Hi, I tried to include one more rule (AWSManagedRulesKnownBadInputsRuleSet) in my CF template. It resulted in multiple errors and I resolved them, but I couldn't resolve one last error. Kindly help.

0

CODE USED:

AWSTemplateFormatVersion: 2010-09-09
Resources:
  MyIPSetdenyb:
    Type: AWS::WAFv2::IPSet
    Properties:
      Name: MyIPSetb
      Description: IP Set to deny access to specific IP addresses
      Scope: REGIONAL
      IPAddressVersion: IPV4
      Addresses:
        - 192.0.2.44/32
  MyIPSetAllowb:
    Type: AWS::WAFv2::IPSet
    Properties:
      Name: MyIPSetAllowb
      Description: IP Set to deny access to 
      Scope: REGIONAL
      IPAddressVersion: IPV4
      Addresses:
        - 10.0.0.0/32
  MyIPSetRule:
    Type: AWS::WAFv2::RuleGroup
    Properties:
      Name: MyIPSetRuleb
      Description: Rule to use IPSet for denial
      Scope: REGIONAL
      Capacity: 1500
      Rules:
        - Action:
            Block: {}
          Name: MyIPSetDenyb
          Priority: 0
          Statement:
            IPSetReferenceStatement:
              Arn: !GetAtt MyIPSetdenyb.Arn
          VisibilityConfig:
            SampledRequestsEnabled: true
            CloudWatchMetricsEnabled: true
            MetricName: aws-waf-logs-dev-inf-deny
        - Action:
            Allow: {}
          Name: MyIPSetAllowb
          Priority: 1
          Statement:
            IPSetReferenceStatement:
              Arn: !GetAtt MyIPSetAllowb.Arn
          VisibilityConfig:
            SampledRequestsEnabled: true
            CloudWatchMetricsEnabled: true
            MetricName: aws-waf-logs-dev-inf-allow
      VisibilityConfig:
        CloudWatchMetricsEnabled: true
        MetricName: waf-metric
        SampledRequestsEnabled: true

  WebACL:
    Type: AWS::WAFv2::WebACL
    Properties:
      DefaultAction:
        Allow: {}
      Name: waf-acl
      Rules:
        - Name: managed-rule
          OverrideAction:
            None: {}
          Priority: 0
          Statement:
            ManagedRuleGroupStatement:
              Name: AWSManagedRulesCommonRuleSet
              VendorName: AWS
          VisibilityConfig:
            CloudWatchMetricsEnabled: true
            MetricName: AWSManagedRulesCommonRuleSet
            SampledRequestsEnabled: true
        - Name: BadInputRuleSet
          OverrideAction:
            None: {}
          Priority: 1
          Statement:
            ManagedRuleGroupStatement:
              Name: AWS-AWSManagedRulesKnownBadInputsRuleSet
              VendorName: AWS
          VisibilityConfig:
            CloudWatchMetricsEnabled: true
            MetricName: AWS-AWSManagedRulesKnownBadInputsRuleSet
            SampledRequestsEnabled: true
        - Name: custom-rule-group
          OverrideAction:
            None: {}
          Priority: 2
          Statement:
            RuleGroupReferenceStatement:
                Arn: !GetAtt MyIPSetRule.Arn
          VisibilityConfig:
            CloudWatchMetricsEnabled: true
            MetricName: custom-rule-group
            SampledRequestsEnabled: true
      Scope: REGIONAL
      VisibilityConfig:
        CloudWatchMetricsEnabled: true
        MetricName: waf-acl
        SampledRequestsEnabled: true

ERROR MESSAGE: Resource handler returned message: "AWS WAF couldn't perform the operation because your resource doesn't exist. (Service: Wafv2, Status Code: 400, Request ID: 8162f1d4-bc7a-431f-8739-304c4412a632)" (RequestToken: 6e199fdd-fa4e-38fa-8052-452dc4a1ca03, HandlerErrorCode: NotFound)

Gowtham
asked 9 months ago, 237 views
1 Answer
0
Accepted Answer

Hello.
The following part is probably incorrect.

Name: AWS-AWSManagedRulesKnownBadInputsRuleSet

The correct answer should be as follows.
https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-baseline.html

Name: AWSManagedRulesKnownBadInputsRuleSet

So, overall, it looks like this.

AWSTemplateFormatVersion: 2010-09-09
Resources:
  MyIPSetdenyb:
    Type: AWS::WAFv2::IPSet
    Properties:
      Name: MyIPSetb
      Description: IP Set to deny access to specific IP addresses
      Scope: REGIONAL
      IPAddressVersion: IPV4
      Addresses:
        - 192.0.2.44/32
  MyIPSetAllowb:
    Type: AWS::WAFv2::IPSet
    Properties:
      Name: MyIPSetAllowb
      Description: IP Set to deny access to 
      Scope: REGIONAL
      IPAddressVersion: IPV4
      Addresses:
        - 10.0.0.0/32
  MyIPSetRule:
    Type: AWS::WAFv2::RuleGroup
    Properties:
      Name: MyIPSetRuleb
      Description: Rule to use IPSet for denial
      Scope: REGIONAL
      Capacity: 1500
      Rules:
        - Action:
            Block: {}
          Name: MyIPSetDenyb
          Priority: 0
          Statement:
            IPSetReferenceStatement:
              Arn: !GetAtt MyIPSetdenyb.Arn
          VisibilityConfig:
            SampledRequestsEnabled: true
            CloudWatchMetricsEnabled: true
            MetricName: aws-waf-logs-dev-inf-deny
        - Action:
            Allow: {}
          Name: MyIPSetAllowb
          Priority: 1
          Statement:
            IPSetReferenceStatement:
              Arn: !GetAtt MyIPSetAllowb.Arn
          VisibilityConfig:
            SampledRequestsEnabled: true
            CloudWatchMetricsEnabled: true
            MetricName: aws-waf-logs-dev-inf-allow
      VisibilityConfig:
        CloudWatchMetricsEnabled: true
        MetricName: waf-metric
        SampledRequestsEnabled: true

  WebACL:
    Type: AWS::WAFv2::WebACL
    Properties:
      DefaultAction:
        Allow: {}
      Name: waf-acl
      Rules:
        - Name: managed-rule
          OverrideAction:
            None: {}
          Priority: 0
          Statement:
            ManagedRuleGroupStatement:
              Name: AWSManagedRulesCommonRuleSet
              VendorName: AWS
          VisibilityConfig:
            CloudWatchMetricsEnabled: true
            MetricName: AWSManagedRulesCommonRuleSet
            SampledRequestsEnabled: true
        - Name: BadInputRuleSet
          OverrideAction:
            None: {}
          Priority: 1
          Statement:
            ManagedRuleGroupStatement:
              Name: AWSManagedRulesKnownBadInputsRuleSet
              VendorName: AWS
          VisibilityConfig:
            CloudWatchMetricsEnabled: true
            MetricName: AWS-AWSManagedRulesKnownBadInputsRuleSet
            SampledRequestsEnabled: true
        - Name: custom-rule-group
          OverrideAction:
            None: {}
          Priority: 2
          Statement:
            RuleGroupReferenceStatement:
                Arn: !GetAtt MyIPSetRule.Arn
          VisibilityConfig:
            CloudWatchMetricsEnabled: true
            MetricName: custom-rule-group
            SampledRequestsEnabled: true
      Scope: REGIONAL
      VisibilityConfig:
        CloudWatchMetricsEnabled: true
        MetricName: waf-acl
        SampledRequestsEnabled: true
EXPERT
answered 9 months ago
  • it resolved, thanks Riku Kobayashi!!
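Added example, not code from the question, the answer or AWS: a small pre-deployment check that pulls every ManagedRuleGroupStatement out of a template and compares it with the vendor/name pairs WAF actually offers, so the "AWS-" prefixed name behind this NotFound error is caught before a stack update rather than at deploy time. It assumes AVAILABLE_MANAGED_RULE_GROUPS is filled from the output of `aws wafv2 list-available-managed-rule-groups --scope REGIONAL`; the embedded set and the template excerpt are constructed.

```python
import re

# Constructed subset of `aws wafv2 list-available-managed-rule-groups --scope REGIONAL` output.
AVAILABLE_MANAGED_RULE_GROUPS = {
    ("AWS", "AWSManagedRulesCommonRuleSet"),
    ("AWS", "AWSManagedRulesKnownBadInputsRuleSet"),
}

def extract_managed_rule_groups(template_text):
    """Return (VendorName, Name) for each ManagedRuleGroupStatement block,
    scanning the YAML text line by line so !GetAtt needs no custom loader."""
    found, block_indent, current = [], None, None
    for line in template_text.splitlines():
        indent = len(line) - len(line.lstrip())
        if line.strip() and block_indent is not None and indent <= block_indent:
            found.append(current)  # dedented past the statement block
            block_indent, current = None, None
        match = re.match(r"\s*([A-Za-z]+):\s*(.*)$", line)
        if match is None:  # blank lines, list items ("- Name: ...") and tag values
            continue
        key, value = match.group(1), match.group(2).strip()
        if key == "ManagedRuleGroupStatement":
            block_indent, current = indent, {}
        elif current is not None and key in ("Name", "VendorName"):
            current[key] = value
    if current is not None:
        found.append(current)
    return [(c.get("VendorName"), c.get("Name")) for c in found]

def check_template(template_text, available=AVAILABLE_MANAGED_RULE_GROUPS):
    """Return one problem string per managed rule group WAF would not find."""
    problems = []
    for vendor, name in extract_managed_rule_groups(template_text):
        if (vendor, name) in available:
            continue
        hint = ""
        if name and name.startswith("AWS-") and (vendor, name[4:]) in available:
            hint = f" ('AWS-' is the console's rule-name prefix; use Name: {name[4:]})"
        problems.append(f"{vendor}/{name} is not an available managed rule group{hint}")
    return problems

# Constructed excerpt of the asker's BadInputRuleSet rule, keeping the faulty Name.
SAMPLE_TEMPLATE = """\
          Statement:
            ManagedRuleGroupStatement:
              Name: AWS-AWSManagedRulesKnownBadInputsRuleSet
              VendorName: AWS
          VisibilityConfig:
            MetricName: AWS-AWSManagedRulesKnownBadInputsRuleSet
"""
```

Note that the MetricName line keeps its "AWS-" prefix and is not flagged: the prefix is only wrong in the rule group's Name.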
