Web App Firewall
This example shows a basic web app firewall configuration.
Web Application Firewall resource
- You can use firewall to protect your resources from common web exploits that could affect application availability, compromise security, or consume excessive resources.
Basic example
resources:myWebAppFirewall:type: web-app-firewallproperties:# Specifies whether this firewall is to be used with CDN or with regional resources## - Use `cdn` if you wish to use firewall with CDN - CDN can be enabled on resources such as HTTP API Gateway, Bucket, Application load balancer or Web Service.# - Use `regional` if you wish to use firewall directly with one of the following resources: Application load balancer, User Pool or Web Service## - Type: enum: [cdn, regional]# - Required: true# - Allowed values: [cdn, regional]scope: cdn# Default action for the firewall if no rule matches## - `Allow` – If you want to allow most users to access your website, but you want to block access to attackers whose requests originate from specified IP addresses,# or whose requests appear to contain malicious SQL code or specified values, choose Allow for the default action. Then, when you add rules to your firewall, add# rules that identify and block the specific requests that you want to block.# - `Block` – If you want to prevent most users from accessing your website, but you want to allow access to users whose requests originate from specified IP addresses,# or whose requests contain specified values, choose Block for the default action. Then when you add rules to your firewall, add rules that identify and allow the# specific requests that you want to allow in. By default, for the Block action, the AWS resource responds with an HTTP 403 (Forbidden) status code.# the response.## - Type: enum: [Allow, Block]# - Required: false# - Default: 'Allow'# - Allowed values: [Allow, Block]defaultAction: 'Allow'# List of rules to be used by the firewall## Rule can be a reference to **managed-rule-group** or user defined **custom-rule-group** or **rate-based-rule**.# - **managed-rule-group**# - references rule group pre-created by AWS or other vendors for specific use cases.# - referenced by `name` and `vendorName`,# - For more information refer to [AWS Docs](https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-list.html)# - **custom-rule-group**# - references custom rule group created by you.# - referenced by rule group's `arn`# - **rate-based-rule**# - tracks the rate of requests for each originating IP address, and triggers the rule action when the rate# exceeds a limit that you specify on the number of requests in any 5-minute time span# - you can use this to put a temporary block on requests from an IP address that is sending excessive requests.# - For more information refer to [AWS Docs](https://docs.aws.amazon.com/waf/latest/APIReference/API_RateBasedStatement.html)## - If you do not specify any rules, the stacktape will use managed rule groups `AWSManagedRulesCommonRuleSet` and `AWSManagedRulesKnownBadInputsRuleSet` to protect your application.## - Type: array<union (anyOf)># - Required: falserules:# Array of objects# A map of custom response keys and content bodies## When you create a rule with a block action, you can send a custom response to the web request. You# define these for the firewall, and then use them in the rules and default actions# that you define.## - Type: object# - Required: false# Determines how long (in seconds) a solved CAPTCHA challenge (after triggered rule's `Captcha` action) remains valid. [AWS Docs](https://docs.aws.amazon.com/waf/latest/developerguide/waf-tokens-immunity-times.html)### - Type: number# - Required: false# - Default: 300captchaImmunityTime: 300# Determines how long (in seconds) a solved challenge (after triggered rule's `Challenge` action) remains valid. [AWS Docs](https://docs.aws.amazon.com/waf/latest/developerguide/waf-tokens-immunity-times.html)### - Type: number# - Required: false# - Default: 300challengeImmunityTime: 300# Specifies the domains that firewall should accept in a web request token. This enables the use of tokens across multiple protected websites. [AWS Docs](https://docs.aws.amazon.com/waf/latest/developerguide/waf-tokens-domains.html#waf-tokens-domain-lists)## - Type: array<string># - Required: falsetokenDomains:- example-value# When set to true collection of metrics for firewall is disabled.## - By default total metrics for the firewall are enabled and can be monitored using AWS CloudWatch or AWS WAF console.# - To disable metrics collection set `disableMetrics` to `true`.## - Type: boolean# - Required: false# - Default: falsedisableMetrics: false# Boolean value that indicates whether requests matching the rule are saved for further analysis.## By default sampled requests are not saved. If you set `sampledRequestsEnabled` to `true`,# then the requests that match the rule are stored. You can view the sampled requests through# the AWS WAF console.## - Type: boolean# - Required: false# - Default: falsesampledRequestsEnabled: false
Rules alternatives
managed-rule-group
This example shows how to configure rules using managed-rule-group.
