Channels
#aws
Title
# aws
m
millions-umbrella-34765
04/12/2022, 9:09 PMI'm looking at provisioning a WAF/Web ACL, I'm not clear how you can refer to managed rule groups like "Core rule set" to add to the web acl. Any examples?
v
victorious-church-57397
04/13/2022, 9:18 AMHi Phil, I’ve done this semi recently in my place, let me get you some examples
so i have a file called
wafVariables.ts Copy code
import * as pulumi from '@pulumi/pulumi';
import * as aws from '@pulumi/aws';
/*
Define the rule statements and then attach them to the rule objects below.
Currently we just have a base set of managed rules from AWS.
*/
const commonRulesetStatement: wafv2.WebAclRuleStatement = {
managedRuleGroupStatement: {
vendorName: 'AWS',
name: 'AWSManagedRulesCommonRuleSet',
},
};
const SQLiRulesetStatement: wafv2.WebAclRuleStatement = {
managedRuleGroupStatement: {
vendorName: 'AWS',
name: 'AWSManagedRulesSQLiRuleSet',
},
};
const ipReputationRulesetStatement: wafv2.WebAclRuleStatement = {
managedRuleGroupStatement: {
vendorName: 'AWS',
name: 'AWSManagedRulesAmazonIpReputationList',
},
}; Copy code
/*
Define rules here, this is to make the resource definitions as tidy as possible in waf.ts
*/
export const commonRuleSetRule = {
name: 'common-ruleset-rule',
priority: 1,
statement: commonRulesetStatement,
overrideAction: {
none: {},
},
visibilityConfig: {
sampledRequestsEnabled: true,
cloudwatchMetricsEnabled: true,
metricName: 'AWS-AWSManagedRulesCommonRuleSet',
},
};waf.ts Copy code
import * as aws from '@pulumi/aws';
import {
commonRuleSetRule,
} from './wafVariables';
export const regionalWebAcl = new aws.wafv2.WebAcl('regional-web-acl', {
defaultAction: {
allow: {},
},
description: 'A web acl containing a base set of rules',
scope: 'REGIONAL',
rules: [
commonRuleSetRule,
],
visibilityConfig: {
cloudwatchMetricsEnabled: true,
metricName: 'regional-web-acl',
sampledRequestsEnabled: true,
},
tags: {
...tags,
Name: 'regional-web-acl',
},
});if you want to see if the rules would be triggered without actioning the request, set the
overrideActioncount Copy code
export const commonRuleSetRule = {
name: 'common-ruleset-rule',
priority: 5,
statement: commonRulesetStatement,
overrideAction: {
count: {},
},
visibilityConfig: {
sampledRequestsEnabled: true,
cloudwatchMetricsEnabled: true,
metricName: 'AWS-AWSManagedRulesCommonRuleSet',
},
};and if you need to exclude any rules from the rulegroups, you can do so like this:
Copy code
const botRulesetStatement: pulumi.Input<aws.types.input.wafv2.WebAclRuleStatement> = {
managedRuleGroupStatement: {
vendorName: 'AWS',
name: 'AWSManagedRulesBotControlRuleSet',
excludedRules: [
{
name: 'SignalNonBrowserUserAgent',
},
{
name: 'CategoryHttpLibrary',
},
{
name: 'SignalAutomatedBrowser',
},
],
},
};hope this helps! drop me a message if you need anything else
m
millions-umbrella-34765
04/13/2022, 3:44 PM@victorious-church-57397 Thanks! This is very helpful. My first question is where are the different rule sets defined/documented?
Copy code
managedRuleGroupStatement: {
vendorName: 'AWS',
name: 'AWSManagedRulesCommonRuleSet',
},AWSManagedRulesCommonRuleSetv
victorious-church-57397
04/13/2022, 3:45 PMhey @millions-umbrella-34765, I just found them on the AWS docs https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-list.html
for example, the core ruleset, the name/vendor is at the top of this page https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-baseline.html#aws-managed-rule-groups-baseline-crs
m
millions-umbrella-34765
04/13/2022, 3:49 PMAh, I see.
v
victorious-church-57397
04/13/2022, 3:52 PMyeah, thats the one 🙂
be mindful of the WCU count of the rule sets, as there is a maximum of 1500 WCU per webacl
9 Views