- Newest
- Most votes
- Most comments
Hello.
Managed rules cannot be configured for WAF rule groups.
https://docs.aws.amazon.com/ja_jp/AWSCloudFormation/latest/UserGuide/aws-properties-wafv2-rulegroup-statement.html
In other words, the following parts cannot be set within a rule group.
- Action:
Allow: {}
Name: ManagedRuleGroupRule
Priority: 2
Statement:
ManagedRuleGroupStatement:
VendorName: AWS
Name: !Ref MyManagedRuleGroup
VisibilityConfig:
SampledRequestsEnabled: true
CloudWatchMetricsEnabled: true
If it is to be set, it must be set in the Web ACL.
https://docs.aws.amazon.com/ja_jp/AWSCloudFormation/latest/UserGuide/aws-resource-wafv2-webacl.html#cfn-wafv2-webacl-rules
https://docs.aws.amazon.com/ja_jp/AWSCloudFormation/latest/UserGuide/aws-properties-wafv2-webacl-rule.html#cfn-wafv2-webacl-rule-statement
https://docs.aws.amazon.com/ja_jp/AWSCloudFormation/latest/UserGuide/aws-properties-wafv2-webacl-statement.html
I created a sample template.
This template will create a Web ACL.
It also sets "AWSManagedRulesCommonRuleSet" as the managed rules.
AWSTemplateFormatVersion: 2010-09-09
Resources:
MyIPSetdenyb:
Type: AWS::WAFv2::IPSet
Properties:
Name: MyIPSetb
Description: IP Set to deny access to specific IP addresses
Scope: REGIONAL
IPAddressVersion: IPV4
Addresses:
- 192.0.2.44/32
MyIPSetAllowb:
Type: AWS::WAFv2::IPSet
Properties:
Name: MyIPSetAllowb
Description: IP Set to deny access to
Scope: REGIONAL
IPAddressVersion: IPV4
Addresses:
- 10.0.0.0/32
MyIPSetRule:
Type: AWS::WAFv2::RuleGroup
Properties:
Name: MyIPSetRuleb
Description: Rule to use IPSet for denial
Scope: REGIONAL
Capacity: 1500
Rules:
- Action:
Block: {}
Name: MyIPSetDenyb
Priority: 0
Statement:
IPSetReferenceStatement:
Arn: !GetAtt MyIPSetdenyb.Arn
VisibilityConfig:
SampledRequestsEnabled: true
CloudWatchMetricsEnabled: true
MetricName: aws-waf-logs-dev-inf-deny
- Action:
Allow: {}
Name: MyIPSetAllowb
Priority: 1
Statement:
IPSetReferenceStatement:
Arn: !GetAtt MyIPSetAllowb.Arn
VisibilityConfig:
SampledRequestsEnabled: true
CloudWatchMetricsEnabled: true
MetricName: aws-waf-logs-dev-inf-allow
VisibilityConfig:
CloudWatchMetricsEnabled: true
MetricName: waf-metric
SampledRequestsEnabled: true
WebACL:
Type: AWS::WAFv2::WebACL
Properties:
DefaultAction:
Allow: {}
Name: waf-acl
Rules:
- Name: managed-rule
OverrideAction:
None: {}
Priority: 0
Statement:
ManagedRuleGroupStatement:
Name: AWSManagedRulesCommonRuleSet
VendorName: AWS
VisibilityConfig:
CloudWatchMetricsEnabled: true
MetricName: AWSManagedRulesCommonRuleSet
SampledRequestsEnabled: true
- Name: custom-rule-group
OverrideAction:
None: {}
Priority: 1
Statement:
RuleGroupReferenceStatement:
Arn: !GetAtt MyIPSetRule.Arn
VisibilityConfig:
CloudWatchMetricsEnabled: true
MetricName: custom-rule-group
SampledRequestsEnabled: true
Scope: REGIONAL
VisibilityConfig:
CloudWatchMetricsEnabled: true
MetricName: waf-acl
SampledRequestsEnabled: true
Relevant content
AWS OFFICIALUpdated 2 months ago- AWS OFFICIALUpdated a year ago
- AWS OFFICIALUpdated 5 months ago
- I tried to delete my ACM certificate but received an error that it's in use with other AWS resourcesAWS OFFICIALUpdated a year ago
Hi Riku, I am not aware that Managed rules cannot be configured for WAF rule groups. Thanks for sharing. I will draft my template with the sample one you have given. Again you are the best! Thanks!!!