resources:myWebAppFirewall:type: web-app-firewallproperties:# List of rules to be used by the firewall## Rule can be a reference to **managed-rule-group** or user defined **custom-rule-group** or **rate-based-rule**.# - **managed-rule-group**# - references rule group pre-created by AWS or other vendors for specific use cases.# - referenced by `name` and `vendorName`,# - For more information refer to [AWS Docs](https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-list.html)# - **custom-rule-group**# - references custom rule group created by you.# - referenced by rule group's `arn`# - **rate-based-rule**# - tracks the rate of requests for each originating IP address, and triggers the rule action when the rate# exceeds a limit that you specify on the number of requests in any 5-minute time span# - you can use this to put a temporary block on requests from an IP address that is sending excessive requests.# - For more information refer to [AWS Docs](https://docs.aws.amazon.com/waf/latest/APIReference/API_RateBasedStatement.html)## - If you do not specify any rules, the stacktape will use managed rule groups `AWSManagedRulesCommonRuleSet` and `AWSManagedRulesKnownBadInputsRuleSet` to protect your application.## - Type: object# - Required: truerules:## - Type: string# - Required: truetype: managed-rule-group## - Type: object# - Required: trueproperties:# The name of the rule group's vendor.## - Type: string# - Required: truevendorName: myVendorName# Rules are evaluated according to the set integer priority.## Rules with lover priority are evaluated first. The priorities don't need to be consecutive, but they must all be different.## - Type: number# - Required: truepriority: 100## - Type: string# - Required: truename: example-name# The list of rules to be excluded from the specified rule group.## - Type: array<string># - Required: falseexcludedRules:- example-value# The action to use in the place of the action that results from the rule group evaluation.## Set the override action to none to leave the result of the rule group alone. Set it to count to override the result to count only.## - Type: enum: [Count, None]# - Required: false# - Allowed values: [Count, None]overrideAction: Count# Boolean value that indicates whether metrics for the rule are enabled.## - By default total metrics for the firewall are enabled and can be monitored using AWS CloudWatch or AWS WAF console.# - To disable metrics collection set `disableMetrics` to `true`.## - Type: boolean# - Required: false# - Default: falsedisableMetrics: false# Boolean value that indicates whether requests matching the rule are saved for further analysis.## - By default sampled requests are not saved. If you set `sampledRequestsEnabled` to `true`,# the requests that match the rule are stored.# - You can view the sampled requests through the AWS WAF console.## - Type: boolean# - Required: false# - Default: falsesampledRequestsEnabled: false
custom-rule-group
This example shows how to configure rules using custom-rule-group.
resources:myWebAppFirewall:type: web-app-firewallproperties:# List of rules to be used by the firewall## Rule can be a reference to **managed-rule-group** or user defined **custom-rule-group** or **rate-based-rule**.# - **managed-rule-group**# - references rule group pre-created by AWS or other vendors for specific use cases.# - referenced by `name` and `vendorName`,# - For more information refer to [AWS Docs](https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-list.html)# - **custom-rule-group**# - references custom rule group created by you.# - referenced by rule group's `arn`# - **rate-based-rule**# - tracks the rate of requests for each originating IP address, and triggers the rule action when the rate# exceeds a limit that you specify on the number of requests in any 5-minute time span# - you can use this to put a temporary block on requests from an IP address that is sending excessive requests.# - For more information refer to [AWS Docs](https://docs.aws.amazon.com/waf/latest/APIReference/API_RateBasedStatement.html)## - If you do not specify any rules, the stacktape will use managed rule groups `AWSManagedRulesCommonRuleSet` and `AWSManagedRulesKnownBadInputsRuleSet` to protect your application.## - Type: object# - Required: truerules:## - Type: string# - Required: truetype: custom-rule-group## - Type: object# - Required: trueproperties:# The Amazon Resource Name (ARN) of the rule group.## - For more information on how to create custom rule group refer to [AWS Docs](https://docs.aws.amazon.com/waf/latest/developerguide/working-with-rule-groups.html).## - Type: string# - Required: truearn: example-value# Rules are evaluated according to the set integer priority.## Rules with lover priority are evaluated first. The priorities don't need to be consecutive, but they must all be different.## - Type: number# - Required: truepriority: 100## - Type: string# - Required: truename: example-name# The action to use in the place of the action that results from the rule group evaluation.## Set the override action to none to leave the result of the rule group alone. Set it to count to override the result to count only.## - Type: enum: [Count, None]# - Required: false# - Allowed values: [Count, None]overrideAction: Count# Boolean value that indicates whether metrics for the rule are enabled.## - By default total metrics for the firewall are enabled and can be monitored using AWS CloudWatch or AWS WAF console.# - To disable metrics collection set `disableMetrics` to `true`.## - Type: boolean# - Required: false# - Default: falsedisableMetrics: false# Boolean value that indicates whether requests matching the rule are saved for further analysis.## - By default sampled requests are not saved. If you set `sampledRequestsEnabled` to `true`,# the requests that match the rule are stored.# - You can view the sampled requests through the AWS WAF console.## - Type: boolean# - Required: false# - Default: falsesampledRequestsEnabled: false
rate-based-rule
This example shows how to configure rules using rate-based-rule.
