1 Answer
Hello.
The following part is probably incorrect.
Name: AWS-AWSManagedRulesKnownBadInputsRuleSet
The correct answer should be as follows.
https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-baseline.html
Name: AWSManagedRulesKnownBadInputsRuleSet
So, overall, it looks like this.
AWSTemplateFormatVersion: 2010-09-09
Resources:
  MyIPSetdenyb:
    Type: AWS::WAFv2::IPSet
    Properties:
      Name: MyIPSetb
      Description: IP Set to deny access to specific IP addresses
      Scope: REGIONAL
      IPAddressVersion: IPV4
      Addresses:
        - 192.0.2.44/32
  MyIPSetAllowb:
    Type: AWS::WAFv2::IPSet
    Properties:
      Name: MyIPSetAllowb
      Description: IP Set to allow access from specific IP addresses
      Scope: REGIONAL
      IPAddressVersion: IPV4
      Addresses:
        - 10.0.0.0/32
  MyIPSetRule:
    Type: AWS::WAFv2::RuleGroup
    Properties:
      Name: MyIPSetRuleb
      Description: Rule to use IPSet for denial
      Scope: REGIONAL
      # WCU reservation for the group. Each IPSetReferenceStatement costs 1 WCU,
      # so 1500 (the maximum) is far more than these two rules need.
      Capacity: 1500
      Rules:
        - Action:
            Block: {}
          Name: MyIPSetDenyb
          Priority: 0
          Statement:
            IPSetReferenceStatement:
              Arn: !GetAtt MyIPSetdenyb.Arn
          VisibilityConfig:
            SampledRequestsEnabled: true
            CloudWatchMetricsEnabled: true
            MetricName: aws-waf-logs-dev-inf-deny
        - Action:
            Allow: {}
          Name: MyIPSetAllowb
          Priority: 1
          Statement:
            IPSetReferenceStatement:
              Arn: !GetAtt MyIPSetAllowb.Arn
          VisibilityConfig:
            SampledRequestsEnabled: true
            CloudWatchMetricsEnabled: true
            MetricName: aws-waf-logs-dev-inf-allow
      VisibilityConfig:
        CloudWatchMetricsEnabled: true
        MetricName: waf-metric
        SampledRequestsEnabled: true
  WebACL:
    Type: AWS::WAFv2::WebACL
    Properties:
      DefaultAction:
        Allow: {}
      Name: waf-acl
      Rules:
        # Managed rule groups and rule group references take OverrideAction,
        # not Action; rules are evaluated in ascending Priority order.
        - Name: managed-rule
          OverrideAction:
            None: {}
          Priority: 0
          Statement:
            ManagedRuleGroupStatement:
              Name: AWSManagedRulesCommonRuleSet
              VendorName: AWS
          VisibilityConfig:
            CloudWatchMetricsEnabled: true
            MetricName: AWSManagedRulesCommonRuleSet
            SampledRequestsEnabled: true
        - Name: BadInputRuleSet
          OverrideAction:
            None: {}
          Priority: 1
          Statement:
            ManagedRuleGroupStatement:
              # The rule group name has no "AWS-" prefix; that form is only
              # used for metric names.
              Name: AWSManagedRulesKnownBadInputsRuleSet
              VendorName: AWS
          VisibilityConfig:
            CloudWatchMetricsEnabled: true
            MetricName: AWS-AWSManagedRulesKnownBadInputsRuleSet
            SampledRequestsEnabled: true
        - Name: custom-rule-group
          OverrideAction:
            None: {}
          Priority: 2
          Statement:
            RuleGroupReferenceStatement:
              Arn: !GetAtt MyIPSetRule.Arn
          VisibilityConfig:
            CloudWatchMetricsEnabled: true
            MetricName: custom-rule-group
            SampledRequestsEnabled: true
      Scope: REGIONAL
      VisibilityConfig:
        CloudWatchMetricsEnabled: true
        MetricName: waf-acl
        SampledRequestsEnabled: true
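The mistake in the question (referencing a managed rule group by the "AWS-..." metric-name form instead of its real name) is only reported by CloudFormation at deploy time. The following added example, which is not part of the original answer, is a small offline lint that runs over a template already parsed into a Python dict (for instance a JSON template via `json.load`; a YAML template with `!GetAtt` tags needs a CloudFormation-aware YAML loader first). It validates AWS managed rule group names against a list taken from the WAF developer guide, points at the likely intended name when the "AWS-" prefix is the culprit, and also flags duplicate priorities, a missing `OverrideAction`/`Action`, and metric names that do not match the allowed pattern. The function names, the `BROKEN_TEMPLATE` sample and the rule-group list snapshot are assumptions of this example.

```python
"""Offline pre-deploy lint for AWS::WAFv2 WebACL / RuleGroup resources.

Added example, not from the original re:Post answer. It catches the error the
thread is about ("AWS-AWSManagedRulesKnownBadInputsRuleSet" used where the rule
group name "AWSManagedRulesKnownBadInputsRuleSet" is required) before
CloudFormation rejects the stack, plus a few neighbouring mistakes.
"""
import copy
import re

# AWS-vendored managed rule group names from the WAF developer guide.
# Assumption: a snapshot; extend it when AWS publishes new rule groups.
AWS_MANAGED_RULE_GROUPS = {
    "AWSManagedRulesCommonRuleSet", "AWSManagedRulesAdminProtectionRuleSet",
    "AWSManagedRulesKnownBadInputsRuleSet", "AWSManagedRulesSQLiRuleSet",
    "AWSManagedRulesLinuxRuleSet", "AWSManagedRulesUnixRuleSet",
    "AWSManagedRulesWindowsRuleSet", "AWSManagedRulesPHPRuleSet",
    "AWSManagedRulesWordPressRuleSet", "AWSManagedRulesAmazonIpReputationList",
    "AWSManagedRulesAnonymousIpList", "AWSManagedRulesBotControlRuleSet",
    "AWSManagedRulesATPRuleSet", "AWSManagedRulesACFPRuleSet",
}

# Characters CloudFormation accepts in VisibilityConfig.MetricName.
METRIC_NAME_RE = re.compile(r"^[\w#:.\-/]{1,128}$")


def lint_rules(rules):
    """Return problem strings for one Rules list (of a WebACL or a RuleGroup)."""
    problems = []
    seen = {}  # Priority -> rule name, to flag duplicate priorities
    for rule in rules:
        name = rule.get("Name", "<unnamed>")
        prio = rule.get("Priority")
        if prio in seen:
            problems.append(f"{name}: Priority {prio} already used by {seen[prio]}")
        seen[prio] = name

        stmt = rule.get("Statement", {})
        managed = stmt.get("ManagedRuleGroupStatement")
        references_group = managed is not None or "RuleGroupReferenceStatement" in stmt

        # Rule-group references take OverrideAction; ordinary rules take Action.
        if references_group and "OverrideAction" not in rule:
            problems.append(f"{name}: rule group reference requires OverrideAction")
        if not references_group and "Action" not in rule:
            problems.append(f"{name}: rule requires Action")

        if managed and managed.get("VendorName") == "AWS":
            group = managed.get("Name", "")
            if group not in AWS_MANAGED_RULE_GROUPS:
                hint = ""
                # The slip in the thread: copying the "AWS-<group>" metric-name form.
                if group.startswith("AWS-") and group[4:] in AWS_MANAGED_RULE_GROUPS:
                    hint = f" (did you mean {group[4:]}?)"
                problems.append(f"{name}: unknown AWS managed rule group {group!r}{hint}")

        metric = rule.get("VisibilityConfig", {}).get("MetricName", "")
        if not METRIC_NAME_RE.match(metric):
            problems.append(f"{name}: invalid MetricName {metric!r}")
    return problems


def lint_template(template):
    """Lint every WAFv2 WebACL and RuleGroup in a template parsed to a dict."""
    problems = []
    for logical_id, res in template.get("Resources", {}).items():
        if res.get("Type") in ("AWS::WAFv2::WebACL", "AWS::WAFv2::RuleGroup"):
            rules = res.get("Properties", {}).get("Rules", [])
            problems.extend(f"{logical_id}: {p}" for p in lint_rules(rules))
    return problems


def _managed_rule(name, prio, group, metric):
    """Build one managed-rule-group rule in CloudFormation JSON shape."""
    return {"Name": name, "Priority": prio, "OverrideAction": {"None": {}},
            "Statement": {"ManagedRuleGroupStatement": {"Name": group, "VendorName": "AWS"}},
            "VisibilityConfig": {"CloudWatchMetricsEnabled": True, "MetricName": metric,
                                 "SampledRequestsEnabled": True}}


# Constructed sample: the question's WebACL in JSON/dict form, still carrying
# the wrong rule group name.
BROKEN_TEMPLATE = {"Resources": {"WebACL": {"Type": "AWS::WAFv2::WebACL", "Properties": {
    "Name": "waf-acl", "Scope": "REGIONAL", "DefaultAction": {"Allow": {}},
    "Rules": [
        _managed_rule("managed-rule", 0, "AWSManagedRulesCommonRuleSet",
                      "AWSManagedRulesCommonRuleSet"),
        _managed_rule("BadInputRuleSet", 1, "AWS-AWSManagedRulesKnownBadInputsRuleSet",
                      "AWS-AWSManagedRulesKnownBadInputsRuleSet"),
        {"Name": "custom-rule-group", "Priority": 2, "OverrideAction": {"None": {}},
         "Statement": {"RuleGroupReferenceStatement": {"Arn": {"Fn::GetAtt": ["MyIPSetRule", "Arn"]}}},
         "VisibilityConfig": {"CloudWatchMetricsEnabled": True, "MetricName": "custom-rule-group",
                              "SampledRequestsEnabled": True}},
    ],
    "VisibilityConfig": {"CloudWatchMetricsEnabled": True, "MetricName": "waf-acl",
                         "SampledRequestsEnabled": True},
}}}}


def fixed_template():
    """Return a copy of BROKEN_TEMPLATE with the rule group name corrected."""
    fixed = copy.deepcopy(BROKEN_TEMPLATE)
    rules = fixed["Resources"]["WebACL"]["Properties"]["Rules"]
    rules[1]["Statement"]["ManagedRuleGroupStatement"]["Name"] = "AWSManagedRulesKnownBadInputsRuleSet"
    return fixed


if __name__ == "__main__":
    for problem in lint_template(BROKEN_TEMPLATE):
        print(problem)
    print("fixed template:", lint_template(fixed_template()) or "no problems")
```

Run it as a pre-commit step or in CI before `aws cloudformation deploy`; the lint is deliberately stdlib-only so it works without AWS credentials, at the cost of the rule-group list being a snapshot rather than the live output of `ListAvailableManagedRuleGroups`.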
It's resolved, thanks Riku Kobayashi!!