CloudWiki
Resource

WAF

Amazon Web Services
Security
Web Application Firewall (WAF) is a firewall that protects vulnerabilities in web applications from attacks via rules that allow, block, or monitor (count) web requests based on conditions that you define.
Terraform Name
terraform
aws_wafv2_web_acl
Config.
Costs
Best Practices
Blogs
WAF
attributes:
  • custom_response_body - (Optional) Defines custom response bodies that can be referenced by custom_response actions. See Custom Response Body below for details.
  • default_action - (Required) Action to perform if none of the rules contained in the WebACL match. See Default Action below for details.
  • description - (Optional) Friendly description of the WebACL.
  • name - (Required) Friendly name of the WebACL.
  • rule - (Optional) Rule blocks used to identify the web requests that you want to allow, block, or count. See Rules below for details.
  • scope - (Required) Specifies whether this is for an AWS CloudFront distribution or for a regional application. Valid values are CLOUDFRONT or REGIONAL. To work with CloudFront, you must also specify the region us-east-1 (N. Virginia) on the AWS provider.
  • tags - (Optional) Map of key-value pairs to associate with the resource. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.
  • visibility_config - (Required) Defines and enables Amazon CloudWatch metrics and web request sample collection. See Visibility Configuration below for details.

Custom Response Body

Each custom_response_body block supports the following arguments:

  • key - (Required) Unique key identifying the custom response body. This is referenced by the custom_response_body_key argument in the Custom Response block.
  • content - (Required) Payload of the custom response.
  • content_type - (Required) Type of content in the payload that you are defining in the content argument. Valid values are TEXT_PLAIN, TEXT_HTML, or APPLICATION_JSON.

Default Action

The default_action block supports the following arguments:

NOTE:

One of allow or block, expressed as an empty configuration block {}, is required when specifying a default_action

  • allow - (Optional) Specifies that AWS WAF should allow requests by default. See Allow below for details.
  • block - (Optional) Specifies that AWS WAF should block requests by default. See Block below for details.

Rules

NOTE:

One of action or override_action is required when specifying a rule

Each rule supports the following arguments:

  • action - (Optional) Action that AWS WAF should take on a web request when it matches the rule's statement. This is used only for rules whose statements do not reference a rule group. See Action below for details.
  • name - (Required) Friendly name of the rule.
  • override_action - (Optional) Override action to apply to the rules in a rule group. Used only for rule statements that reference a rule group, like rule_group_reference_statement and managed_rule_group_statement. See Override Action below for details.
  • priority - (Required) If you define more than one Rule in a WebACL, AWS WAF evaluates each request against the rules in order based on the value of priority. AWS WAF processes rules with lower priority first.
  • rule_label - (Optional) Labels to apply to web requests that match the rule match statement. See Rule Label below for details.
  • statement - (Required) The AWS WAF processing statement for the rule, for example byte_match_statement or geo_match_statement. See Statement below for details.
  • visibility_config - (Required) Defines and enables Amazon CloudWatch metrics and web request sample collection. See Visibility Configuration below for details.

Action

The action block supports the following arguments:

NOTE:

One of allow, block, or count, is required when specifying an action.

  • allow - (Optional) Instructs AWS WAF to allow the web request. See Allow below for details.
  • block - (Optional) Instructs AWS WAF to block the web request. See Block below for details.
  • captcha - (Optional) Instructs AWS WAF to run a Captcha check against the web request. See Captcha below for details.
  • count - (Optional) Instructs AWS WAF to count the web request and allow it. See Count below for details.

Override Action

The override_action block supports the following arguments:

NOTE:

One of count or none, expressed as an empty configuration block {}, is required when specifying an override_action

  • count - (Optional) Override the rule action setting to count (i.e., only count matches). Configured as an empty block {}.
  • none - (Optional) Don't override the rule action setting. Configured as an empty block {}.

Allow

The allow block supports the following arguments:

  • custom_request_handling - (Optional) Defines custom handling for the web request. See Custom Request Handling below for details.

Block

The block block supports the following arguments:

  • custom_response - (Optional) Defines a custom response for the web request. See Custom Response below for details.