resources:myWebAppFirewall:type: web-app-firewallproperties:# List of rules to be used by the firewall## Rule can be a reference to **managed-rule-group** or user defined **custom-rule-group** or **rate-based-rule**.# - **managed-rule-group**# - references rule group pre-created by AWS or other vendors for specific use cases.# - referenced by `name` and `vendorName`,# - For more information refer to [AWS Docs](https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-list.html)# - **custom-rule-group**# - references custom rule group created by you.# - referenced by rule group's `arn`# - **rate-based-rule**# - tracks the rate of requests for each originating IP address, and triggers the rule action when the rate# exceeds a limit that you specify on the number of requests in any 5-minute time span# - you can use this to put a temporary block on requests from an IP address that is sending excessive requests.# - For more information refer to [AWS Docs](https://docs.aws.amazon.com/waf/latest/APIReference/API_RateBasedStatement.html)## - If you do not specify any rules, the stacktape will use managed rule groups `AWSManagedRulesCommonRuleSet` and `AWSManagedRulesKnownBadInputsRuleSet` to protect your application.## - Type: object# - Required: truerules:## - Type: string# - Required: truetype: rate-based-rule## - Type: object# - Required: trueproperties:# The maximum number of requests from an identical IP allowed in a five-minute period.## Limit must be between 100 and 20,000,000.## - Type: number# - Required: truelimit: 100# Rules are evaluated according to the set integer priority.## Rules with lover priority are evaluated first. The priorities don't need to be consecutive, but they must all be different.## - Type: number# - Required: truepriority: 100## - Type: string# - Required: truename: example-name# The type of aggregation that you want firewall to use for this rule## - `IP` - Aggregate the request counts based on the IP addresses of the requests.# - `FORWARDED_IP` - Aggregate the request counts based on the IP addresses in the specified header# - If you choose this option, you can also specify the `headerName` and `fallbackBehavior` in the `forwardedIPConfig` property.# - If you don't specify these properties the default values are `X-Forwarded-For` and `NO_MATCH` respectively.# For more information about rate-based rules refer to [AWS Docs](https://docs.aws.amazon.com/waf/latest/APIReference/API_RateBasedStatement.html)## - Type: enum: [FORWARDED_IP, IP]# - Required: false# - Allowed values: [FORWARDED_IP, IP]aggregateBasedOn: FORWARDED_IP# The configuration for inspecting IP addresses in an HTTP header that you specify.## `fallbackBehavior` - Specifies what to do when a web request doesn't include the specified header.# - `MATCH` - Treat the web request as matching the statement.# - `NO_MATCH` - Treat the web request as not matching the statement.# `headerName` - The name of the HTTP header to use for the IP address.# For more information about `forwardedIPConfig` refer to [AWS Docs](https://docs.aws.amazon.com/waf/latest/APIReference/API_ForwardedIPConfig.html)## - Type: object# - Required: falseforwardedIPConfig:# You can specify the following fallback behaviors:## - `MATCH` - Treat the web request as matching the rule statement. Firewall applies rule action to the request.# - `NO_MATCH` - Treat the web request as not matching the rule statement.## - Type: enum: [MATCH, NO_MATCH]# - Required: true# - Allowed values: [MATCH, NO_MATCH]fallbackBehavior: MATCH# The name of the HTTP header to use for the IP address.## For example, if you specify `X-Forwarded-For` as the header name, firewall inspects the `X-Forwarded-For` header that's included in the web request.## - Type: string# - Required: trueheaderName: myHeaderName# The action that firewall should take on a web request when it matches the rule's statement. Default is `Block`.## - `Allow` - Allow the web request.# - `Block` - Block the web request.# - `Count` - Count the web request and allow it.# - `Captcha` - Return a CAPTCHA challenge to the client.# - `Challenge` - Return a challenge to the client.## For more information refer to [AWS Docs](https://docs.aws.amazon.com/waf/latest/APIReference/API_RuleAction.html)## - Type: enum: [Allow, Block, Captcha, Challenge, Count]# - Required: false# - Default: 'Block'# - Allowed values: [Allow, Block, Captcha, Challenge, Count]action: 'Block'# Boolean value that indicates whether metrics for the rule are enabled.## - By default total metrics for the firewall are enabled and can be monitored using AWS CloudWatch or AWS WAF console.# - To disable metrics collection set `disableMetrics` to `true`.## - Type: boolean# - Required: false# - Default: falsedisableMetrics: false# Boolean value that indicates whether requests matching the rule are saved for further analysis.## - By default sampled requests are not saved. If you set `sampledRequestsEnabled` to `true`,# the requests that match the rule are stored.# - You can view the sampled requests through the AWS WAF console.## - Type: boolean# - Required: false# - Default: falsesampledRequestsEnabled: false