from the AWS WAF console confirming the "CloudWatch metrics" toggle is enabled under each rule group's visibility configuration section also satisfy this.

Supplementary evidence includes CloudWatch metric namespace listings under AWS/WAFV2 showing active metric streams per rule group, confirming metrics are actually flowing. CloudTrail CreateRuleGroup and UpdateRuleGroup logs showing the VisibilityConfig payload at creation or modification time round out the picture.

Framework-specific interpretation

SOC 2: CC7.2 wants evidence that system components are monitored for anomalies. CloudWatch metrics from WAF rules supply the data needed to trigger alerts on unusual request patterns, contributing to the detection component of the monitoring criteria.

PCI DSS v4.0: Requirement 6.4 mandates protection and active monitoring of public-facing web applications. Without CloudWatch metrics enabled, there's no observable record of which WAF rules are firing, making it difficult to demonstrate continuous inspection to a QSA.

HIPAA Omnibus Rule 2013: 45 CFR 164.312(b) calls for audit controls on systems handling ePHI. Web-facing applications that process or transmit protected health information are in scope, and WAF CloudWatch metrics supply the access-attempt visibility that supports that requirement.

Tool mappings

Use these identifiers to cross-reference this control across tools, reports, and evidence.

  • Compliance.tf Control: wafv2_rule_group_logging_enabled

  • AWS Config Managed Rule: WAFV2_RULEGROUP_LOGGING_ENABLED

  • Powerpipe Control: aws_compliance.control.wafv2_rule_group_logging_enabled

  • Prowler Check: wafv2_webacl_rule_logging_enabled

  • AWS Security Hub Control: WAF.12

  • KICS Query: 081069cb-588b-4ce1-884c-2a1ce3029fe5

Last reviewed: 2026-03-09