Captcha

The captcha block supports the following arguments:

  • custom_request_handling - (Optional) Defines custom handling for the web request. See Custom Request Handling below for details.

Count

The count block supports the following arguments:

  • custom_request_handling - (Optional) Defines custom handling for the web request. See Custom Request Handling below for details.

Custom Request Handling

The custom_request_handling block supports the following arguments:

  • insert_header - (Required) The insert_header blocks used to define HTTP headers added to the request. See Custom HTTP Header below for details.

Custom Response

The custom_response block supports the following arguments:

  • custom_response_body_key - (Optional) References the response body that you want AWS WAF to return to the web request client. This must reference a key defined in a custom_response_body block of this resource.
  • response_code - (Required) The HTTP status code to return to the client.
  • response_header - (Optional) The response_header blocks used to define the HTTP response headers added to the response. See Custom HTTP Header below for details.

Custom HTTP Header

Each block supports the following arguments. Duplicate header names are not allowed:

  • name - Name of the custom header. For custom request header insertion, when AWS WAF inserts the header into the request, it prefixes this name x-amzn-waf-, to avoid confusion with the headers that are already in the request. For example, for the header name sample, AWS WAF inserts the header x-amzn-waf-sample.
  • value - Value of the custom header.

Rule Label

Each block supports the following arguments:

  • name - Label string.

Statement

The processing guidance for a Rule, used by AWS WAF to determine whether a web request matches the rule. See the documentation for more information.

NOTE:

Although the statement block is recursive, currently only 3 levels are supported.

The statement block supports the following arguments:

  • and_statement - (Optional) Logical rule statement used to combine other rule statements with AND logic. See AND Statement below for details.
  • byte_match_statement - (Optional) Rule statement that defines a string match search for AWS WAF to apply to web requests. See Byte Match Statement below for details.
  • geo_match_statement - (Optional) Rule statement used to identify web requests based on country of origin. See GEO Match Statement below for details.
  • ip_set_reference_statement - (Optional) Rule statement used to detect web requests coming from particular IP addresses or address ranges. See IP Set Reference Statement below for details.
  • label_match_statement - (Optional) Rule statement that defines a string match search against labels that have been added to the web request by rules that have already run in the web ACL. See Label Match Statement below for details.
  • managed_rule_group_statement - (Optional) Rule statement used to run the rules that are defined in a managed rule group. This statement can not be nested. See Managed Rule Group Statement below for details.
  • not_statement - (Optional) Logical rule statement used to negate the results of another rule statement. See NOT Statement below for details.
  • or_statement - (Optional) Logical rule statement used to combine other rule statements with OR logic. See OR Statement below for details.
  • rate_based_statement - (Optional) Rate-based rule tracks the rate of requests for each originating IP address, and triggers the rule action when the rate exceeds a limit that you specify on the number of requests in any 5-minute time span. This statement can not be nested. See Rate Based Statement below for details.
  • regex_match_statement - (Optional) Rule statement used to search web request components for a match against a single regular expression. See Regex Match Statement below for details.
  • regex_pattern_set_reference_statement - (Optional) Rule statement used to search web request components for matches with regular expressions. See Regex Pattern Set Reference Statement below for details.
  • rule_group_reference_statement - (Optional) Rule statement used to run the rules that are defined in an WAFv2 Rule Group. See Rule Group Reference Statement below for details.
  • size_constraint_statement - (Optional) Rule statement that compares a number of bytes against the size of a request component, using a comparison operator, such as greater than (>) or less than (<). See Size Constraint Statement below for more details.
  • sqli_match_statement - (Optional) An SQL injection match condition identifies the part of web requests, such as the URI or the query string, that you want AWS WAF to inspect. See SQL Injection Match Statement below for details.
  • xss_match_statement - (Optional) Rule statement that defines a cross-site scripting (XSS) match search for AWS WAF to apply to web requests. See XSS Match Statement below for details.

AND Statement

A logical rule statement used to combine other rule statements with AND logic. You provide more than one statement within the and_statement.

The and_statement block supports the following arguments:

  • statement - (Required) Statements to combine with AND logic. You can use any statements that can be nested. See Statement above for details.

