# Imperva Cloud WAF Imperva Cloud WAF is a cloud-delivered web application firewall that protects internet-facing applications from threats such as SQL injection, cross-site scripting, credential stuffing, automated bot abuse, and volumetric DDoS attacks. Connecting Imperva Cloud WAF forwards security and access logs to Radiant Security via Amazon S3. Radiant uses these logs to correlate external attack attempts against your web applications with downstream identity, endpoint, and authentication signals during AI triage, giving analysts the full attack chain behind every alert. This integration supports all Imperva Cloud Application Security services, including Cloud WAF, Attack Analytics, Advanced Bot Protection, Account Takeover Protection, Client-Side Protection, and DDoS Protection. Customers who used Imperva's legacy Incapsula product configure the integration the same way. ### Prerequisites * [ ] An AWS account with permissions to create or modify S3 buckets, SNS topics, and IAM policies * [ ] Administrator access to the Imperva Cloud Application Security portal * [ ] An S3 bucket where Imperva will store logs (follow [Create an S3 bucket](https://docs.aws.amazon.com/AmazonS3/latest/userguide/create-bucket-overview.html) to create one) * [ ] An AWS Access Key ID and Secret Access Key with `s3:PutObject` permission on the bucket * [ ] Imperva's source IP ranges allow-listed on your AWS account (see [Imperva's IP allow-list documentation](https://docs-cybersec.thalesgroup.com/bundle/z-kb-articles-knowledgebase-support/page/290228110.html)) * [ ] Administrator role in Radiant Security ### Configure Imperva Cloud WAF For full vendor instructions, see [Imperva SIEM Log Configuration](https://docs.imperva.com/bundle/cloud-application-security/page/siem-log-configuration.htm). {% stepper %} {% step %} #### Add the S3 connection in Imperva 1. Sign in to the [Imperva Cloud Application Security portal](https://my.imperva.com/). 2. On the top menu bar, click **Account** > **Account Management**. 3. Navigate to **SIEM Logs** > **Log Configuration**. 4. Click **Add Connection** and select **Amazon S3** as the storage type. 5. Configure the connection: * **Connection Name**: `Radiant Security S3` * **Access Key**: your AWS Access Key ID with `s3:PutObject` permission * **Secret Key**: your AWS Secret Access Key * **Path**: your bucket name with a prefix (e.g., `your-bucket-name/cloudwaf`) * **Format**: select `.cef` if available * **Compress logs**: select **Yes** if available 6. Click **Test Connection** to verify, then click **Save**. {% endstep %} {% step %} #### Enable logging for subscribed services The available services in this section depend on your Imperva subscription. If the section is not visible, skip this step. 1. In the **Connections** table, expand the connection you created and click **Edit**. 2. For every service listed under **Select Services**, set: * **Log Types**: all available log types * **Format**: select `.json` or `.cef` (preferably `.json`) * **State**: Enabled 3. Click **Save**. {% endstep %} {% step %} #### Record your configuration details You will need the following values when you set up the Radiant side: * S3 bucket name * S3 bucket path or prefix (e.g., `imperva/` or `cloudwaf/`) * AWS region where your bucket is located {% endstep %} {% endstepper %} ### Configure S3 and add the data connector in Radiant Security Now that Imperva is writing logs to your S3 bucket, complete the setup by following the [Configure Amazon S3 to forward logs to Radiant Security](/radiant-connectors/data-connectors/configure-amazon-s3-to-forward-logs-to-radiant-security.md) guide. That guide walks through: 1. Configuring the bucket policy and creating an SNS topic. 2. Adding the **Amazon Web Services S3** data connector in Radiant Security. 3. Configuring S3 event notifications so new objects trigger ingestion. --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://help.radiantsecurity.ai/radiant-connectors/data-connectors/imperva-cloud-waf.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.