Stacktape
Stacktape


Web App Firewall

This example shows a basic web app firewall configuration.

Web Application Firewall resource

  • You can use firewall to protect your resources from common web exploits that could affect application availability, compromise security, or consume excessive resources.

Basic example

resources:
myWebAppFirewall:
type: web-app-firewall
properties:
# Specifies whether this firewall is to be used with CDN or with regional resources
#
# - Use `cdn` if you wish to use firewall with CDN - CDN can be enabled on resources such as HTTP API Gateway, Bucket, Application load balancer or Web Service.
# - Use `regional` if you wish to use firewall directly with one of the following resources: Application load balancer, User Pool or Web Service
#
# - Type: enum: [cdn, regional]
# - Required: true
# - Allowed values: [cdn, regional]
scope: cdn
# Default action for the firewall if no rule matches
#
# - `Allow` – If you want to allow most users to access your website, but you want to block access to attackers whose requests originate from specified IP addresses,
# or whose requests appear to contain malicious SQL code or specified values, choose Allow for the default action. Then, when you add rules to your firewall, add
# rules that identify and block the specific requests that you want to block.
# - `Block` – If you want to prevent most users from accessing your website, but you want to allow access to users whose requests originate from specified IP addresses,
# or whose requests contain specified values, choose Block for the default action. Then when you add rules to your firewall, add rules that identify and allow the
# specific requests that you want to allow in. By default, for the Block action, the AWS resource responds with an HTTP 403 (Forbidden) status code.
# the response.
#
# - Type: enum: [Allow, Block]
# - Required: false
# - Default: 'Allow'
# - Allowed values: [Allow, Block]
defaultAction: 'Allow'
# List of rules to be used by the firewall
#
# Rule can be a reference to **managed-rule-group** or user defined **custom-rule-group** or **rate-based-rule**.
# - **managed-rule-group**
# - references rule group pre-created by AWS or other vendors for specific use cases.
# - referenced by `name` and `vendorName`,
# - For more information refer to [AWS Docs](https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-list.html)
# - **custom-rule-group**
# - references custom rule group created by you.
# - referenced by rule group's `arn`
# - **rate-based-rule**
# - tracks the rate of requests for each originating IP address, and triggers the rule action when the rate
# exceeds a limit that you specify on the number of requests in any 5-minute time span
# - you can use this to put a temporary block on requests from an IP address that is sending excessive requests.
# - For more information refer to [AWS Docs](https://docs.aws.amazon.com/waf/latest/APIReference/API_RateBasedStatement.html)
#
# - If you do not specify any rules, the stacktape will use managed rule groups `AWSManagedRulesCommonRuleSet` and `AWSManagedRulesKnownBadInputsRuleSet` to protect your application.
#
# - Type: array<union (anyOf)>
# - Required: false
rules:
# Array of objects
# A map of custom response keys and content bodies
#
# When you create a rule with a block action, you can send a custom response to the web request. You
# define these for the firewall, and then use them in the rules and default actions
# that you define.
#
# - Type: object
# - Required: false
# Determines how long (in seconds) a solved CAPTCHA challenge (after triggered rule's `Captcha` action) remains valid. [AWS Docs](https://docs.aws.amazon.com/waf/latest/developerguide/waf-tokens-immunity-times.html)
#
#
# - Type: number
# - Required: false
# - Default: 300
captchaImmunityTime: 300
# Determines how long (in seconds) a solved challenge (after triggered rule's `Challenge` action) remains valid. [AWS Docs](https://docs.aws.amazon.com/waf/latest/developerguide/waf-tokens-immunity-times.html)
#
#
# - Type: number
# - Required: false
# - Default: 300
challengeImmunityTime: 300
# Specifies the domains that firewall should accept in a web request token. This enables the use of tokens across multiple protected websites. [AWS Docs](https://docs.aws.amazon.com/waf/latest/developerguide/waf-tokens-domains.html#waf-tokens-domain-lists)
#
# - Type: array<string>
# - Required: false
tokenDomains:
- example-value
# When set to true collection of metrics for firewall is disabled.
#
# - By default total metrics for the firewall are enabled and can be monitored using AWS CloudWatch or AWS WAF console.
# - To disable metrics collection set `disableMetrics` to `true`.
#
# - Type: boolean
# - Required: false
# - Default: false
disableMetrics: false
# Boolean value that indicates whether requests matching the rule are saved for further analysis.
#
# By default sampled requests are not saved. If you set `sampledRequestsEnabled` to `true`,
# then the requests that match the rule are stored. You can view the sampled requests through
# the AWS WAF console.
#
# - Type: boolean
# - Required: false
# - Default: false
sampledRequestsEnabled: false