Byte Match Statement

The byte match statement provides the bytes to search for, the location in requests that you want AWS WAF to search, and other settings. The bytes to search for are typically a string that corresponds with ASCII characters.

The byte_match_statement block supports the following arguments:

  • field_to_match - (Optional) Part of a web request that you want AWS WAF to inspect. See Field to Match below for details.
  • positional_constraint - (Required) Area within the portion of a web request that you want AWS WAF to search for search_string. Valid values include the following: EXACTLY, STARTS_WITH, ENDS_WITH, CONTAINS, CONTAINS_WORD. See the AWS documentation for more information.
  • search_string - (Required) String value that you want AWS WAF to search for. AWS WAF searches only in the part of web requests that you designate for inspection in field_to_match. The maximum length of the value is 50 bytes.
  • text_transformation - (Required) Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. At least one required. See Text Transformation below for details.

GEO Match Statement

The geo_match_statement block supports the following arguments:

  • country_codes - (Required) Array of two-character country codes, for example, [ "US", "CN" ], from the alpha-2 country ISO codes of the ISO 3166 international standard. See the documentation for valid values.
  • forwarded_ip_config - (Optional) Configuration for inspecting IP addresses in an HTTP header that you specify, instead of using the IP address that's reported by the web request origin. See Forwarded IP Config below for details.

IP Set Reference Statement

A rule statement used to detect web requests coming from particular IP addresses or address ranges. To use this, create an aws_wafv2_ip_set that specifies the addresses you want to detect, then use the ARN of that set in this statement.

The ip_set_reference_statement block supports the following arguments:

  • arn - (Required) The Amazon Resource Name (ARN) of the IP Set that this statement references.
  • ip_set_forwarded_ip_config - (Optional) Configuration for inspecting IP addresses in an HTTP header that you specify, instead of using the IP address that's reported by the web request origin. See IPSet Forwarded IP Config below for more details.

Label Match Statement

The label_match_statement block supports the following arguments:

  • scope - (Required) Specify whether you want to match using the label name or just the namespace. Valid values are LABEL or NAMESPACE.
  • key - (Required) String to match against.

Managed Rule Group Statement

A rule statement used to run the rules that are defined in a managed rule group.

You can't nest a managed_rule_group_statement, for example for use inside a not_statement or or_statement. It can only be referenced as a top-level statement within a rule.

The managed_rule_group_statement block supports the following arguments:

  • excluded_rule - (Optional) The rules whose actions are set to COUNT by the web ACL, regardless of the action that is set on the rule. See Excluded Rule below for details.
  • name - (Required) Name of the managed rule group.
  • scope_down_statement - Narrows the scope of the statement to matching web requests. This can be any nestable statement, and you can nest statements at any level below this scope-down statement. See Statement above for details.
  • vendor_name - (Required) Name of the managed rule group vendor.
  • version - (Optional) Version of the managed rule group. You can set Version_1.0 or Version_1.1 etc. If you want to use the default version, do not set anything.

NOT Statement

A logical rule statement used to negate the results of another rule statement. You provide one statement within the not_statement.

The not_statement block supports the following arguments:

  • statement - (Required) Statement to negate. You can use any statement that can be nested. See Statement above for details.

OR Statement

A logical rule statement used to combine other rule statements with OR logic. You provide more than one statement within the or_statement.

The or_statement block supports the following arguments:

  • statement - (Required) Statements to combine with OR logic. You can use any statements that can be nested. See Statement above for details.

Rate Based Statement

A rate-based rule tracks the rate of requests for each originating IP address, and triggers the rule action when the rate exceeds a limit that you specify on the number of requests in any 5-minute time span. You can use this to put a temporary block on requests from an IP address that is sending excessive requests. See the documentation for more information.

You can't nest a rate_based_statement, for example for use inside a not_statement or or_statement. It can only be referenced as a top-level statement within a rule.

