How to exclude the specific rules in AWS Managed Rule group with CloudFormation


Hi all,

I'm using CloudFormation to manage an AWS Firewall Manager policy. Following the document here: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-fms-policy.html, I have defined SecurityServicePolicyData with type WAFV2. Example code:

"ManagedServiceData": "{\"type\":\"WAFV2\",\"preProcessRuleGroups\":[{\"ruleGroupArn\":null,\"overrideAction\":{\"type\":\"NONE\"},\"managedRuleGroupIdentifier\":{\"version\":null,\"vendorName\":\"AWS\",\"managedRuleGroupName\":\"AWSManagedRulesCommonRuleSet\"},\"ruleGroupType\":\"ManagedRuleGroup\",\"excludeRules\":[]}],\"postProcessRuleGroups\":[],\"defaultAction\":{\"type\":\"ALLOW\"},\"overrideCustomerWebACLAssociation\":false,\"loggingConfiguration\":{\"logDestinationConfigs\":[\"arn:aws:firehose:us-west-2:12345678912:deliverystream/aws-waf-logs-fms-admin-destination\"],\"redactedFields\":[{\"redactedFieldType\":\"SingleHeader\",\"redactedFieldValue\":\"Cookies\"},{\"redactedFieldType\":\"Method\"}]}}"

Now I want to exclude one of the rules within AWSManagedRulesCommonRuleSet, but I don't see any guidelines or examples on how to do that. My question is: how do I exclude one of the rules within AWSManagedRulesCommonRuleSet, for example, with CloudFormation?

Regards,

1 Answer
Accepted Answer

Hello there,

Please find below an example of excluding a rule from an AWS Managed Rule group:

{
    "Resources": {
        "PolicyWAFv2": {
            "Type": "AWS::FMS::Policy",
            "Properties": {
                "ExcludeResourceTags": false,
                "PolicyName": "Policy",
                "RemediationEnabled": false,
                "ResourceType": "AWS::ElasticLoadBalancingV2::LoadBalancer",
                "SecurityServicePolicyData": {
                    "Type": "WAFV2",
                    "ManagedServiceData": {
                        "Fn::Sub": "{\"type\":\"WAFV2\",\"preProcessRuleGroups\":[{\"ruleGroupArn\":null,\"overrideAction\":{\"type\":\"NONE\"},\"managedRuleGroupIdentifier\":{\"version\":null,\"vendorName\":\"AWS\",\"managedRuleGroupName\":\"AWSManagedRulesAmazonIpReputationList\"},\"ruleGroupType\":\"ManagedRuleGroup\",\"excludeRules\":[{\"name\":\"NoUserAgent_HEADER\"}]}],\"postProcessRuleGroups\":[],\"defaultAction\":{\"type\":\"ALLOW\"},\"overrideCustomerWebACLAssociation\":false,\"loggingConfiguration\":{\"logDestinationConfigs\":[\"arn:aws:firehose:us-west-2:12345678912:deliverystream/aws-waf-logs-fms-admin-destination\"],\"redactedFields\":[{\"redactedFieldType\":\"SingleHeader\",\"redactedFieldValue\":\"Cookies\"},{\"redactedFieldType\":\"Method\"}]}}"
                    }
                }
            }
        }
    }
}
SUPPORT ENGINEER
answered 2 years ago
  • Thanks, Zhiyuan. It works for me.
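The awkward part of the answer above is that ManagedServiceData is a JSON document embedded as an escaped string inside the template. The following is an added example, not code from the question, the answer or AWS: it builds that string from a Python dict (so the escaping is never hand-written), lets you name the rules to exclude from a managed rule group such as AWSManagedRulesCommonRuleSet, and reads the exclusions back for a check before deployment. The Firehose ARN is a placeholder; the rule and group names are the ones mentioned on this page.

```python
import json
# Placeholder log destination; replace with your own Kinesis Data Firehose ARN.
LOG_DESTINATION_ARN = "arn:aws:firehose:us-west-2:123456789012:deliverystream/aws-waf-logs-EXAMPLE"


def managed_rule_group(name, exclude_rules=(), vendor="AWS", version=None):
    """One preProcessRuleGroups entry. Rules named in exclude_rules are no
    longer enforced by the group (WAF runs them in count mode)."""
    return {
        "ruleGroupArn": None,
        "overrideAction": {"type": "NONE"},
        "managedRuleGroupIdentifier": {"version": version, "vendorName": vendor,
                                       "managedRuleGroupName": name},
        "ruleGroupType": "ManagedRuleGroup",
        "excludeRules": [{"name": r} for r in exclude_rules],
    }


def managed_service_data(rule_groups):
    """Serialise the policy to the single escaped JSON string the template needs."""
    policy = {
        "type": "WAFV2",
        "preProcessRuleGroups": list(rule_groups),
        "postProcessRuleGroups": [],
        "defaultAction": {"type": "ALLOW"},
        "overrideCustomerWebACLAssociation": False,
        "loggingConfiguration": {
            "logDestinationConfigs": [LOG_DESTINATION_ARN],
            "redactedFields": [{"redactedFieldType": "SingleHeader",
                                "redactedFieldValue": "Cookies"},
                               {"redactedFieldType": "Method"}],
        },
    }
    return json.dumps(policy, separators=(",", ":"))


def excluded_rules(data, group_name):
    """Read back which rules a serialised policy excludes for one rule group."""
    for group in json.loads(data)["preProcessRuleGroups"]:
        if group["managedRuleGroupIdentifier"]["managedRuleGroupName"] == group_name:
            return [rule["name"] for rule in group["excludeRules"]]
    return None


def fms_policy_template(data):
    """Embed the string in an AWS::FMS::Policy resource like the one in the answer."""
    props = {"ExcludeResourceTags": False, "PolicyName": "Policy", "RemediationEnabled": False,
             "ResourceType": "AWS::ElasticLoadBalancingV2::LoadBalancer",
             "SecurityServicePolicyData": {"Type": "WAFV2", "ManagedServiceData": data}}
    return {"Resources": {"PolicyWAFv2": {"Type": "AWS::FMS::Policy", "Properties": props}}}
```

Calling `json.dumps(fms_policy_template(managed_service_data([managed_rule_group("AWSManagedRulesCommonRuleSet", ["NoUserAgent_HEADER"])])), indent=2)` prints a template you can deploy; note that an excluded rule is counted, not blocked, so review the WAF logs for it before relying on the exclusion.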
