How to exclude the specific rules in AWS Managed Rule group with CloudFormation

1

Hi all,

I'm using CloudFormation to manage an AWS Firewall Manager policy. Following the document here: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-fms-policy.html I have defined SecurityServicePolicyData with type WAFV2. Example code:

"ManagedServiceData": "{\"type\":\"WAFV2\",\"preProcessRuleGroups\":[{\"ruleGroupArn\":null,\"overrideAction\":{\"type\":\"NONE\"},\"managedRuleGroupIdentifier\":{\"version\":null,\"vendorName\":\"AWS\",\"managedRuleGroupName\":\"AWSManagedRulesCommonRuleSet\"},\"ruleGroupType\":\"ManagedRuleGroup\",\"excludeRules\":[]}],\"postProcessRuleGroups\":[],\"defaultAction\":{\"type\":\"ALLOW\"},\"overrideCustomerWebACLAssociation\":false,\"loggingConfiguration\":{\"logDestinationConfigs\":[\"arn:aws:firehose:us-west-2:12345678912:deliverystream/aws-waf-logs-fms-admin-destination\"],\"redactedFields\":[{\"redactedFieldType\":\"SingleHeader\",\"redactedFieldValue\":\"Cookies\"},{\"redactedFieldType\":\"Method\"}]}}"

Now I want to exclude one of the rules within AWSManagedRulesCommonRuleSet, but I don't see any guidelines or examples for doing that. My question is: how do I exclude one of the rules within AWSManagedRulesCommonRuleSet, for example, with CloudFormation?

Regards,

1 answer
0
Accepted answer

Hello there,

Please find below an example to exclude a rule from an AWS Managed Rule group:

{
    "Resources": {
        "PolicyWAFv2": {
            "Type": "AWS::FMS::Policy",
            "Properties": {
                "ExcludeResourceTags": false,
                "PolicyName": "Policy",
                "RemediationEnabled": false,
                "ResourceType": "AWS::ElasticLoadBalancingV2::LoadBalancer",
                "SecurityServicePolicyData": {
                    "Type": "WAFV2",
                    "ManagedServiceData": {
                        "Fn::Sub": "{\"type\":\"WAFV2\",\"preProcessRuleGroups\":[{\"ruleGroupArn\":null,\"overrideAction\":{\"type\":\"NONE\"},\"managedRuleGroupIdentifier\":{\"version\":null,\"vendorName\":\"AWS\",\"managedRuleGroupName\":\"AWSManagedRulesCommonRuleSet\"},\"ruleGroupType\":\"ManagedRuleGroup\",\"excludeRules\":[{\"name\":\"NoUserAgent_HEADER\"}]}],\"postProcessRuleGroups\":[],\"defaultAction\":{\"type\":\"ALLOW\"},\"overrideCustomerWebACLAssociation\":false,\"loggingConfiguration\":{\"logDestinationConfigs\":[\"arn:aws:firehose:us-west-2:12345678912:deliverystream/aws-waf-logs-fms-admin-destination\"],\"redactedFields\":[{\"redactedFieldType\":\"SingleHeader\",\"redactedFieldValue\":\"Cookies\"},{\"redactedFieldType\":\"Method\"}]}}"
                    }
                }
            }
        }
    }
}
Support Engineer
answered 2 years ago
  • Thanks, Zhiyuan. It works for me.
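The thread's fix is to put `{"name": "<RuleName>"}` entries into the `excludeRules` array of the relevant managed rule group inside the `ManagedServiceData` string. Because that string is JSON embedded in JSON, hand-editing it means maintaining all the `\"` escapes, which is where typos creep in. The script below is an added example, not code from the thread or from AWS: it takes an existing `ManagedServiceData` string (a constructed sample based on the question's policy, logging configuration omitted), appends exclusions to the named managed rule group without duplicating entries, refuses if the group is not in the policy, and wraps the result in an `AWS::FMS::Policy` resource so that `json.dumps` produces the escaping for you. The function names and the `PolicyWAFv2` resource layout are this example's own choices.

```python
"""Add excludeRules to a managed rule group in an AWS Firewall Manager (FMS)
WAFv2 ManagedServiceData string, then embed it in an AWS::FMS::Policy.

Added example, not code from the re:Post thread. ManagedServiceData is a JSON
*string* inside the CloudFormation template; building it with json.dumps avoids
writing the nested \\" escapes by hand.
"""
import json
from typing import Iterable, List

# Constructed sample: the policy from the question, trimmed to the fields that
# matter here, with AWSManagedRulesCommonRuleSet and no exclusions yet.
SAMPLE_MANAGED_SERVICE_DATA = json.dumps({
    "type": "WAFV2",
    "preProcessRuleGroups": [{
        "ruleGroupArn": None,
        "overrideAction": {"type": "NONE"},
        "managedRuleGroupIdentifier": {
            "version": None,
            "vendorName": "AWS",
            "managedRuleGroupName": "AWSManagedRulesCommonRuleSet",
        },
        "ruleGroupType": "ManagedRuleGroup",
        "excludeRules": [],
    }],
    "postProcessRuleGroups": [],
    "defaultAction": {"type": "ALLOW"},
    "overrideCustomerWebACLAssociation": False,
})


def _find_managed_group(data: dict, group_name: str) -> dict:
    """Return the single ManagedRuleGroup entry named group_name (pre- or post-process)."""
    candidates = [
        g
        for g in data.get("preProcessRuleGroups", []) + data.get("postProcessRuleGroups", [])
        if g.get("ruleGroupType") == "ManagedRuleGroup"
        and (g.get("managedRuleGroupIdentifier") or {}).get("managedRuleGroupName") == group_name
    ]
    if len(candidates) != 1:
        # Excluding a rule from a group that is not in the policy would silently do nothing;
        # fail loudly instead so the template author notices the mismatch.
        raise ValueError(f"expected exactly one managed rule group {group_name!r}, found {len(candidates)}")
    return candidates[0]


def exclude_managed_rules(managed_service_data: str, group_name: str, rule_names: Iterable[str]) -> str:
    """Return a new ManagedServiceData string with rule_names added to group_name's excludeRules."""
    data = json.loads(managed_service_data)
    group = _find_managed_group(data, group_name)
    excludes = group.setdefault("excludeRules", [])
    already = {e["name"] for e in excludes}
    for name in rule_names:
        if name not in already:  # keep the array free of duplicate entries
            excludes.append({"name": name})
            already.add(name)
    return json.dumps(data, separators=(",", ":"))


def excluded_rule_names(managed_service_data: str, group_name: str) -> List[str]:
    """List the rule names currently excluded for group_name, in order."""
    group = _find_managed_group(json.loads(managed_service_data), group_name)
    return [e["name"] for e in group.get("excludeRules", [])]


def fms_policy_template(managed_service_data: str, policy_name: str = "Policy") -> dict:
    """Wrap the string in an AWS::FMS::Policy resource shaped like the accepted answer's.

    Everything except ManagedServiceData is a placeholder value for illustration.
    """
    return {
        "Resources": {
            "PolicyWAFv2": {
                "Type": "AWS::FMS::Policy",
                "Properties": {
                    "ExcludeResourceTags": False,
                    "PolicyName": policy_name,
                    "RemediationEnabled": False,
                    "ResourceType": "AWS::ElasticLoadBalancingV2::LoadBalancer",
                    "SecurityServicePolicyData": {
                        "Type": "WAFV2",
                        # A plain string works here; Fn::Sub is only needed when
                        # the string references template parameters or resources.
                        "ManagedServiceData": managed_service_data,
                    },
                },
            }
        }
    }


if __name__ == "__main__":
    updated = exclude_managed_rules(
        SAMPLE_MANAGED_SERVICE_DATA, "AWSManagedRulesCommonRuleSet", ["NoUserAgent_HEADER"]
    )
    print(json.dumps(fms_policy_template(updated), indent=2))
```

Two things worth keeping in mind when using this. First, `excludeRules` does not remove the rule: WAF still evaluates it, but its action is overridden to COUNT, so the Firehose logs configured in the policy will show every request the excluded rule would otherwise have blocked, which is the evidence to review before deciding the exclusion is permanent. Second, rule names must match the managed group exactly; `aws wafv2 describe-managed-rule-group --vendor-name AWS --name AWSManagedRulesCommonRuleSet --scope REGIONAL` lists the current names, and a name that is not in the group makes the deployment fail rather than being ignored.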