The rate_based_statement block supports the following arguments:

  • aggregate_key_type - (Optional) Setting that indicates how to aggregate the request counts. Valid values include: FORWARDED_IP or IP. Default: IP.
  • forwarded_ip_config - (Optional) Configuration for inspecting IP addresses in an HTTP header that you specify, instead of using the IP address that's reported by the web request origin. If aggregate_key_type is set to FORWARDED_IP, this block is required. See Forwarded IP Config below for details.
  • limit - (Required) Limit on requests per 5-minute period for a single originating IP address.
  • scope_down_statement - (Optional) Optional nested statement that narrows the scope of the rate-based statement to matching web requests. This can be any nestable statement, and you can nest statements at any level below this scope-down statement. See Statement above for details.

Regex Match Statement

A rule statement used to search web request components for a match against a single regular expression.

The regex_match_statement block supports the following arguments:

  • regex_string - (Required) String representing the regular expression. Minimum of 1 and maximum of 512 characters.
  • field_to_match - (Required) The part of a web request that you want AWS WAF to inspect. See Field to Match below for details.
  • text_transformation - (Required) Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. At least one required. See Text Transformation below for details.

Regex Pattern Set Reference Statement

A rule statement used to search web request components for matches with regular expressions. To use this, create a aws_wafv2_regex_pattern_set that specifies the expressions that you want to detect, then use the ARN of that set in this statement. A web request matches the pattern set rule statement if the request component matches any of the patterns in the set.

The regex_pattern_set_reference_statement block supports the following arguments:

  • arn - (Required) The Amazon Resource Name (ARN) of the Regex Pattern Set that this statement references.
  • field_to_match - (Optional) Part of a web request that you want AWS WAF to inspect. See Field to Match below for details.
  • text_transformation - (Required) Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. At least one required. See Text Transformation below for details.

Rule Group Reference Statement

A rule statement used to run the rules that are defined in an WAFv2 Rule Group or aws_wafv2_rule_group resource.

You can't nest a rule_group_reference_statement, for example for use inside a not_statement or or_statement. It can only be referenced as a top-level statement within a rule.

The rule_group_reference_statement block supports the following arguments:

  • arn - (Required) The Amazon Resource Name (ARN) of the aws_wafv2_rule_group resource.
  • excluded_rule - (Optional) The rules whose actions are set to COUNT by the web ACL, regardless of the action that is set on the rule. See Excluded Rule below for details.

Size Constraint Statement

A rule statement that uses a comparison operator to compare a number of bytes against the size of a request component. AWS WAFv2 inspects up to the first 8192 bytes (8 KB) of a request body, and when inspecting the request URI Path, the slash / in the URI counts as one character.

The size_constraint_statement block supports the following arguments:

  • comparison_operator - (Required) Operator to use to compare the request part to the size setting. Valid values include: EQ, NE, LE, LT, GE, or GT.
  • field_to_match - (Optional) Part of a web request that you want AWS WAF to inspect. See Field to Match below for details.
  • size - (Required) Size, in bytes, to compare to the request part, after any transformations. Valid values are integers between 0 and 21474836480, inclusive.
  • text_transformation - (Required) Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. At least one required. See Text Transformation below for details.

SQL Injection Match Statement

An SQL injection match condition identifies the part of web requests, such as the URI or the query string, that you want AWS WAF to inspect. Later in the process, when you create a web ACL, you specify whether to allow or block requests that appear to contain malicious SQL code.

The sqli_match_statement block supports the following arguments:

  • field_to_match - (Optional) Part of a web request that you want AWS WAF to inspect. See Field to Match below for details.
  • text_transformation - (Required) Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. At least one required. See Text Transformation below for details.

XSS Match Statement

The XSS match statement provides the location in requests that you want AWS WAF to search and text transformations to use on the search area before AWS WAF searches for character sequences that are likely to be malicious strings.

The xss_match_statement block supports the following arguments:

  • field_to_match - (Optional) Part of a web request that you want AWS WAF to inspect. See Field to Match below for details.
  • text_transformation - (Required) Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. At least one required. See Text Transformation below for details.

Excluded Rule

The excluded_rule block supports the following arguments:

  • name - (Required) Name of the rule to exclude. If the rule group is managed by AWS, see the documentation for a list of names in the appropriate rule group in use.

Field to Match

The part of a web request that you want AWS WAF to inspect. Include the single field_to_match type that you want to inspect, with additional specifications as needed, according to the type. You specify a single request component in field_to_match for each rule statement that requires it. To inspect more than one component of a web request, create a separate rule statement for each component. See the documentation for more details.