Rules alternatives

managed-rule-group

This example shows how to configure rules using managed-rule-group.

resources:
myWebAppFirewall:
type: web-app-firewall
properties:
# List of rules to be used by the firewall
#
# Rule can be a reference to **managed-rule-group** or user defined **custom-rule-group** or **rate-based-rule**.
# - **managed-rule-group**
# - references rule group pre-created by AWS or other vendors for specific use cases.
# - referenced by `name` and `vendorName`,
# - For more information refer to [AWS Docs](https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-list.html)
# - **custom-rule-group**
# - references custom rule group created by you.
# - referenced by rule group's `arn`
# - **rate-based-rule**
# - tracks the rate of requests for each originating IP address, and triggers the rule action when the rate
# exceeds a limit that you specify on the number of requests in any 5-minute time span
# - you can use this to put a temporary block on requests from an IP address that is sending excessive requests.
# - For more information refer to [AWS Docs](https://docs.aws.amazon.com/waf/latest/APIReference/API_RateBasedStatement.html)
#
# - If you do not specify any rules, the stacktape will use managed rule groups `AWSManagedRulesCommonRuleSet` and `AWSManagedRulesKnownBadInputsRuleSet` to protect your application.
#
# - Type: object
# - Required: true
rules:
#
# - Type: string
# - Required: true
type: managed-rule-group
#
# - Type: object
# - Required: true
properties:
# The name of the rule group's vendor.
#
# - Type: string
# - Required: true
vendorName: myVendorName
# Rules are evaluated according to the set integer priority.
#
# Rules with lover priority are evaluated first. The priorities don't need to be consecutive, but they must all be different.
#
# - Type: number
# - Required: true
priority: 100
#
# - Type: string
# - Required: true
name: example-name
# The list of rules to be excluded from the specified rule group.
#
# - Type: array<string>
# - Required: false
excludedRules:
- example-value
# The action to use in the place of the action that results from the rule group evaluation.
#
# Set the override action to none to leave the result of the rule group alone. Set it to count to override the result to count only.
#
# - Type: enum: [Count, None]
# - Required: false
# - Allowed values: [Count, None]
overrideAction: Count
# Boolean value that indicates whether metrics for the rule are enabled.
#
# - By default total metrics for the firewall are enabled and can be monitored using AWS CloudWatch or AWS WAF console.
# - To disable metrics collection set `disableMetrics` to `true`.
#
# - Type: boolean
# - Required: false
# - Default: false
disableMetrics: false
# Boolean value that indicates whether requests matching the rule are saved for further analysis.
#
# - By default sampled requests are not saved. If you set `sampledRequestsEnabled` to `true`,
# the requests that match the rule are stored.
# - You can view the sampled requests through the AWS WAF console.
#
# - Type: boolean
# - Required: false
# - Default: false
sampledRequestsEnabled: false

custom-rule-group

This example shows how to configure rules using custom-rule-group.

