A company is hosting a web application that is sitting behind an Application Load Balancer. You use a WAF web ACL to protect the Application Load Balancer against SQL injection and other types of web layer attacks. You need to enable logging to get detailed information about the traffic that is analyzed by your web ACL. Which of the following would you need to have in place for this requirement to be fulfilled?
Choose 2 options.

Answer options:

A.Enable the web ACL logging in the AWS WAF Console.
B.Use ALB access logs to get detailed information about WAF deny rules.
C.Create an Amazon Kinesis Data Firehose for the WAF logging.
D.Place a Cloudfront distribution behind the ELB.

Answer – A and C
This is mentioned in the AWS Documentation.
You can enable logging to get detailed information about the traffic that is analyzed by your web ACL. Information contained in the logs includes the time that AWS WAF received the request from your AWS resource, detailed information about the request, and the action for the rule that each request matched.
To get started, you set up an Amazon Kinesis Data Firehose. As part of that process, you choose a destination for storing your logs. Next, you choose the web ACL that you want to enable logging for. After you enable logging, AWS WAF delivers logs through the firehose to your storage destination.
Option B is incorrect since access logs for the ALB only say that the request was blocked because of WAF - 403 error code. However, it doesn`t provide information on the WAF rules.
Option D is incorrect since you don’t necessarily need to add the Cloudfront distribution for getting the logging information.
For more information on Web Application Firewall logging, please visit the below URL
https://docs.aws.amazon.com/waf/latest/developerguide/logging.html