The field_to_match block supports the following arguments:

NOTE:

Only one of all_query_arguments, body, cookies, headers, json_body, method, query_string, single_header, single_query_argument, or uri_path can be specified. An empty configuration block {} should be used when specifying all_query_arguments, body, method, or query_string attributes.

  • all_query_arguments - (Optional) Inspect all query arguments.
  • body - (Optional) Inspect the request body, which immediately follows the request headers.
  • cookies - (Optional) Inspect the cookies in the web request. See Cookies below for details.
  • headers - (Optional) Inspect the request headers. See Headers below for details.
  • json_body - (Optional) Inspect the request body as JSON. See JSON Body for details.
  • method - (Optional) Inspect the HTTP method. The method indicates the type of operation that the request is asking the origin to perform.
  • query_string - (Optional) Inspect the query string. This is the part of a URL that appears after a ? character, if any.
  • single_header - (Optional) Inspect a single header. See Single Header below for details.
  • single_query_argument - (Optional) Inspect a single query argument. See Single Query Argument below for details.
  • uri_path - (Optional) Inspect the request URI path. This is the part of a web request that identifies a resource, for example, /images/daily-ad.jpg.

Forwarded IP Config

The configuration for inspecting IP addresses in an HTTP header that you specify, instead of using the IP address that's reported by the web request origin. Commonly, this is the X-Forwarded-For (XFF) header, but you can specify any header name. If the specified header isn't present in the request, AWS WAFv2 doesn't apply the rule to the web request at all. AWS WAFv2 only evaluates the first IP address found in the specified HTTP header.

The forwarded_ip_config block supports the following arguments:

  • fallback_behavior - (Required) - Match status to assign to the web request if the request doesn't have a valid IP address in the specified position. Valid values include: MATCH or NO_MATCH.
  • header_name - (Required) - Name of the HTTP header to use for the IP address.

IPSet Forwarded IP Config

The configuration for inspecting IP addresses in an HTTP header that you specify, instead of using the IP address that's reported by the web request origin. Commonly, this is the X-Forwarded-For (XFF) header, but you can specify any header name.

The ip_set_forwarded_ip_config block supports the following arguments:

  • fallback_behavior - (Required) - Match status to assign to the web request if the request doesn't have a valid IP address in the specified position. Valid values include: MATCH or NO_MATCH.
  • header_name - (Required) - Name of the HTTP header to use for the IP address.
  • position - (Required) - Position in the header to search for the IP address. Valid values include: FIRST, LAST, or ANY. If ANY is specified and the header contains more than 10 IP addresses, AWS WAFv2 inspects the last 10.

Headers

Inspect the request headers.

The headers block supports the following arguments:

  • match_pattern - (Required) The filter to use to identify the subset of headers to inspect in a web request. The match_pattern block supports only one of the following arguments:
  • all - An empty configuration block that is used for inspecting all headers.
  • included_headers - An array of strings that will be used for inspecting headers that have a key that matches one of the provided values.
  • excluded_headers - An array of strings that will be used for inspecting headers that do not have a key that matches one of the provided values.
  • match_scope - (Required) The parts of the headers to inspect with the rule inspection criteria. If you specify All, AWS WAF inspects both keys and values. Valid values include the following: ALL, Key, Value.
  • oversize_handling - (Required) Oversize handling tells AWS WAF what to do with a web request when the request component that the rule inspects is over the limits. Valid values include the following: CONTINUE, MATCH, NO_MATCH. See the AWS documentation for more information.

JSON Body

The json_body block supports the following arguments:

  • invalid_fallback_behavior - (Optional) What to do when JSON parsing fails. Defaults to evaluating up to the first parsing failure. Valid values are EVALUATE_AS_STRING, MATCH and NO_MATCH.
  • match_pattern - (Required) The patterns to look for in the JSON body. You must specify exactly one setting: either all or included_paths. See JsonMatchPattern for details.
  • match_scope - (Required) The parts of the JSON to match against using the match_pattern. Valid values are ALL, KEY and VALUE.
  • oversize_handling - (Optional) What to do if the body is larger than can be inspected. Valid values are CONTINUE (default), MATCH and NO_MATCH.

