Hello.
For now, I tried deleting only the Allow rule, so could you try this?
If you get an error, could you please share the details of the error?
AWSTemplateFormatVersion: '2010-09-09'
Description: 'Security: WAF (Web Application Firewall)'
Metadata:
  'AWS::CloudFormation::Interface':
    ParameterGroups:
      - Label:
          default: 'WAF Parameters'
        Parameters:
          - Scope
          - RateLimit
          - RateLimitEffect
          - ReputationListEffect
          - BotControlEffect
          - BotControlExcludeRule1
          - BotControlExcludeRule2
          - BotControlExcludeRule3
          - BotControlExcludeRule4
          - BotControlExcludeRule5
          - BotControlExcludeRule6
Parameters:
  KinesisArn:
    Description: 'Kinesis data stream arn that pushes logs to centralised S3 bucket'
    Type: String
    Default: arn:aws:firehose:eu-west-1:062459989335:deliverystream/aws-waf-logs-siem-environment
  Scope:
    Description: 'Specify whether WAF shall be used with CloudFront (us-east-1 only!) or regional (ALB, API Gateway, and AppSync).'
    Type: String
    Default: 'REGIONAL'
    AllowedValues:
      - 'REGIONAL'
      - 'CLOUDFRONT'
  RateLimit:
    Description: 'The maximum number of requests from a single IP address that are allowed in a five-minute period.'
    Type: Number
    Default: 100
    MinValue: 100
    MaxValue: 20000000
  RateLimitEffect:
    Description: 'Block or count requests that exceed the rate limit. Alternatively, disable rate limiting at all.'
    Type: String
    Default: 'Block'
    AllowedValues:
      - 'Disable'
      - 'Block'
      - 'Count'
  ReputationListEffect:
    Description: 'Block or count requests with bad reputation. Alternatively, disable reputation list at all.'
    Type: String
    Default: 'Disable'
    AllowedValues:
      - 'Disable'
      - 'Block'
      - 'Count'
  BotControlEffect:
    Description: 'Block or count requests from bots. Alternatively, disable bot control at all.'
    Type: String
    Default: 'Disable'
    AllowedValues:
      - 'Disable'
      - 'Block'
      - 'Count'
  BotControlExcludeRule1:
    Description: 'The rule whose actions are set to COUNT by the web ACL. This effectively excludes the rule from acting on web requests. (Valid rule names: https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-list.html#aws-managed-rule-groups-bot)'
    Type: String
    Default: ''
  BotControlExcludeRule2:
    Description: 'The rule whose actions are set to COUNT by the web ACL. This effectively excludes the rule from acting on web requests. (Valid rule names: https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-list.html#aws-managed-rule-groups-bot)'
    Type: String
    Default: ''
  BotControlExcludeRule3:
    Description: 'The rule whose actions are set to COUNT by the web ACL. This effectively excludes the rule from acting on web requests. (Valid rule names: https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-list.html#aws-managed-rule-groups-bot)'
    Type: String
    Default: ''
  BotControlExcludeRule4:
    Description: 'The rule whose actions are set to COUNT by the web ACL. This effectively excludes the rule from acting on web requests. (Valid rule names: https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-list.html#aws-managed-rule-groups-bot)'
    Type: String
    Default: ''
  BotControlExcludeRule5:
    Description: 'The rule whose actions are set to COUNT by the web ACL. This effectively excludes the rule from acting on web requests. (Valid rule names: https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-list.html#aws-managed-rule-groups-bot)'
    Type: String
    Default: ''
  BotControlExcludeRule6:
    Description: 'The rule whose actions are set to COUNT by the web ACL. This effectively excludes the rule from acting on web requests. (Valid rule names: https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-list.html#aws-managed-rule-groups-bot)'
    Type: String
    Default: ''
  CCodes:
    Description: "An array of two-character country codes that you want to match against"
    Type: String
    Default: ""
  KinesisStack:
    Description: 'Kinesis stack for WAF logging'
    Type: String
    Default: 'kinesis-waf'
Conditions:
  EnableRateLimit: !Not [!Equals [!Ref RateLimitEffect, 'Disable']]
  BlockRateLimit: !Equals [!Ref RateLimitEffect, 'Block']
  EnableReputationList: !Not [!Equals [!Ref ReputationListEffect, 'Disable']]
  BlockReputationList: !Equals [!Ref ReputationListEffect, 'Block']
  EnableBotControl: !Not [!Equals [!Ref BotControlEffect, 'Disable']]
  BlockBotControl: !Equals [!Ref BotControlEffect, 'Block']
  HasBotControlExcludeRule1: !Not [!Equals [!Ref BotControlExcludeRule1, '']]
  HasBotControlExcludeRule2: !Not [!Equals [!Ref BotControlExcludeRule2, '']]
  HasBotControlExcludeRule3: !Not [!Equals [!Ref BotControlExcludeRule3, '']]
  HasBotControlExcludeRule4: !Not [!Equals [!Ref BotControlExcludeRule4, '']]
  HasBotControlExcludeRule5: !Not [!Equals [!Ref BotControlExcludeRule5, '']]
  # Must test its own parameter (the original tested BotControlExcludeRule5 here)
  HasBotControlExcludeRule6: !Not [!Equals [!Ref BotControlExcludeRule6, '']]
  EnableGeolocation: !Not [!Equals [!Ref CCodes, ""]]
Resources:
  WebACL:
    Type: 'AWS::WAFv2::WebACL'
    Properties:
      DefaultAction:
        Allow: {}
      Description: !Sub 'A collection of rules for ${AWS::StackName}.'
      Name: !Ref 'AWS::StackName'
      Rules:
        - !If
          - EnableReputationList
          - Name: AWSReputationList
            Priority: 6
            OverrideAction: !If
              - BlockReputationList
              - None: {}
              - Count: {}
            VisibilityConfig:
              SampledRequestsEnabled: true
              CloudWatchMetricsEnabled: true
              MetricName: AWSReputationList
            Statement:
              ManagedRuleGroupStatement:
                VendorName: AWS
                Name: AWSManagedRulesAmazonIpReputationList
          - !Ref 'AWS::NoValue'
        - !If
          - EnableRateLimit
          - Name: RateLimit
            Priority: 4
            Statement:
              RateBasedStatement:
                Limit: !Ref RateLimit
                AggregateKeyType: IP
            Action: !If
              - BlockRateLimit
              - Block: {}
              - Count: {}
            VisibilityConfig:
              SampledRequestsEnabled: true
              CloudWatchMetricsEnabled: true
              MetricName: RateLimit
          - !Ref 'AWS::NoValue'
        - !If
          - EnableBotControl
          - Name: AWSBotControl
            Priority: 5
            OverrideAction: !If
              - BlockBotControl
              - None: {}
              - Count: {}
            VisibilityConfig:
              SampledRequestsEnabled: true
              CloudWatchMetricsEnabled: true
              MetricName: AWSBotControl
            Statement:
              ManagedRuleGroupStatement:
                VendorName: AWS
                Name: AWSManagedRulesBotControlRuleSet
                ExcludedRules:
                  - !If [HasBotControlExcludeRule1, {Name: !Ref BotControlExcludeRule1}, !Ref 'AWS::NoValue']
                  - !If [HasBotControlExcludeRule2, {Name: !Ref BotControlExcludeRule2}, !Ref 'AWS::NoValue']
                  - !If [HasBotControlExcludeRule3, {Name: !Ref BotControlExcludeRule3}, !Ref 'AWS::NoValue']
                  - !If [HasBotControlExcludeRule4, {Name: !Ref BotControlExcludeRule4}, !Ref 'AWS::NoValue']
                  - !If [HasBotControlExcludeRule5, {Name: !Ref BotControlExcludeRule5}, !Ref 'AWS::NoValue']
                  - !If [HasBotControlExcludeRule6, {Name: !Ref BotControlExcludeRule6}, !Ref 'AWS::NoValue']
          - !Ref 'AWS::NoValue'
        - !If
          - EnableGeolocation
          - Name: restrict-country
            Priority: 3
            Statement:
              GeoMatchStatement:
                CountryCodes:
                  Fn::Split:
                    - ","
                    - !Ref CCodes
            Action:
              Count: {}
            VisibilityConfig:
              SampledRequestsEnabled: true
              CloudWatchMetricsEnabled: true
              MetricName: restrict-country
          - !Ref "AWS::NoValue"
        - Name: managed-rule
          OverrideAction:
            None: {}
          Priority: 7
          Statement:
            ManagedRuleGroupStatement:
              Name: AWSManagedRulesCommonRuleSet
              VendorName: AWS
          VisibilityConfig:
            CloudWatchMetricsEnabled: true
            MetricName: AWSManagedRulesCommonRuleSet
            SampledRequestsEnabled: true
        - Name: BadInputRuleSet
          OverrideAction:
            None: {}
          Priority: 8
          Statement:
            ManagedRuleGroupStatement:
              Name: AWSManagedRulesKnownBadInputsRuleSet
              VendorName: AWS
          VisibilityConfig:
            CloudWatchMetricsEnabled: true
            MetricName: AWS-AWSManagedRulesKnownBadInputsRuleSet
            SampledRequestsEnabled: true
        - Name: custom-rule-group
          OverrideAction:
            None: {}
          Priority: 0
          Statement:
            RuleGroupReferenceStatement:
              Arn: !GetAtt MyIPSetRule.Arn
          VisibilityConfig:
            CloudWatchMetricsEnabled: true
            MetricName: custom-rule-group
            SampledRequestsEnabled: true
      Scope: !Ref Scope
      VisibilityConfig:
        CloudWatchMetricsEnabled: true
        MetricName: !Ref 'AWS::StackName'
        SampledRequestsEnabled: true
  MyIPSetdenyb:
    Type: AWS::WAFv2::IPSet
    Properties:
      Name: MyIPSetb
      Description: IP Set to deny access to specific IP addresses
      Scope: REGIONAL
      IPAddressVersion: IPV4
      Addresses:
        - 3.139.72.126/32
        - 3.140.199.191/32
  MyIPSetRule:
    Type: AWS::WAFv2::RuleGroup
    Properties:
      Name: MyIPSetRuleb
      Description: Rule to use IPSet for denial
      Scope: REGIONAL
      Capacity: 10
      Rules:
        - Action:
            Block: {}
          Name: MyIPSetDenyb
          Priority: 1
          Statement:
            IPSetReferenceStatement:
              Arn: !GetAtt MyIPSetdenyb.Arn
          VisibilityConfig:
            SampledRequestsEnabled: true
            CloudWatchMetricsEnabled: true
            MetricName: aws-waf-logs-dev-inf-deny
      VisibilityConfig:
        CloudWatchMetricsEnabled: true
        MetricName: waf-metric
        SampledRequestsEnabled: true
  WAFLogGroup:
    Type: AWS::Logs::LogGroup
    Properties:
      RetentionInDays: 7
      LogGroupName: aws-waf-logs-cidm
  WafLoggingConfiguration:
    Type: AWS::WAFv2::LoggingConfiguration
    DependsOn:
      - WAFLogGroup
    Properties:
      ResourceArn: !GetAtt WebACL.Arn
      LogDestinationConfigs:
        - { "Fn::ImportValue": !Sub "${KinesisStack}-KinesisArn" }
        - !Sub "arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:aws-waf-logs-cidm"
Outputs:
  StackName:
    Description: 'Stack name.'
    Value: !Sub '${AWS::StackName}'
  WebACL:
    Description: 'The ARN of the Web ACL.'
    Value: !GetAtt 'WebACL.Arn'
    Export:
      Name: !Sub '${AWS::StackName}-WebACL'
Thanks a lot!! Let me check and get back to you.
The screenshot below is the error I ended up with; kindly have a look.
Thank you for sharing the error. The problem seems to be in the following part. I can't seem to find any other stacks that export "kinesis-waf-KinesisArn". Does an export named "kinesis-waf-KinesisArn" exist?
Hi, thanks for replying. No, there is no export named "kinesis-waf-KinesisArn". What do you suggest here please?
In that case, I think it can be resolved by commenting out or deleting the line as shown below. I don't know your configuration, so I'm just guessing, but I think you're setting up WAF with something called "KinesisStack". I think this is the WAF logging setting set in "KinesisStack", so you can delete it if it is unnecessary, and if necessary, you will need to set the WAF ARN.
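A pre-deployment check for the failure discussed in the comments above, as an added example that is not the answerer's code or part of the original thread: it walks a template for Fn::ImportValue targets, resolves ${Param} against parameter defaults, and reports every name that no stack currently exports. The template excerpt and the export list are constructed here; in a real run the export names would come from the CloudFormation ListExports API.

```python
import re

# Constructed excerpt of the template's logging section in CloudFormation's
# JSON form (YAML short tags such as !Sub become Fn::* keys).
TEMPLATE = {
    "Parameters": {"KinesisStack": {"Type": "String", "Default": "kinesis-waf"}},
    "Resources": {
        "WafLoggingConfiguration": {
            "Type": "AWS::WAFv2::LoggingConfiguration",
            "Properties": {"LogDestinationConfigs": [
                {"Fn::ImportValue": {"Fn::Sub": "${KinesisStack}-KinesisArn"}},
                {"Fn::Sub": "arn:${AWS::Partition}:logs:${AWS::Region}:"
                            "${AWS::AccountId}:log-group:aws-waf-logs-cidm"},
            ]},
        }
    },
}

# Constructed stand-in for what cloudformation:ListExports would return.
KNOWN_EXPORTS = {"network-VpcId", "siem-LogBucketArn"}


def resolve_sub(text, params):
    """Expand ${Param} using the parameter's Default; pseudo-parameters such
    as ${AWS::Region} contain '::', do not match, and stay literal."""
    return re.sub(r"\$\{([A-Za-z0-9]+)\}",
                  lambda m: str(params.get(m.group(1), {}).get("Default", m.group(0))),
                  text)


def import_targets(node, params, found=None):
    """Walk the template and collect every resolved Fn::ImportValue name."""
    found = [] if found is None else found
    if isinstance(node, dict):
        for key, val in node.items():
            if key == "Fn::ImportValue":
                # Assumes the target is a plain string or a Fn::Sub string.
                target = val["Fn::Sub"] if isinstance(val, dict) else val
                found.append(resolve_sub(target, params))
            else:
                import_targets(val, params, found)
    elif isinstance(node, list):
        for item in node:
            import_targets(item, params, found)
    return found


def missing_exports(template, exports):
    """Import names the template needs that no stack currently exports."""
    params = template.get("Parameters", {})
    return sorted(set(import_targets(template, params)) - set(exports))
```

Run against the thread's template it returns ['kinesis-waf-KinesisArn'], the exact export the stack creation could not find, so the check catches the problem before CloudFormation rolls back.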