Hello there, the reason that your CFN template creates only 4 rules is the conditions in your CFN template. If you leave the parameters on Disable (for RateLimitEffect, ReputationListEffect, BotControlEffect) and empty "" for CCodes, these rules will not be created.
Conditions:
  EnableRateLimit: !Not [!Equals [!Ref RateLimitEffect, 'Disable']]
  BlockRateLimit: !Equals [!Ref RateLimitEffect, 'Block']
  EnableReputationList: !Not [!Equals [!Ref ReputationListEffect, 'Disable']]
  BlockReputationList: !Equals [!Ref ReputationListEffect, 'Block']
  EnableBotControl: !Not [!Equals [!Ref BotControlEffect, 'Disable']]
  BlockBotControl: !Equals [!Ref BotControlEffect, 'Block']
  HasBotControlExcludeRule1: !Not [!Equals [!Ref BotControlExcludeRule1, '']]
  HasBotControlExcludeRule2: !Not [!Equals [!Ref BotControlExcludeRule2, '']]
  HasBotControlExcludeRule3: !Not [!Equals [!Ref BotControlExcludeRule3, '']]
  HasBotControlExcludeRule4: !Not [!Equals [!Ref BotControlExcludeRule4, '']]
  HasBotControlExcludeRule5: !Not [!Equals [!Ref BotControlExcludeRule5, '']]
  HasBotControlExcludeRule6: !Not [!Equals [!Ref BotControlExcludeRule6, '']]
  EnableGeolocation: !Not [!Equals [!Ref CCodes, ""]]
Please refer to the screenshots below for the parameters I am referring to.
To resolve this issue, set these parameters to Block/Count and add at least one two-letter country code in the CCodes parameter; then the rules will be created. I have run another test of the code, and it does deploy all 7 rules if the parameters are set correctly when you deploy the CFN template.
Screenshot with the parameters set to Count:
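The gating described in the answer above can be checked offline before deploying. This is an added example, not code from the thread: it evaluates a template's Conditions for a given parameter set and lists which Rules survive the `!If ... AWS::NoValue` pattern. It assumes the template in its parsed JSON form (as `json.load` yields, or a YAML template converted with cfn-flip), and reuses the parameter defaults, condition names and rule names from the template in this thread in a constructed cut-down copy.

```python
"""Dry-run of which web ACL rules a CloudFormation template will create for
a parameter set: evaluate its Conditions, then resolve Fn::If in the Rules."""

def evaluate(expr, params, conds):
    """Resolve Ref / Fn::Equals / Fn::Not / Fn::If; other values pass through."""
    if isinstance(expr, dict) and len(expr) == 1:
        (fn, arg), = expr.items()
        if fn == "Ref":  # AWS::NoValue resolves to None, i.e. the element is dropped
            return None if arg == "AWS::NoValue" else params.get(arg, "")
        if fn == "Fn::Equals":
            return evaluate(arg[0], params, conds) == evaluate(arg[1], params, conds)
        if fn == "Fn::Not":
            return not evaluate(arg[0], params, conds)
        if fn == "Fn::If":
            return evaluate(arg[1] if conds[arg[0]] else arg[2], params, conds)
    return expr

def rules_created(template, params=None):
    """Names of the rules the template would create; parameter defaults apply."""
    merged = {k: v.get("Default", "") for k, v in template.get("Parameters", {}).items()}
    merged.update(params or {})
    conds = {}
    for name, expr in template.get("Conditions", {}).items():
        conds[name] = bool(evaluate(expr, merged, conds))
    rules = template["Resources"]["WebACL"]["Properties"]["Rules"]
    return [r["Name"] for r in (evaluate(x, merged, conds) for x in rules) if r]

def _gated(cond, name):  # rule emitted only when `cond` holds, like the !If above
    return {"Fn::If": [cond, {"Name": name}, {"Ref": "AWS::NoValue"}]}

def _enabled_unless(param, off):  # long form of !Not [!Equals [!Ref param, off]]
    return {"Fn::Not": [{"Fn::Equals": [{"Ref": param}, off]}]}

# Constructed, cut-down copy of the thread's template (parsed/JSON form), same names.
TEMPLATE = {
    "Parameters": {"RateLimitEffect": {"Default": "Block"}, "CCodes": {"Default": ""},
                   "ReputationListEffect": {"Default": "Disable"},
                   "BotControlEffect": {"Default": "Disable"}},
    "Conditions": {
        "EnableRateLimit": _enabled_unless("RateLimitEffect", "Disable"),
        "EnableReputationList": _enabled_unless("ReputationListEffect", "Disable"),
        "EnableBotControl": _enabled_unless("BotControlEffect", "Disable"),
        "EnableGeolocation": _enabled_unless("CCodes", ""),
    },
    "Resources": {"WebACL": {"Properties": {"Rules": [
        _gated("EnableReputationList", "AWSReputationList"),
        _gated("EnableRateLimit", "RateLimit"),
        _gated("EnableBotControl", "AWSBotControl"),
        _gated("EnableGeolocation", "restrict-country"),
        {"Name": "managed-rule"}, {"Name": "BadInputRuleSet"}, {"Name": "custom-rule-group"},
    ]}}},
}
```

With the template defaults `rules_created(TEMPLATE)` returns the same four rules the question reports; passing Block/Count for the three effects and a non-empty CCodes yields all seven.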
Hello there, I have corrected the CFN template for you. You currently have two different resource sections with two different WAF web ACL configurations. I have consolidated all the resources under one section and added all the rules under one web ACL. My tests show that the rules are being created as expected. See screenshot below:
AWSTemplateFormatVersion: '2010-09-09'
Description: 'Security: WAF (Web Application Firewall)'
Metadata:
  'AWS::CloudFormation::Interface':
    ParameterGroups:
      - Label:
          default: 'WAF Parameters'
        Parameters:
          - Scope
          - RateLimit
          - RateLimitEffect
          - ReputationListEffect
          - BotControlEffect
          - BotControlExcludeRule1
          - BotControlExcludeRule2
          - BotControlExcludeRule3
          - BotControlExcludeRule4
          - BotControlExcludeRule5
          - BotControlExcludeRule6
Parameters:
  KinesisArn:
    Description: 'Kinesis data stream arn that pushes logs to centralised S3 bucket'
    Type: String
    Default: arn:aws:-environment
  Scope:
    Description: 'Specify whether WAF shall be used with CloudFront (us-east-1 only!) or regional (ALB, API Gateway, and AppSync).'
    Type: String
    Default: 'REGIONAL'
    AllowedValues:
      - 'REGIONAL'
      - 'CLOUDFRONT'
  RateLimit:
    Description: 'The maximum number of requests from a single IP address that are allowed in a five-minute period.'
    Type: Number
    Default: 100
    MinValue: 100
    MaxValue: 20000000
  RateLimitEffect:
    Description: 'Block or count requests that exceed the rate limit. Alternatively, disable rate limiting at all.'
    Type: String
    Default: 'Block'
    AllowedValues:
      - 'Disable'
      - 'Block'
      - 'Count'
  ReputationListEffect:
    Description: 'Block or count requests with bad reputation. Alternatively, disable reputation list at all.'
    Type: String
    Default: 'Disable'
    AllowedValues:
      - 'Disable'
      - 'Block'
      - 'Count'
  BotControlEffect:
    Description: 'Block or count requests from bots. Alternatively, disable bot control at all.'
    Type: String
    Default: 'Disable'
    AllowedValues:
      - 'Disable'
      - 'Block'
      - 'Count'
  BotControlExcludeRule1:
    Description: 'The rule whose actions are set to COUNT by the web ACL. This effectively excludes the rule from acting on web requests. (Valid rule names: https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-list.html#aws-managed-rule-groups-bot)'
    Type: String
    Default: ''
  BotControlExcludeRule2:
    Description: 'The rule whose actions are set to COUNT by the web ACL. This effectively excludes the rule from acting on web requests. (Valid rule names: https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-list.html#aws-managed-rule-groups-bot)'
    Type: String
    Default: ''
  BotControlExcludeRule3:
    Description: 'The rule whose actions are set to COUNT by the web ACL. This effectively excludes the rule from acting on web requests. (Valid rule names: https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-list.html#aws-managed-rule-groups-bot)'
    Type: String
    Default: ''
  BotControlExcludeRule4:
    Description: 'The rule whose actions are set to COUNT by the web ACL. This effectively excludes the rule from acting on web requests. (Valid rule names: https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-list.html#aws-managed-rule-groups-bot)'
    Type: String
    Default: ''
  BotControlExcludeRule5:
    Description: 'The rule whose actions are set to COUNT by the web ACL. This effectively excludes the rule from acting on web requests. (Valid rule names: https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-list.html#aws-managed-rule-groups-bot)'
    Type: String
    Default: ''
  BotControlExcludeRule6:
    Description: 'The rule whose actions are set to COUNT by the web ACL. This effectively excludes the rule from acting on web requests. (Valid rule names: https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-list.html#aws-managed-rule-groups-bot)'
    Type: String
    Default: ''
  CCodes:
    Description: "An array of two-character country codes that you want to match against"
    Type: String
    Default: ""
  KinesisStack:
    Description: 'Kinesis stack for WAF logging'
    Type: String
    Default: 'kinesis-waf'
Conditions:
  EnableRateLimit: !Not [!Equals [!Ref RateLimitEffect, 'Disable']]
  BlockRateLimit: !Equals [!Ref RateLimitEffect, 'Block']
  EnableReputationList: !Not [!Equals [!Ref ReputationListEffect, 'Disable']]
  BlockReputationList: !Equals [!Ref ReputationListEffect, 'Block']
  EnableBotControl: !Not [!Equals [!Ref BotControlEffect, 'Disable']]
  BlockBotControl: !Equals [!Ref BotControlEffect, 'Block']
  HasBotControlExcludeRule1: !Not [!Equals [!Ref BotControlExcludeRule1, '']]
  HasBotControlExcludeRule2: !Not [!Equals [!Ref BotControlExcludeRule2, '']]
  HasBotControlExcludeRule3: !Not [!Equals [!Ref BotControlExcludeRule3, '']]
  HasBotControlExcludeRule4: !Not [!Equals [!Ref BotControlExcludeRule4, '']]
  HasBotControlExcludeRule5: !Not [!Equals [!Ref BotControlExcludeRule5, '']]
  HasBotControlExcludeRule6: !Not [!Equals [!Ref BotControlExcludeRule6, '']]
  EnableGeolocation: !Not [!Equals [!Ref CCodes, ""]]
Resources:
  WebACL:
    Type: 'AWS::WAFv2::WebACL'
    Properties:
      DefaultAction:
        Allow: {}
      Description: !Sub 'A collection of rules for ${AWS::StackName}.'
      Name: !Ref 'AWS::StackName'
      Rules:
        # Each conditional rule resolves to AWS::NoValue (and is dropped from the
        # list) when its Enable* condition is false.
        - !If
          - EnableReputationList
          - Name: AWSReputationList
            Priority: 6
            OverrideAction: !If
              - BlockReputationList
              - None: {}
              - Count: {}
            VisibilityConfig:
              SampledRequestsEnabled: true
              CloudWatchMetricsEnabled: true
              MetricName: AWSReputationList
            Statement:
              ManagedRuleGroupStatement:
                VendorName: AWS
                Name: AWSManagedRulesAmazonIpReputationList
          - !Ref 'AWS::NoValue'
        - !If
          - EnableRateLimit
          - Name: RateLimit
            Priority: 4
            Statement:
              RateBasedStatement:
                Limit: !Ref RateLimit
                AggregateKeyType: IP
            Action: !If
              - BlockRateLimit
              - Block: {}
              - Count: {}
            VisibilityConfig:
              SampledRequestsEnabled: true
              CloudWatchMetricsEnabled: true
              MetricName: RateLimit
          - !Ref 'AWS::NoValue'
        - !If
          - EnableBotControl
          - Name: AWSBotControl
            Priority: 5
            OverrideAction: !If
              - BlockBotControl
              - None: {}
              - Count: {}
            VisibilityConfig:
              SampledRequestsEnabled: true
              CloudWatchMetricsEnabled: true
              MetricName: AWSBotControl
            Statement:
              ManagedRuleGroupStatement:
                VendorName: AWS
                Name: AWSManagedRulesBotControlRuleSet
                ExcludedRules:
                  - !If [HasBotControlExcludeRule1, {Name: !Ref BotControlExcludeRule1}, !Ref 'AWS::NoValue']
                  - !If [HasBotControlExcludeRule2, {Name: !Ref BotControlExcludeRule2}, !Ref 'AWS::NoValue']
                  - !If [HasBotControlExcludeRule3, {Name: !Ref BotControlExcludeRule3}, !Ref 'AWS::NoValue']
                  - !If [HasBotControlExcludeRule4, {Name: !Ref BotControlExcludeRule4}, !Ref 'AWS::NoValue']
                  - !If [HasBotControlExcludeRule5, {Name: !Ref BotControlExcludeRule5}, !Ref 'AWS::NoValue']
                  - !If [HasBotControlExcludeRule6, {Name: !Ref BotControlExcludeRule6}, !Ref 'AWS::NoValue']
          - !Ref 'AWS::NoValue'
        - !If
          - EnableGeolocation
          - Name: restrict-country
            Priority: 3
            Statement:
              GeoMatchStatement:
                CountryCodes:
                  Fn::Split:
                    - ","
                    - !Ref CCodes
            Action:
              Count: {}
            VisibilityConfig:
              SampledRequestsEnabled: true
              CloudWatchMetricsEnabled: true
              MetricName: restrict-country
          - !Ref "AWS::NoValue"
        - Name: managed-rule
          OverrideAction:
            None: {}
          Priority: 7
          Statement:
            ManagedRuleGroupStatement:
              Name: AWSManagedRulesCommonRuleSet
              VendorName: AWS
          VisibilityConfig:
            CloudWatchMetricsEnabled: true
            MetricName: AWSManagedRulesCommonRuleSet
            SampledRequestsEnabled: true
        - Name: BadInputRuleSet
          OverrideAction:
            None: {}
          Priority: 8
          Statement:
            ManagedRuleGroupStatement:
              Name: AWSManagedRulesKnownBadInputsRuleSet
              VendorName: AWS
          VisibilityConfig:
            CloudWatchMetricsEnabled: true
            MetricName: AWS-AWSManagedRulesKnownBadInputsRuleSet
            SampledRequestsEnabled: true
        - Name: custom-rule-group
          OverrideAction:
            None: {}
          Priority: 0
          Statement:
            RuleGroupReferenceStatement:
              Arn: !GetAtt MyIPSetRule.Arn
          VisibilityConfig:
            CloudWatchMetricsEnabled: true
            MetricName: custom-rule-group
            SampledRequestsEnabled: true
      Scope: !Ref Scope
      VisibilityConfig:
        CloudWatchMetricsEnabled: true
        MetricName: !Ref 'AWS::StackName'
        SampledRequestsEnabled: true
  MyIPSetdenyb:
    Type: AWS::WAFv2::IPSet
    Properties:
      Name: MyIPSetb
      Description: IP Set to deny access to specific IP addresses
      Scope: REGIONAL  # must match the web ACL's Scope
      IPAddressVersion: IPV4
      Addresses:
        - 192.0.2.44/32
  MyIPSetAllowb:
    Type: AWS::WAFv2::IPSet
    Properties:
      Name: MyIPSetAllowb
      Description: IP Set to deny access to
      Scope: REGIONAL  # must match the web ACL's Scope
      IPAddressVersion: IPV4
      Addresses:
        - 10.0.0.0/32
  MyIPSetRule:
    Type: AWS::WAFv2::RuleGroup
    Properties:
      Name: MyIPSetRuleb
      Description: Rule to use IPSet for denial
      Scope: REGIONAL  # must match the web ACL's Scope
      Capacity: 1500
      Rules:
        - Action:
            Block: {}
          Name: MyIPSetDenyb
          Priority: 1
          Statement:
            IPSetReferenceStatement:
              Arn: !GetAtt MyIPSetdenyb.Arn
          VisibilityConfig:
            SampledRequestsEnabled: true
            CloudWatchMetricsEnabled: true
            MetricName: aws-waf-logs-dev-inf-deny
        - Action:
            Allow: {}
          Name: MyIPSetAllowb
          Priority: 2
          Statement:
            IPSetReferenceStatement:
              Arn: !GetAtt MyIPSetAllowb.Arn
          VisibilityConfig:
            SampledRequestsEnabled: true
            CloudWatchMetricsEnabled: true
            MetricName: aws-waf-logs-dev-inf-allow
      VisibilityConfig:
        CloudWatchMetricsEnabled: true
        MetricName: waf-metric
        SampledRequestsEnabled: true
  # WAFLogGroup:
  #   Type: AWS::Logs::LogGroup
  #   Properties:
  #     RetentionInDays: 7
  #     LogGroupName: aws-waf-logs-cidm
  # WafLoggingConfiguration:
  #   Type: AWS::WAFv2::LoggingConfiguration
  #   DependsOn:
  #     - WAFLogGroup
  #   Properties:
  #     ResourceArn: !GetAtt WebACL.Arn
  #     LogDestinationConfigs:
  #       - { "Fn::ImportValue": !Sub "${KinesisStack}-KinesisArn" }
  #       - !Sub "arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:aws-waf-logs-cidm"
Outputs:
  StackName:
    Description: 'Stack name.'
    Value: !Sub '${AWS::StackName}'
  WebACL:
    Description: 'The ARN of the Web ACL.'
    Value: !GetAtt 'WebACL.Arn'
    Export:
      Name: !Sub '${AWS::StackName}-WebACL'
Hi, thanks for your effort, I am grateful. Unfortunately, the modified template now creates only five rules (IPDeny, IPAllow, RateLimit, CommonRuleSet and KnownBadInputsRule). Missing rules: AWSBotControl, Restrict-Country and ReputationList. I will include the screenshot in the answers section. Kindly help me fix the last piece of the mistake in the template. Thanks a lot for looking into it.
Hi there! Yes, it works now. Thank you so much for taking time and helping me out. I am a beginner in CF and yaml. Now, I started to understand CF and yaml template better. Once again this help means a lot for me. Stay blessed and keep sharing knowledge!!!!