AWS WAF Ruleset with Multiple Rules with CloudFormation

0

I am trying to configure an AWS WAF WebACL using CloudFormation. I have been successful in creating a WebACL with a single rule defined in the AWS::WAFv2::WebACL Rules statement, but as soon as I try to define two or more rules only the last rule in the block is created. There are no errors but I only get the final rule in the block. Does anyone have an example of deploying a WebACL with multiple rules?

The required ruleset is:

  1. IP deny rule with priority 0 and referenced IPset
  2. IP allow rule with priority 1 and referenced IPset
  3. Geolocation rule to restrict to GB and allow

Example code block:

"Rules": [
    {
        "Name": "IPSetDeny",
        "Priority": 0,
        "Statement": {
            "IPSetReferenceStatement": {"ARN": { "Fn::GetAtt" : ["SampleIPSetDeny", "Arn" ]}}
        },
        "Action": {
            "Block": {}
        },
        "VisibilityConfig": {
            "SampledRequestsEnabled": true,
            "CloudWatchMetricsEnabled": true,
            "MetricName": "aws-waf-logs-dev-inf"
        },
        "Name": "IPSetAllow",
        "Priority": 1,
        "Statement": {
            "IPSetReferenceStatement": {"ARN": { "Fn::GetAtt" : ["SampleIPSetAllow", "Arn" ]}}
        },
        "Action": {
            "Allow": {}
        },
        "VisibilityConfig": {
            "SampledRequestsEnabled": true,
            "CloudWatchMetricsEnabled": true,
            "MetricName": "aws-waf-logs-dev-inf"
        },
        "Name": "restrict-country",
        "Priority": 2,
        "Statement": {
            "GeoMatchStatement": {
                "CountryCodes": [
                    "GB"
                ]
            }
        },
        "Action": {
            "Allow": {}
        },
        "VisibilityConfig": {
            "SampledRequestsEnabled": true,
            "CloudWatchMetricsEnabled": true,
            "MetricName": "aws-waf-logs-dev-inf"
        }
    }
]
2 Answers
0
Accepted Answer

Hi, @Simon Cox

Your description describes only one Rule object for Rules.
It is unknown how CloudFormation interprets it, but it may have been overwritten by the last block.

I think you should write multiple Rules in the form of an array in Rules as follows.

"Rules": [
    {
        "Name": "IPSetDeny",
        "Priority": 0,
        "Statement": {
            "IPSetReferenceStatement": {
                "ARN": {
                    "Fn::GetAtt": [
                        "SampleIPSetDeny",
                        "Arn"
                    ]
                }
            }
        },
        "Action": {
            "Block": {}
        },
        "VisibilityConfig": {
            "SampledRequestsEnabled": true,
            "CloudWatchMetricsEnabled": true,
            "MetricName": "aws-waf-logs-dev-inf"
        }
    },
    {
        "Name": "IPSetAllow",
        "Priority": 1,
        "Statement": {
            "IPSetReferenceStatement": {
                "ARN": {
                    "Fn::GetAtt": [
                        "SampleIPSetAllow",
                        "Arn"
                    ]
                }
            }
        },
        "Action": {
            "Allow": {}
        },
        "VisibilityConfig": {
            "SampledRequestsEnabled": true,
            "CloudWatchMetricsEnabled": true,
            "MetricName": "aws-waf-logs-dev-inf"
        }
    },
    {
        "Name": "restrict-country",
        "Priority": 2,
        "Statement": {
            "GeoMatchStatement": {
                "CountryCodes": [
                    "GB"
                ]
            }
        },
        "Action": {
            "Allow": {}
        },
        "VisibilityConfig": {
            "SampledRequestsEnabled": true,
            "CloudWatchMetricsEnabled": true,
            "MetricName": "aws-waf-logs-dev-inf"
        }
    }
]
EXPERT
iwasa
answered 2 years ago
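A lint check for the failure mode discussed above, added here as an example and not part of the question or the answer: a standard JSON parser keeps only the last value of a repeated key, which is exactly why one object carrying three sets of rule fields yields a single rule. The script parses the template strictly (rejecting duplicate keys) and then checks that the Rules array has unique Names and Priorities; the embedded template snippets, the placeholder ARN strings and the helper names are constructed for this example.

```python
import json

def loads_strict(text):
    """Parse JSON but reject duplicate keys instead of silently keeping the last one."""
    def no_dupes(pairs):
        obj = {}
        for key, value in pairs:
            if key in obj:
                raise ValueError(f"duplicate key {key!r} in object")
            obj[key] = value
        return obj
    return json.loads(text, object_pairs_hook=no_dupes)

def check_webacl_rules(rules):
    """Return a list of problems found in a WAFv2 WebACL Rules array (empty if clean)."""
    problems, names, priorities = [], set(), set()
    for r in rules:
        for field in ("Name", "Priority", "Statement", "Action", "VisibilityConfig"):
            if field not in r:
                problems.append(f"rule {r.get('Name', '?')} missing {field}")
        if r.get("Name") in names:
            problems.append(f"duplicate rule name {r['Name']}")
        if r.get("Priority") in priorities:
            problems.append(f"duplicate priority {r['Priority']}")
        names.add(r.get("Name"))
        priorities.add(r.get("Priority"))
    return problems

def lint(template_text):
    """Strict parse followed by the Rules checks; returns a list of problem strings."""
    try:
        template = loads_strict(template_text)
    except ValueError as exc:
        return [str(exc)]
    return check_webacl_rules(template["Rules"])

def rule(name, priority, statement, action):
    """Helper (constructed) that builds one rule in the shape used by the question."""
    return {"Name": name, "Priority": priority, "Statement": statement, "Action": {action: {}},
            "VisibilityConfig": {"SampledRequestsEnabled": True, "CloudWatchMetricsEnabled": True,
                                 "MetricName": "aws-waf-logs-dev-inf"}}

# Constructed inputs: the question's shape (one object with repeated keys) and the answer's
# shape (one object per rule). ARNs are placeholders, not real resources.
BROKEN = '{"Rules": [{"Name": "IPSetDeny", "Priority": 0, "Name": "IPSetAllow", "Priority": 1}]}'
FIXED = json.dumps({"Rules": [
    rule("IPSetDeny", 0, {"IPSetReferenceStatement": {"ARN": "arn:PLACEHOLDER:ipset/deny"}}, "Block"),
    rule("IPSetAllow", 1, {"IPSetReferenceStatement": {"ARN": "arn:PLACEHOLDER:ipset/allow"}}, "Allow"),
    rule("restrict-country", 2, {"GeoMatchStatement": {"CountryCodes": ["GB"]}}, "Allow"),
]})
```

Running `lint(BROKEN)` reports the repeated `Name` key, while a plain `json.loads(BROKEN)` returns a single rule named `IPSetAllow`, reproducing the "only the last rule" symptom; `lint(FIXED)` returns no problems.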
0

Hi @Iwasa, thanks for your comment, you were quite correct. I have used your example of an array of rules and my code is now working.

answered 2 years ago