resources:
myWebAppFirewall:
type: web-app-firewall
properties:
# List of rules to be used by the firewall
#
# Rule can be a reference to **managed-rule-group** or user defined **custom-rule-group** or **rate-based-rule**.
# - **managed-rule-group**
# - references rule group pre-created by AWS or other vendors for specific use cases.
# - referenced by `name` and `vendorName`,
# - For more information refer to [AWS Docs](https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-list.html)
# - **custom-rule-group**
# - references custom rule group created by you.
# - referenced by rule group's `arn`
# - **rate-based-rule**
# - tracks the rate of requests for each originating IP address, and triggers the rule action when the rate
# exceeds a limit that you specify on the number of requests in any 5-minute time span
# - you can use this to put a temporary block on requests from an IP address that is sending excessive requests.
# - For more information refer to [AWS Docs](https://docs.aws.amazon.com/waf/latest/APIReference/API_RateBasedStatement.html)
#
# - If you do not specify any rules, the stacktape will use managed rule groups `AWSManagedRulesCommonRuleSet` and `AWSManagedRulesKnownBadInputsRuleSet` to protect your application.
#
# - Type: object
# - Required: true
rules:
#
# - Type: string
# - Required: true
type: custom-rule-group
#
# - Type: object
# - Required: true
properties:
# The Amazon Resource Name (ARN) of the rule group.
#
# - For more information on how to create custom rule group refer to [AWS Docs](https://docs.aws.amazon.com/waf/latest/developerguide/working-with-rule-groups.html).
#
# - Type: string
# - Required: true
arn: example-value
# Rules are evaluated according to the set integer priority.
#
# Rules with lover priority are evaluated first. The priorities don't need to be consecutive, but they must all be different.
#
# - Type: number
# - Required: true
priority: 100
#
# - Type: string
# - Required: true
name: example-name
# The action to use in the place of the action that results from the rule group evaluation.
#
# Set the override action to none to leave the result of the rule group alone. Set it to count to override the result to count only.
#
# - Type: enum: [Count, None]
# - Required: false
# - Allowed values: [Count, None]
overrideAction: Count
# Boolean value that indicates whether metrics for the rule are enabled.
#
# - By default total metrics for the firewall are enabled and can be monitored using AWS CloudWatch or AWS WAF console.
# - To disable metrics collection set `disableMetrics` to `true`.
#
# - Type: boolean
# - Required: false
# - Default: false
disableMetrics: false
# Boolean value that indicates whether requests matching the rule are saved for further analysis.
#
# - By default sampled requests are not saved. If you set `sampledRequestsEnabled` to `true`,
# the requests that match the rule are stored.
# - You can view the sampled requests through the AWS WAF console.
#
# - Type: boolean
# - Required: false
# - Default: false
sampledRequestsEnabled: false

rate-based-rule

This example shows how to configure rules using rate-based-rule.

