To deploy WAF rules that are managed by Firewall Manager using CDK, you'll need to use both the AWS WAF and AWS Firewall Manager constructs in your CDK code. Here's how you can approach this:
- First, use the AWS WAF CDK constructs to create your IPSets and WAF rules. These will form the basis of your protection.
- Then, use the AWS Firewall Manager CDK constructs to create a Firewall Manager policy that references and applies these WAF rules across your organization.
The process typically involves:
- Creating IPSets and rule groups using AWS WAF constructs.
- Creating a Firewall Manager policy using Firewall Manager constructs.
- Associating the WAF rule groups with the Firewall Manager policy.
This approach allows you to define your WAF rules in detail using the WAF-specific constructs, while using Firewall Manager to manage and apply these rules at scale across your AWS organization.
Unfortunately, there aren't many readily available examples of this specific use case using CDK. However, you can refer to the AWS CDK documentation for both WAF and Firewall Manager to understand how to create the necessary resources. You may need to combine examples from both services to achieve your desired setup.
Remember that to use Firewall Manager, you need to meet certain prerequisites, such as having AWS Organizations set up with all features enabled, designating a Firewall Manager administrator account, and enabling AWS Config for all accounts in your organization.
While creating your CDK stack, you will likely use constructs like CfnRuleGroup, CfnIPSet from the WAF module to create your rules, and then use Firewall Manager constructs like CfnPolicy to create policies that reference these rules. The exact implementation will depend on your specific requirements and the complexity of your WAF rules.
Sources
- Centrally manage AWS WAF (API v2) and AWS Managed Rules at scale with Firewall Manager | AWS Security Blog
- interface IPSetReferenceStatementProperty · AWS CDK
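As an added illustration of the wiring the answer outlines (not code from the answer or from AWS), the following TypeScript builds the three pieces a CDK stack needs to hand to the L1 constructs: a `CfnRuleGroup` rule that blocks an IPSet, the JSON `managedServiceData` document that a Firewall Manager WAFv2 policy stores, and the `CfnPolicy` props that reference it. The ARNs and names are constructed placeholders; in a real stack you would pass `ipSet.attrArn` and `ruleGroup.attrArn` instead.

```typescript
// Shapes mirror the CloudFormation properties behind the CDK L1 constructs
// (wafv2.CfnRuleGroup.RuleProperty and fms.CfnPolicy.SecurityServicePolicyDataProperty).

interface RuleGroupRef {
  ruleGroupArn: string;
  overrideAction: { type: 'NONE' | 'COUNT' };
  ruleGroupType: 'RuleGroup' | 'ManagedRuleGroup';
  excludeRules: { name: string }[];
}

// One rule for a wafv2.CfnRuleGroup: block any request whose source IP is in the IPSet.
function blockIpSetRule(ipSetArn: string, priority: number) {
  return {
    name: 'BlockListedIps',
    priority,
    action: { block: {} },
    statement: { ipSetReferenceStatement: { arn: ipSetArn } },
    visibilityConfig: { sampledRequestsEnabled: true, cloudWatchMetricsEnabled: true, metricName: 'BlockListedIps' },
  };
}

// Firewall Manager keeps the WAFv2 policy as a JSON string in
// securityServicePolicyData.managedServiceData; this builds that string.
// Rule groups go in preProcessRuleGroups (evaluated before any customer rules);
// default action ALLOW means an IP not in the set still reaches the application.
function wafv2ManagedServiceData(ruleGroupArns: string[], defaultAction: 'ALLOW' | 'BLOCK' = 'ALLOW'): string {
  const doc = {
    type: 'WAFV2',
    preProcessRuleGroups: ruleGroupArns.map<RuleGroupRef>((arn) => ({
      ruleGroupArn: arn,
      overrideAction: { type: 'NONE' },
      ruleGroupType: 'RuleGroup',
      excludeRules: [],
    })),
    postProcessRuleGroups: [] as RuleGroupRef[],
    defaultAction: { type: defaultAction },
    overrideCustomerWebACLAssociation: false,
  };
  return JSON.stringify(doc);
}

// Props for fms.CfnPolicy: scope the policy to ALBs and let Firewall Manager
// create and attach the web ACLs itself (remediationEnabled). In a stack:
//   new fms.CfnPolicy(this, 'WafPolicy', fmsWafPolicyProps('OrgWaf', wafv2ManagedServiceData([ruleGroup.attrArn])));
function fmsWafPolicyProps(policyName: string, managedServiceData: string) {
  return {
    policyName,
    remediationEnabled: true,
    excludeResourceTags: false,
    resourceType: 'AWS::ElasticLoadBalancingV2::LoadBalancer',
    securityServicePolicyData: { type: 'WAFV2', managedServiceData },
  };
}
```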