My CF template does not create all the rules mentioned in the template, but it does create a few rules. No error message pops up. Could someone please have a look and suggest a solution? Please find attached the priority list.

0

[screenshot: priority list]

CF Template:

AWSTemplateFormatVersion: '2010-09-09'
Description: 'Security: WAF (Web Application Firewall)'
Metadata:
  'AWS::CloudFormation::Interface':
    ParameterGroups:
    - Label:
        default: 'WAF Parameters'
      Parameters:
      - Scope
      - RateLimit
      - RateLimitEffect
      - ReputationListEffect
      - BotControlEffect
      - BotControlExcludeRule1
      - BotControlExcludeRule2
      - BotControlExcludeRule3
      - BotControlExcludeRule4
      - BotControlExcludeRule5
      - BotControlExcludeRule6
Parameters:
  KinesisArn:
    Description: 'Kinesis data stream arn that pushes logs to centralised S3 bucket'
    Type: String
    Default: arn:aws:-environment
  Scope:
    Description: 'Specify whether WAF shall be used with CloudFront (us-east-1 only!) or regional (ALB, API Gateway, and AppSync).'
    Type: String
    Default: 'REGIONAL'
    AllowedValues:
    - 'REGIONAL'
    - 'CLOUDFRONT'
  RateLimit:
    Description: 'The maximum number of requests from a single IP address that are allowed in a five-minute period.'
    Type: Number
    Default: 100
    MinValue: 100
    MaxValue: 20000000
  RateLimitEffect:
    Description: 'Block or count requests that exceed the rate limit. Alternatively, disable rate limiting altogether.'
    Type: String
    Default: 'Block'
    AllowedValues:
    - 'Disable'
    - 'Block'
    - 'Count'
  ReputationListEffect:
    Description: 'Block or count requests with bad reputation. Alternatively, disable the reputation list altogether.'
    Type: String
    Default: 'Disable'
    AllowedValues:
    - 'Disable'
    - 'Block'
    - 'Count'
  BotControlEffect:
    Description: 'Block or count requests from bots. Alternatively, disable bot control altogether.'
    Type: String
    Default: 'Disable'
    AllowedValues:
    - 'Disable'
    - 'Block'
    - 'Count'
  BotControlExcludeRule1:
    Description: 'The rule whose actions are set to COUNT by the web ACL. This effectively excludes the rule from acting on web requests. (Valid rule names: https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-list.html#aws-managed-rule-groups-bot)'
    Type: String
    Default: ''
  BotControlExcludeRule2:
    Description: 'The rule whose actions are set to COUNT by the web ACL. This effectively excludes the rule from acting on web requests. (Valid rule names: https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-list.html#aws-managed-rule-groups-bot)'
    Type: String
    Default: ''
  BotControlExcludeRule3:
    Description: 'The rule whose actions are set to COUNT by the web ACL. This effectively excludes the rule from acting on web requests. (Valid rule names: https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-list.html#aws-managed-rule-groups-bot)'
    Type: String
    Default: ''
  BotControlExcludeRule4:
    Description: 'The rule whose actions are set to COUNT by the web ACL. This effectively excludes the rule from acting on web requests. (Valid rule names: https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-list.html#aws-managed-rule-groups-bot)'
    Type: String
    Default: ''
  BotControlExcludeRule5:
    Description: 'The rule whose actions are set to COUNT by the web ACL. This effectively excludes the rule from acting on web requests. (Valid rule names: https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-list.html#aws-managed-rule-groups-bot)'
    Type: String
    Default: ''
  BotControlExcludeRule6:
    Description: 'The rule whose actions are set to COUNT by the web ACL. This effectively excludes the rule from acting on web requests. (Valid rule names: https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-list.html#aws-managed-rule-groups-bot)'
    Type: String
    Default: ''
  CCodes:
    Description: "An array of two-character country codes that you want to match against"
    Type: String
    Default: ""
  KinesisStack:
    Description: 'Kinesis stack for WAF logging'
    Type: String
    Default: 'kinesis-waf'
Conditions:
  EnableRateLimit: !Not [!Equals [!Ref RateLimitEffect, 'Disable']]
  BlockRateLimit: !Equals [!Ref RateLimitEffect, 'Block']
  EnableReputationList: !Not [!Equals [!Ref ReputationListEffect, 'Disable']]
  BlockReputationList: !Equals [!Ref ReputationListEffect, 'Block']
  EnableBotControl: !Not [!Equals [!Ref BotControlEffect, 'Disable']]
  BlockBotControl: !Equals [!Ref BotControlEffect, 'Block']
  HasBotControlExcludeRule1: !Not [!Equals [!Ref BotControlExcludeRule1, '']]
  HasBotControlExcludeRule2: !Not [!Equals [!Ref BotControlExcludeRule2, '']]
  HasBotControlExcludeRule3: !Not [!Equals [!Ref BotControlExcludeRule3, '']]
  HasBotControlExcludeRule4: !Not [!Equals [!Ref BotControlExcludeRule4, '']]
  HasBotControlExcludeRule5: !Not [!Equals [!Ref BotControlExcludeRule5, '']]
  HasBotControlExcludeRule6: !Not [!Equals [!Ref BotControlExcludeRule6, '']]
  EnableGeolocation: !Not [!Equals [!Ref CCodes, ""]]
Resources:
  WebACL:
    Type: 'AWS::WAFv2::WebACL'
    Properties:
      DefaultAction:
        Allow: {}
      Description: !Sub 'A collection of rules for ${AWS::StackName}.'
      Name: !Ref 'AWS::StackName'
      Rules:
      - !If
        - EnableReputationList
        - Name: AWSReputationList
          Priority: 6
          OverrideAction: !If
          - BlockReputationList
          - None: {}
          - Count: {}
          VisibilityConfig:
            SampledRequestsEnabled: true
            CloudWatchMetricsEnabled: true
            MetricName: AWSReputationList
          Statement:
            ManagedRuleGroupStatement:
              VendorName: AWS
              Name: AWSManagedRulesAmazonIpReputationList
        - !Ref 'AWS::NoValue'
      - !If
        - EnableRateLimit
        - Name: RateLimit
          Priority: 4
          Statement:
            RateBasedStatement:
              Limit: !Ref RateLimit
              AggregateKeyType: IP
          Action: !If
          - BlockRateLimit
          - Block: {}
          - Count: {}
          VisibilityConfig:
            SampledRequestsEnabled: true
            CloudWatchMetricsEnabled: true
            MetricName: RateLimit
        - !Ref 'AWS::NoValue'
      - !If
        - EnableBotControl
        - Name: AWSBotControl
          Priority: 5
          OverrideAction: !If
          - BlockBotControl
          - None: {}
          - Count: {}
          VisibilityConfig:
            SampledRequestsEnabled: true
            CloudWatchMetricsEnabled: true
            MetricName: AWSBotControl
          Statement:
            ManagedRuleGroupStatement:
              VendorName: AWS
              Name: AWSManagedRulesBotControlRuleSet
              ExcludedRules:
              - !If [HasBotControlExcludeRule1, {Name: !Ref BotControlExcludeRule1}, !Ref 'AWS::NoValue']
              - !If [HasBotControlExcludeRule2, {Name: !Ref BotControlExcludeRule2}, !Ref 'AWS::NoValue']
              - !If [HasBotControlExcludeRule3, {Name: !Ref BotControlExcludeRule3}, !Ref 'AWS::NoValue']
              - !If [HasBotControlExcludeRule4, {Name: !Ref BotControlExcludeRule4}, !Ref 'AWS::NoValue']
              - !If [HasBotControlExcludeRule5, {Name: !Ref BotControlExcludeRule5}, !Ref 'AWS::NoValue']
              - !If [HasBotControlExcludeRule6, {Name: !Ref BotControlExcludeRule6}, !Ref 'AWS::NoValue']
        - !Ref 'AWS::NoValue'
      - !If
        - EnableGeolocation
        - Name: restrict-country
          Priority: 3
          Statement:
            GeoMatchStatement:
              CountryCodes:
                Fn::Split:
                  - ","
                  - !Ref CCodes
          Action:
            Count: {}
          VisibilityConfig:
            SampledRequestsEnabled: true
            CloudWatchMetricsEnabled: true
            MetricName: restrict-country
        - !Ref "AWS::NoValue"


      Scope: !Ref Scope
      VisibilityConfig:
        CloudWatchMetricsEnabled: true
        MetricName: !Ref 'AWS::StackName'
        SampledRequestsEnabled: true
Resources:
  MyIPSetdenyb:
    Type: AWS::WAFv2::IPSet
    Properties:
      Name: MyIPSetb
      Description: IP Set to deny access to specific IP addresses
      Scope: REGIONAL
      IPAddressVersion: IPV4
      Addresses:
        - 192.0.2.44/32
  MyIPSetAllowb:
    Type: AWS::WAFv2::IPSet
    Properties:
      Name: MyIPSetAllowb
      Description: IP Set to deny access to 
      Scope: REGIONAL
      IPAddressVersion: IPV4
      Addresses:
        - 10.0.0.0/32
  MyIPSetRule:
    Type: AWS::WAFv2::RuleGroup
    Properties:
      Name: MyIPSetRuleb
      Description: Rule to use IPSet for denial
      Scope: REGIONAL
      Capacity: 1500
      Rules:
        - Action:
            Block: {}
          Name: MyIPSetDenyb
          Priority: 1
          Statement:
            IPSetReferenceStatement:
             Arn: !GetAtt MyIPSetdenyb.Arn 
          VisibilityConfig:
            SampledRequestsEnabled: true
            CloudWatchMetricsEnabled: true
            MetricName: aws-waf-logs-dev-inf-deny
        - Action:
            Allow: {}
          Name: MyIPSetAllowb
          Priority: 2
          Statement:
            IPSetReferenceStatement:
             Arn: !GetAtt MyIPSetAllowb.Arn
          VisibilityConfig:
            SampledRequestsEnabled: true
            CloudWatchMetricsEnabled: true
            MetricName: aws-waf-logs-dev-inf-allow
      VisibilityConfig:
        CloudWatchMetricsEnabled: true
        MetricName: waf-metric
        SampledRequestsEnabled: true

  WebACL:
    Type: AWS::WAFv2::WebACL
    Properties:
      DefaultAction:
        Allow: {}
      Name: waf-acl
      Rules:
        - Name: managed-rule
          OverrideAction:
            None: {}
          Priority: 7
          Statement:
            ManagedRuleGroupStatement:
              Name: AWSManagedRulesCommonRuleSet
              VendorName: AWS
          VisibilityConfig:
            CloudWatchMetricsEnabled: true
            MetricName: AWSManagedRulesCommonRuleSet
            SampledRequestsEnabled: true
            
            
        - Name: BadInputRuleSet
          OverrideAction:
            None: {}
          Priority: 8
          Statement:
            ManagedRuleGroupStatement:
              Name: AWSManagedRulesKnownBadInputsRuleSet
              VendorName: AWS
          VisibilityConfig:
            CloudWatchMetricsEnabled: true
            MetricName: AWS-AWSManagedRulesKnownBadInputsRuleSet
            SampledRequestsEnabled: true
            
            
        - Name: custom-rule-group
          OverrideAction:
            None: {}
          Priority: 0
          Statement:
            RuleGroupReferenceStatement:
                Arn: !GetAtt MyIPSetRule.Arn
          VisibilityConfig:
            CloudWatchMetricsEnabled: true
            MetricName: custom-rule-group
            SampledRequestsEnabled: true
      Scope: REGIONAL
      VisibilityConfig:
        CloudWatchMetricsEnabled: true
        MetricName: waf-acl
        SampledRequestsEnabled: true
  # WAFLogGroup:
  #   Type: AWS::Logs::LogGroup
  #   Properties:
  #     RetentionInDays: 7
  #     LogGroupName: aws-waf-logs-cidm

  # WafLoggingConfiguration:
  #   Type: AWS::WAFv2::LoggingConfiguration
  #   DependsOn:
  #     - WAFLogGroup
  #   Properties:
  #     ResourceArn: !GetAtt WebACL.Arn
  #     LogDestinationConfigs:
  #     - { "Fn::ImportValue": !Sub "${KinesisStack}-KinesisArn" }
  #     - !Sub "arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:aws-waf-logs-cidm"

Outputs:
  StackName:
    Description: 'Stack name.'
    Value: !Sub '${AWS::StackName}'
  WebACL:
    Description: 'The ARN of the Web ACL.'
    Value: !GetAtt 'WebACL.Arn'
    Export:
      Name: !Sub '${AWS::StackName}-WebACL'
Gowtham
asked 10 months ago, 320 views
3 Answers
0
Accepted Answer

Hello there, the reason your CFN template creates only 4 rules is the conditions in your CFN template. If you leave the parameters on Disable (for RateLimitEffect, ReputationListEffect, BotControlEffect) and empty "" for CCodes, these rules will not be created.

Conditions:
  EnableRateLimit: !Not [!Equals [!Ref RateLimitEffect, 'Disable']]
  BlockRateLimit: !Equals [!Ref RateLimitEffect, 'Block']
  EnableReputationList: !Not [!Equals [!Ref ReputationListEffect, 'Disable']]
  BlockReputationList: !Equals [!Ref ReputationListEffect, 'Block']
  EnableBotControl: !Not [!Equals [!Ref BotControlEffect, 'Disable']]
  BlockBotControl: !Equals [!Ref BotControlEffect, 'Block']
  HasBotControlExcludeRule1: !Not [!Equals [!Ref BotControlExcludeRule1, '']]
  HasBotControlExcludeRule2: !Not [!Equals [!Ref BotControlExcludeRule2, '']]
  HasBotControlExcludeRule3: !Not [!Equals [!Ref BotControlExcludeRule3, '']]
  HasBotControlExcludeRule4: !Not [!Equals [!Ref BotControlExcludeRule4, '']]
  HasBotControlExcludeRule5: !Not [!Equals [!Ref BotControlExcludeRule5, '']]
  HasBotControlExcludeRule6: !Not [!Equals [!Ref BotControlExcludeRule6, '']]
  EnableGeolocation: !Not [!Equals [!Ref CCodes, ""]]

Please refer to the screenshots below for the parameters I am referring to.

To resolve this issue, set these parameters to Block/Count and add at least one two-letter country code in the CCodes parameter; then the rules will be created. I have run another test of the code, and it does deploy all 7 rules if the parameters are set correctly when you deploy the CFN template.

[screenshot: stack parameters]

[screenshot: stack parameters]

Screenshot with the parameters set to Count: [screenshot]

AWS
answered 10 months ago
EXPERT
Kallu
reviewed 7 months ago
  • Hi there! Yes, it works now. Thank you so much for taking the time to help me out. I am a beginner in CF and YAML. Now I am starting to understand CF and YAML templates better. Once again, this help means a lot to me. Stay blessed and keep sharing knowledge!
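
The accepted answer's point, that every conditional rule sits inside an !If and is dropped when its condition evaluates to false, can be checked offline before a stack is deployed. The Python below is an added example, not code from the answer or from AWS. It re-implements only the intrinsic functions the template uses (Ref, Fn::Equals, Fn::Not, Fn::If and AWS::NoValue) in their JSON form, and holds a constructed, reduced copy of the web ACL's Rules list in which the rule names, priorities and condition names match the template and everything else is omitted. It reports which rules survive for a given set of parameter values and also checks that the surviving priorities are unique, which WAFv2 requires within a web ACL.

```python
"""Predict which WebACL rules a CloudFormation template will emit.

Added example, not code from the original post. Only the intrinsic
functions used by the template are implemented, in the JSON form of
the YAML short tags (!Ref -> Ref, !Not -> Fn::Not, !If -> Fn::If).
"""

# Sentinel for !Ref 'AWS::NoValue'; evaluate() returns this exact object.
NO_VALUE = {"Ref": "AWS::NoValue"}

# Conditions section of the template, JSON form.
CONDITIONS = {
    "EnableRateLimit": {"Fn::Not": [{"Fn::Equals": [{"Ref": "RateLimitEffect"}, "Disable"]}]},
    "EnableReputationList": {"Fn::Not": [{"Fn::Equals": [{"Ref": "ReputationListEffect"}, "Disable"]}]},
    "EnableBotControl": {"Fn::Not": [{"Fn::Equals": [{"Ref": "BotControlEffect"}, "Disable"]}]},
    "EnableGeolocation": {"Fn::Not": [{"Fn::Equals": [{"Ref": "CCodes"}, ""]}]},
}

# Parameter defaults as declared in the template.
DEFAULTS = {
    "RateLimitEffect": "Block",
    "ReputationListEffect": "Disable",
    "BotControlEffect": "Disable",
    "CCodes": "",
}

# Constructed, reduced copy of the web ACL's Rules list: name, priority, condition only.
RULES = [
    {"Fn::If": ["EnableReputationList", {"Name": "AWSReputationList", "Priority": 6}, NO_VALUE]},
    {"Fn::If": ["EnableRateLimit", {"Name": "RateLimit", "Priority": 4}, NO_VALUE]},
    {"Fn::If": ["EnableBotControl", {"Name": "AWSBotControl", "Priority": 5}, NO_VALUE]},
    {"Fn::If": ["EnableGeolocation", {"Name": "restrict-country", "Priority": 3}, NO_VALUE]},
    {"Name": "managed-rule", "Priority": 7},
    {"Name": "BadInputRuleSet", "Priority": 8},
    {"Name": "custom-rule-group", "Priority": 0},
]


def evaluate(node, params, conditions):
    """Resolve Ref / Fn::Equals / Fn::Not / Fn::If; any other value passes through."""
    if isinstance(node, dict) and len(node) == 1:
        fn, arg = next(iter(node.items()))
        if fn == "Ref":
            return NO_VALUE if arg == "AWS::NoValue" else params[arg]
        if fn == "Fn::Equals":
            left, right = (evaluate(x, params, conditions) for x in arg)
            return left == right
        if fn == "Fn::Not":
            return not evaluate(arg[0], params, conditions)
        if fn == "Fn::If":
            cond_name, if_true, if_false = arg
            chosen = if_true if condition_value(cond_name, params, conditions) else if_false
            return evaluate(chosen, params, conditions)
    return node


def condition_value(name, params, conditions):
    """True/False for a named entry of the Conditions section."""
    return bool(evaluate(conditions[name], params, conditions))


def emitted_rules(rules, params, conditions=CONDITIONS):
    """(name, priority) of every rule that survives, sorted by priority.

    Entries that resolve to AWS::NoValue are removed from the list, which is
    exactly what CloudFormation does with them.
    """
    out = []
    for rule in rules:
        resolved = evaluate(rule, params, conditions)
        if resolved is NO_VALUE:
            continue
        out.append((resolved["Name"], resolved["Priority"]))
    return sorted(out, key=lambda r: r[1])


def duplicate_priorities(rules, params, conditions=CONDITIONS):
    """Priorities used by more than one surviving rule (must be empty for WAFv2)."""
    by_priority = {}
    for name, prio in emitted_rules(rules, params, conditions):
        by_priority.setdefault(prio, []).append(name)
    return {p: names for p, names in by_priority.items() if len(names) > 1}


if __name__ == "__main__":
    print("template defaults:", emitted_rules(RULES, DEFAULTS))
    enabled = dict(DEFAULTS, ReputationListEffect="Count", BotControlEffect="Count", CCodes="US,DE")
    print("all effects enabled:", emitted_rules(RULES, enabled))
    print("priority clashes:", duplicate_priorities(RULES, enabled))
```

With the template defaults (RateLimitEffect Block, the other two effects Disable, CCodes empty) four rules survive; setting the three effects to Count or Block and giving CCodes a value yields all seven, matching the counts in the answer. The evaluator deliberately covers only the functions this template uses (no Fn::And, Fn::Or or pseudo parameters), so extend it before pointing it at a larger template.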

0

Hello there, I have corrected the CFN template for you. You currently have two different resource sections with two different WAF web ACL configurations. I have consolidated all the resources under one section and added all the rules under one web ACL. My tests show that the rules are being created as expected. See screenshot below:

Screenshot after deploying CFN template

AWSTemplateFormatVersion: '2010-09-09'
Description: 'Security: WAF (Web Application Firewall)'
Metadata:
  'AWS::CloudFormation::Interface':
    ParameterGroups:
    - Label:
        default: 'WAF Parameters'
      Parameters:
      - Scope
      - RateLimit
      - RateLimitEffect
      - ReputationListEffect
      - BotControlEffect
      - BotControlExcludeRule1
      - BotControlExcludeRule2
      - BotControlExcludeRule3
      - BotControlExcludeRule4
      - BotControlExcludeRule5
      - BotControlExcludeRule6
Parameters:
  KinesisArn:
    Description: 'Kinesis data stream arn that pushes logs to centralised S3 bucket'
    Type: String
    Default: arn:aws:-environment
  Scope:
    Description: 'Specify whether WAF shall be used with CloudFront (us-east-1 only!) or regional (ALB, API Gateway, and AppSync).'
    Type: String
    Default: 'REGIONAL'
    AllowedValues:
    - 'REGIONAL'
    - 'CLOUDFRONT'
  RateLimit:
    Description: 'The maximum number of requests from a single IP address that are allowed in a five-minute period.'
    Type: Number
    Default: 100
    MinValue: 100
    MaxValue: 20000000
  RateLimitEffect:
    Description: 'Block or count requests that exceed the rate limit. Alternatively, disable rate limiting altogether.'
    Type: String
    Default: 'Block'
    AllowedValues:
    - 'Disable'
    - 'Block'
    - 'Count'
  ReputationListEffect:
    Description: 'Block or count requests with bad reputation. Alternatively, disable the reputation list altogether.'
    Type: String
    Default: 'Disable'
    AllowedValues:
    - 'Disable'
    - 'Block'
    - 'Count'
  BotControlEffect:
    Description: 'Block or count requests from bots. Alternatively, disable bot control altogether.'
    Type: String
    Default: 'Disable'
    AllowedValues:
    - 'Disable'
    - 'Block'
    - 'Count'
  BotControlExcludeRule1:
    Description: 'The rule whose actions are set to COUNT by the web ACL. This effectively excludes the rule from acting on web requests. (Valid rule names: https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-list.html#aws-managed-rule-groups-bot)'
    Type: String
    Default: ''
  BotControlExcludeRule2:
    Description: 'The rule whose actions are set to COUNT by the web ACL. This effectively excludes the rule from acting on web requests. (Valid rule names: https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-list.html#aws-managed-rule-groups-bot)'
    Type: String
    Default: ''
  BotControlExcludeRule3:
    Description: 'The rule whose actions are set to COUNT by the web ACL. This effectively excludes the rule from acting on web requests. (Valid rule names: https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-list.html#aws-managed-rule-groups-bot)'
    Type: String
    Default: ''
  BotControlExcludeRule4:
    Description: 'The rule whose actions are set to COUNT by the web ACL. This effectively excludes the rule from acting on web requests. (Valid rule names: https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-list.html#aws-managed-rule-groups-bot)'
    Type: String
    Default: ''
  BotControlExcludeRule5:
    Description: 'The rule whose actions are set to COUNT by the web ACL. This effectively excludes the rule from acting on web requests. (Valid rule names: https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-list.html#aws-managed-rule-groups-bot)'
    Type: String
    Default: ''
  BotControlExcludeRule6:
    Description: 'The rule whose actions are set to COUNT by the web ACL. This effectively excludes the rule from acting on web requests. (Valid rule names: https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-list.html#aws-managed-rule-groups-bot)'
    Type: String
    Default: ''
  CCodes:
    Description: "An array of two-character country codes that you want to match against"
    Type: String
    Default: ""
  KinesisStack:
    Description: 'Kinesis stack for WAF logging'
    Type: String
    Default: 'kinesis-waf'
Conditions:
  EnableRateLimit: !Not [!Equals [!Ref RateLimitEffect, 'Disable']]
  BlockRateLimit: !Equals [!Ref RateLimitEffect, 'Block']
  EnableReputationList: !Not [!Equals [!Ref ReputationListEffect, 'Disable']]
  BlockReputationList: !Equals [!Ref ReputationListEffect, 'Block']
  EnableBotControl: !Not [!Equals [!Ref BotControlEffect, 'Disable']]
  BlockBotControl: !Equals [!Ref BotControlEffect, 'Block']
  HasBotControlExcludeRule1: !Not [!Equals [!Ref BotControlExcludeRule1, '']]
  HasBotControlExcludeRule2: !Not [!Equals [!Ref BotControlExcludeRule2, '']]
  HasBotControlExcludeRule3: !Not [!Equals [!Ref BotControlExcludeRule3, '']]
  HasBotControlExcludeRule4: !Not [!Equals [!Ref BotControlExcludeRule4, '']]
  HasBotControlExcludeRule5: !Not [!Equals [!Ref BotControlExcludeRule5, '']]
  HasBotControlExcludeRule6: !Not [!Equals [!Ref BotControlExcludeRule6, '']]
  EnableGeolocation: !Not [!Equals [!Ref CCodes, ""]]
Resources:
  WebACL:
    Type: 'AWS::WAFv2::WebACL'
    Properties:
      DefaultAction:
        Allow: {}
      Description: !Sub 'A collection of rules for ${AWS::StackName}.'
      Name: !Ref 'AWS::StackName'
      Rules:
      
      - !If
        - EnableReputationList
        - Name: AWSReputationList
          Priority: 6
          OverrideAction: !If
          - BlockReputationList
          - None: {}
          - Count: {}
          VisibilityConfig:
            SampledRequestsEnabled: true
            CloudWatchMetricsEnabled: true
            MetricName: AWSReputationList
          Statement:
            ManagedRuleGroupStatement:
              VendorName: AWS
              Name: AWSManagedRulesAmazonIpReputationList
        - !Ref 'AWS::NoValue'
      - !If
        - EnableRateLimit
        - Name: RateLimit
          Priority: 4
          Statement:
            RateBasedStatement:
              Limit: !Ref RateLimit
              AggregateKeyType: IP
          Action: !If
          - BlockRateLimit
          - Block: {}
          - Count: {}
          VisibilityConfig:
            SampledRequestsEnabled: true
            CloudWatchMetricsEnabled: true
            MetricName: RateLimit
        - !Ref 'AWS::NoValue'
      - !If
        - EnableBotControl
        - Name: AWSBotControl
          Priority: 5
          OverrideAction: !If
          - BlockBotControl
          - None: {}
          - Count: {}
          VisibilityConfig:
            SampledRequestsEnabled: true
            CloudWatchMetricsEnabled: true
            MetricName: AWSBotControl
          Statement:
            ManagedRuleGroupStatement:
              VendorName: AWS
              Name: AWSManagedRulesBotControlRuleSet
              ExcludedRules:
              - !If [HasBotControlExcludeRule1, {Name: !Ref BotControlExcludeRule1}, !Ref 'AWS::NoValue']
              - !If [HasBotControlExcludeRule2, {Name: !Ref BotControlExcludeRule2}, !Ref 'AWS::NoValue']
              - !If [HasBotControlExcludeRule3, {Name: !Ref BotControlExcludeRule3}, !Ref 'AWS::NoValue']
              - !If [HasBotControlExcludeRule4, {Name: !Ref BotControlExcludeRule4}, !Ref 'AWS::NoValue']
              - !If [HasBotControlExcludeRule5, {Name: !Ref BotControlExcludeRule5}, !Ref 'AWS::NoValue']
              - !If [HasBotControlExcludeRule6, {Name: !Ref BotControlExcludeRule6}, !Ref 'AWS::NoValue']
        - !Ref 'AWS::NoValue'
      - !If
        - EnableGeolocation
        - Name: restrict-country
          Priority: 3
          Statement:
            GeoMatchStatement:
              CountryCodes:
                Fn::Split:
                  - ","
                  - !Ref CCodes
          Action:
            Count: {}
          VisibilityConfig:
            SampledRequestsEnabled: true
            CloudWatchMetricsEnabled: true
            MetricName: restrict-country
        - !Ref "AWS::NoValue"

      - Name: managed-rule
        OverrideAction:
          None: {}
        Priority: 7
        Statement:
          ManagedRuleGroupStatement:
            Name: AWSManagedRulesCommonRuleSet
            VendorName: AWS
        VisibilityConfig:
          CloudWatchMetricsEnabled: true
          MetricName: AWSManagedRulesCommonRuleSet
          SampledRequestsEnabled: true
            
            
      - Name: BadInputRuleSet
        OverrideAction:
          None: {}
        Priority: 8
        Statement:
          ManagedRuleGroupStatement:
            Name: AWSManagedRulesKnownBadInputsRuleSet
            VendorName: AWS
        VisibilityConfig:
          CloudWatchMetricsEnabled: true
          MetricName: AWS-AWSManagedRulesKnownBadInputsRuleSet
          SampledRequestsEnabled: true
          
            
      - Name: custom-rule-group
        OverrideAction:
          None: {}
        Priority: 0
        Statement:
          RuleGroupReferenceStatement:
              Arn: !GetAtt MyIPSetRule.Arn
        VisibilityConfig:
          CloudWatchMetricsEnabled: true
          MetricName: custom-rule-group
          SampledRequestsEnabled: true

      Scope: !Ref Scope
      VisibilityConfig:
        CloudWatchMetricsEnabled: true
        MetricName: !Ref 'AWS::StackName'
        SampledRequestsEnabled: true

  MyIPSetdenyb:
    Type: AWS::WAFv2::IPSet
    Properties:
      Name: MyIPSetb
      Description: IP Set to deny access to specific IP addresses
      Scope: !Ref Scope  # must match the scope of the web ACL that references it
      IPAddressVersion: IPV4
      Addresses:
        - 192.0.2.44/32
  MyIPSetAllowb:
    Type: AWS::WAFv2::IPSet
    Properties:
      Name: MyIPSetAllowb
      Description: IP Set to deny access to 
      Scope: !Ref Scope  # must match the scope of the web ACL that references it
      IPAddressVersion: IPV4
      Addresses:
        - 10.0.0.0/32
  MyIPSetRule:
    Type: AWS::WAFv2::RuleGroup
    Properties:
      Name: MyIPSetRuleb
      Description: Rule to use IPSet for denial
      Scope: !Ref Scope  # a rule group can only be referenced by a web ACL of the same scope
      Capacity: 1500
      Rules:
        - Action:
            Block: {}
          Name: MyIPSetDenyb
          Priority: 1
          Statement:
            IPSetReferenceStatement:
             Arn: !GetAtt MyIPSetdenyb.Arn 
          VisibilityConfig:
            SampledRequestsEnabled: true
            CloudWatchMetricsEnabled: true
            MetricName: aws-waf-logs-dev-inf-deny
        - Action:
            Allow: {}
          Name: MyIPSetAllowb
          Priority: 2
          Statement:
            IPSetReferenceStatement:
             Arn: !GetAtt MyIPSetAllowb.Arn
          VisibilityConfig:
            SampledRequestsEnabled: true
            CloudWatchMetricsEnabled: true
            MetricName: aws-waf-logs-dev-inf-allow
      VisibilityConfig:
        CloudWatchMetricsEnabled: true
        MetricName: waf-metric
        SampledRequestsEnabled: true
        
  # WAFLogGroup:
  #   Type: AWS::Logs::LogGroup
  #   Properties:
  #     RetentionInDays: 7
  #     LogGroupName: aws-waf-logs-cidm

  # WafLoggingConfiguration:
  #   Type: AWS::WAFv2::LoggingConfiguration
  #   DependsOn:
  #     - WAFLogGroup
  #   Properties:
  #     ResourceArn: !GetAtt WebACL.Arn
  #     LogDestinationConfigs:
  #     - { "Fn::ImportValue": !Sub "${KinesisStack}-KinesisArn" }
  #     - !Sub "arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:aws-waf-logs-cidm"

Outputs:
  StackName:
    Description: 'Stack name.'
    Value: !Sub '${AWS::StackName}'
  WebACL:
    Description: 'The ARN of the Web ACL.'
    Value: !GetAtt 'WebACL.Arn'
    Export:
      Name: !Sub '${AWS::StackName}-WebACL'
AWS
answered 10 months ago
EXPERT
Kallu
reviewed 7 months ago
  • Hi, thanks for your effort, I am grateful. Unfortunately, the modified template now creates only five rules (IPDeny, IPAllow, RateLimit, CommonRuleSet and KnownBadInputsRule). Missing rules: AWSBotControl, Restrict-Country and ReputationList. I will include the screenshot in the answers section. Kindly help me fix the last mistake in the template. Thanks a lot for looking into it.
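
The consolidation in this answer addresses a structural defect in the question's template: two top-level Resources keys. A YAML mapping cannot carry the same key twice, and parsers that do not reject the duplicate (PyYAML, for one) keep only the last occurrence, so everything declared under the first Resources section disappears without any error being raised, which matches the symptom the question describes. The Python below is an added example, not code from the answer; it scans the raw template text for repeated top-level keys using only the standard library, and runs here on a constructed miniature of the question's template.

```python
"""Flag duplicate top-level keys in a CloudFormation YAML template.

Added example, not code from the original answer. It works on the raw
text so that no YAML library (which might silently collapse the
duplicate) is involved.
"""
import re

# A top-level key: no indentation, identifier, colon, then a space or end of line.
TOP_LEVEL_KEY = re.compile(r"^([A-Za-z][A-Za-z0-9]*):(?:\s|$)")


def top_level_keys(text):
    """Yield (line_number, key) for each mapping key at indentation zero."""
    for lineno, line in enumerate(text.splitlines(), start=1):
        # Indented lines, comments and blank lines are never top-level keys.
        if line.startswith((" ", "\t", "#")) or not line.strip():
            continue
        match = TOP_LEVEL_KEY.match(line)
        if match:
            yield lineno, match.group(1)


def duplicate_top_level_keys(text):
    """Return {key: [line numbers]} for every top-level key declared more than once."""
    seen = {}
    for lineno, key in top_level_keys(text):
        seen.setdefault(key, []).append(lineno)
    return {key: lines for key, lines in seen.items() if len(lines) > 1}


# Constructed miniature of the question's template: two 'Resources:' keys.
SAMPLE = """\
AWSTemplateFormatVersion: '2010-09-09'
Resources:
  WebACL:
    Type: 'AWS::WAFv2::WebACL'
    Properties:
      Name: first-acl
Resources:
  WebACL:
    Type: AWS::WAFv2::WebACL
    Properties:
      Name: waf-acl
Outputs:
  StackName:
    Value: !Ref 'AWS::StackName'
"""

if __name__ == "__main__":
    for key, lines in duplicate_top_level_keys(SAMPLE).items():
        print(f"duplicate top-level key {key!r} on lines {lines}: "
              f"a parser that keeps the last occurrence drops everything under line {lines[0]}")
```

Run it over the full template file before deploying (read the file into a string and pass it to duplicate_top_level_keys). cfn-lint also rejects duplicate keys, but this check has no dependencies and can sit in a pre-commit hook.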

0

[screenshot: cfwaf]

Gowtham
answered 10 months ago