resources:
myWebAppFirewall:
type: web-app-firewall
properties:
# List of rules to be used by the firewall
#
# Rule can be a reference to **managed-rule-group** or user defined **custom-rule-group** or **rate-based-rule**.
# - **managed-rule-group**
# - references rule group pre-created by AWS or other vendors for specific use cases.
# - referenced by `name` and `vendorName`,
# - For more information refer to [AWS Docs](https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-list.html)
# - **custom-rule-group**
# - references custom rule group created by you.
# - referenced by rule group's `arn`
# - **rate-based-rule**
# - tracks the rate of requests for each originating IP address, and triggers the rule action when the rate
# exceeds a limit that you specify on the number of requests in any 5-minute time span
# - you can use this to put a temporary block on requests from an IP address that is sending excessive requests.
# - For more information refer to [AWS Docs](https://docs.aws.amazon.com/waf/latest/APIReference/API_RateBasedStatement.html)
#
# - If you do not specify any rules, the stacktape will use managed rule groups `AWSManagedRulesCommonRuleSet` and `AWSManagedRulesKnownBadInputsRuleSet` to protect your application.
#
# - Type: object
# - Required: true
rules:
#
# - Type: string
# - Required: true
type: rate-based-rule
#
# - Type: object
# - Required: true
properties:
# The maximum number of requests from an identical IP allowed in a five-minute period.
#
# Limit must be between 100 and 20,000,000.
#
# - Type: number
# - Required: true
limit: 100
# Rules are evaluated according to the set integer priority.
#
# Rules with lover priority are evaluated first. The priorities don't need to be consecutive, but they must all be different.
#
# - Type: number
# - Required: true
priority: 100
#
# - Type: string
# - Required: true
name: example-name
# The type of aggregation that you want firewall to use for this rule
#
# - `IP` - Aggregate the request counts based on the IP addresses of the requests.
# - `FORWARDED_IP` - Aggregate the request counts based on the IP addresses in the specified header
# - If you choose this option, you can also specify the `headerName` and `fallbackBehavior` in the `forwardedIPConfig` property.
# - If you don't specify these properties the default values are `X-Forwarded-For` and `NO_MATCH` respectively.
# For more information about rate-based rules refer to [AWS Docs](https://docs.aws.amazon.com/waf/latest/APIReference/API_RateBasedStatement.html)
#
# - Type: enum: [FORWARDED_IP, IP]
# - Required: false
# - Allowed values: [FORWARDED_IP, IP]
aggregateBasedOn: FORWARDED_IP
# The configuration for inspecting IP addresses in an HTTP header that you specify.
#
# `fallbackBehavior` - Specifies what to do when a web request doesn't include the specified header.
# - `MATCH` - Treat the web request as matching the statement.
# - `NO_MATCH` - Treat the web request as not matching the statement.
# `headerName` - The name of the HTTP header to use for the IP address.
# For more information about `forwardedIPConfig` refer to [AWS Docs](https://docs.aws.amazon.com/waf/latest/APIReference/API_ForwardedIPConfig.html)
#
# - Type: object
# - Required: false
forwardedIPConfig:
# You can specify the following fallback behaviors:
#
# - `MATCH` - Treat the web request as matching the rule statement. Firewall applies rule action to the request.
# - `NO_MATCH` - Treat the web request as not matching the rule statement.
#
# - Type: enum: [MATCH, NO_MATCH]
# - Required: true
# - Allowed values: [MATCH, NO_MATCH]
fallbackBehavior: MATCH
# The name of the HTTP header to use for the IP address.
#
# For example, if you specify `X-Forwarded-For` as the header name, firewall inspects the `X-Forwarded-For` header that's included in the web request.
#
# - Type: string
# - Required: true
headerName: myHeaderName
# The action that firewall should take on a web request when it matches the rule's statement. Default is `Block`.
#
# - `Allow` - Allow the web request.
# - `Block` - Block the web request.
# - `Count` - Count the web request and allow it.
# - `Captcha` - Return a CAPTCHA challenge to the client.
# - `Challenge` - Return a challenge to the client.
#
# For more information refer to [AWS Docs](https://docs.aws.amazon.com/waf/latest/APIReference/API_RuleAction.html)
#
# - Type: enum: [Allow, Block, Captcha, Challenge, Count]
# - Required: false
# - Default: 'Block'
# - Allowed values: [Allow, Block, Captcha, Challenge, Count]
action: 'Block'
# Boolean value that indicates whether metrics for the rule are enabled.
#
# - By default total metrics for the firewall are enabled and can be monitored using AWS CloudWatch or AWS WAF console.
# - To disable metrics collection set `disableMetrics` to `true`.
#
# - Type: boolean
# - Required: false
# - Default: false
disableMetrics: false
# Boolean value that indicates whether requests matching the rule are saved for further analysis.
#
# - By default sampled requests are not saved. If you set `sampledRequestsEnabled` to `true`,
# the requests that match the rule are stored.
# - You can view the sampled requests through the AWS WAF console.
#
# - Type: boolean
# - Required: false
# - Default: false
sampledRequestsEnabled: false

Contents