
Monitoring the status and effectiveness of your web ACL provides useful data that helps you protect your web application infrastructure and supports incident resolution.

Once your web ACL is configured, you can enable logging, which stores detailed information about all requests managed and handled by your web ACL.

As a prerequisite to configuring this logging feature, you must have an Amazon Kinesis Firehose delivery stream configured whose name starts with aws-waf-logs-. Kinesis Firehose is a service used to control and deliver real-time streaming data to storage services. As part of enabling and configuring logging for your web ACL, you can select a storage service to store your data, for example, Amazon S3.

In addition to the logging feature, which captures metadata about all requests processed by your web ACL, AWS WAF also integrates well with Amazon CloudWatch.

The AWS WAF metrics currently supported by CloudWatch include:

  • AllowedRequests
  • BlockedRequests
  • CountedRequests
  • PassedRequests

They are all self-explanatory: the first three simply count the number of requests that have been allowed, blocked, or counted (according to the action of the rule within the web ACL). The final metric is the sum of requests that didn't match any rule within the web ACL and therefore took the default action of the web ACL.
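
To connect the logged records to the four metrics, the following added example (not from the book) tallies WAF log records offline into those buckets, following the descriptions above. The records are constructed and the rule names are hypothetical; the field names (`action`, `terminatingRuleId`, `nonTerminatingMatchingRules`, `httpRequest.clientIp`) follow the AWS WAF log format. It is a local approximation for triage, not CloudWatch's own computation.

```python
import json
from collections import Counter

# Constructed records, one JSON object per line. Field names follow the
# AWS WAF log format; all values and rule names are made up.
SAMPLE_LOG = "\n".join([
    json.dumps({"action": "ALLOW", "terminatingRuleId": "Default_Action",
                "nonTerminatingMatchingRules": [],
                "httpRequest": {"clientIp": "198.51.100.7", "uri": "/"}}),
    json.dumps({"action": "BLOCK", "terminatingRuleId": "example-sqli-rule",
                "nonTerminatingMatchingRules": [],
                "httpRequest": {"clientIp": "203.0.113.9", "uri": "/login"}}),
    json.dumps({"action": "ALLOW", "terminatingRuleId": "example-allow-office",
                "nonTerminatingMatchingRules": [
                    {"ruleId": "example-rate-watch", "action": "COUNT"}],
                "httpRequest": {"clientIp": "192.0.2.44", "uri": "/admin"}}),
    json.dumps({"action": "BLOCK", "terminatingRuleId": "example-sqli-rule",
                "nonTerminatingMatchingRules": [],
                "httpRequest": {"clientIp": "203.0.113.9", "uri": "/search"}}),
    "truncated-record {",  # malformed line, must be skipped rather than crash
])

def summarize(log_text):
    """Tally log records into the buckets named by the four metrics."""
    totals, blocked_by_ip, skipped = Counter(), Counter(), 0
    for line in filter(None, map(str.strip, log_text.splitlines())):
        try:
            rec = json.loads(line)
        except ValueError:
            rec = None
        if not isinstance(rec, dict):
            skipped += 1
            continue
        # A COUNT rule matches without terminating, so tally it separately.
        if any(m.get("action") == "COUNT"
               for m in rec.get("nonTerminatingMatchingRules") or []):
            totals["CountedRequests"] += 1
        if rec.get("terminatingRuleId") == "Default_Action":
            totals["PassedRequests"] += 1      # no rule terminated the request
        elif rec.get("action") == "ALLOW":
            totals["AllowedRequests"] += 1
        elif rec.get("action") == "BLOCK":
            totals["BlockedRequests"] += 1
        if rec.get("action") == "BLOCK":
            ip = (rec.get("httpRequest") or {}).get("clientIp", "unknown")
            blocked_by_ip[ip] += 1
    return {"totals": dict(totals), "skipped": skipped,
            "blocked_by_ip": blocked_by_ip.most_common()}

if __name__ == "__main__":
    print(json.dumps(summarize(SAMPLE_LOG), indent=2))
```

The per-IP breakdown of blocked requests is the kind of detail the logs add over the aggregate CloudWatch counts during incident resolution.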