Single Header

Inspect a single header. Provide the name of the header to inspect, for example, User-Agent or Referer (provided as lowercase strings).

The single_header block supports the following arguments:

  • name - (Optional) Name of the query header to inspect. This setting must be provided as lower case characters.

Single Query Argument

Inspect a single query argument. Provide the name of the query argument to inspect, such as UserName or SalesRegion (provided as lowercase strings).

The single_query_argument block supports the following arguments:

  • name - (Optional) Name of the query header to inspect. This setting must be provided as lower case characters.

Cookies

Inspect the cookies in the web request. You can specify the parts of the cookies to inspect and you can narrow the set of cookies to inspect by including or excluding specific keys. This is used to indicate the web request component to inspect, in the FieldToMatch specification.

The cookies block supports the following arguments:

  • match_pattern - (Required) The filter to use to identify the subset of cookies to inspect in a web request. You must specify exactly one setting: either all, included_cookies or excluded_cookies. More details: CookieMatchPattern
  • match_scope - (Required) The parts of the cookies to inspect with the rule inspection criteria. If you specify All, AWS WAF inspects both keys and values. Valid values: ALL, KEY, VALUE
  • oversize_handling - (Required) What AWS WAF should do if the cookies of the request are larger than AWS WAF can inspect. AWS WAF does not support inspecting the entire contents of request cookies when they exceed 8 KB (8192 bytes) or 200 total cookies. The underlying host service forwards a maximum of 200 cookies and at most 8 KB of cookie contents to AWS WAF. Valid values: CONTINUE, MATCH, NO_MATCH

Text Transformation

The text_transformation block supports the following arguments:

  • priority - (Required) Relative processing order for multiple transformations that are defined for a rule statement. AWS WAF processes all transformations, from lowest priority to highest, before inspecting the transformed content.
  • type - (Required) Transformation to apply, please refer to the Text Transformation documentation for more details.

Visibility Configuration

The visibility_config block supports the following arguments:

  • cloudwatch_metrics_enabled - (Required) Whether the associated resource sends metrics to CloudWatch. For the list of available metrics, see AWS WAF Metrics.
  • metric_name - (Required) A friendly name of the CloudWatch metric. The name can contain only alphanumeric characters (A-Z, a-z, 0-9) hyphen(-) and underscore (_), with length from one to 128 characters. It can't contain whitespace or metric names reserved for AWS WAF, for example All and Default_Action.
  • sampled_requests_enabled - (Required) Whether AWS WAF should store a sampling of the web requests that match the rules. You can view the sampled requests through the AWS WAF console.

Associating resources with a
WAF
Resources do not "belong" to a
WAF
Rather, one or more Security Groups are associated to a resource.
Create
WAF
via Terraform:
The following HCL creates a WAF Web ACL that blocks requests coming from 192.0.7.0/24 and allows everything else
Syntax:

resource "aws_wafv2_web_acl" "example" {
 name        = "managed-rule-example"
 description = "Example of a managed rule."
 scope       = "REGIONAL"

 default_action {
   allow {}
 }

 rule {
   name     = "rule-1"
   priority = 1

   override_action {
     count {}
   }

   statement {
     managed_rule_group_statement {
       name        = "AWSManagedRulesCommonRuleSet"
       vendor_name = "AWS"

       excluded_rule {
         name = "SizeRestrictions_QUERYSTRING"
       }

       excluded_rule {
         name = "NoUserAgent_HEADER"
       }

       scope_down_statement {
         geo_match_statement {
           country_codes = ["US", "NL"]
         }
       }
     }
   }

   visibility_config {
     cloudwatch_metrics_enabled = false
     metric_name                = "friendly-rule-metric-name"
     sampled_requests_enabled   = false
   }
 }

 tags = {
   Tag1 = "Value1"
   Tag2 = "Value2"
 }

 visibility_config {
   cloudwatch_metrics_enabled = false
   metric_name                = "friendly-metric-name"
   sampled_requests_enabled   = false
 }
}

Create
WAF
via CLI:
Parametres:

create-web-acl
--name <value>
--scope <value>
--default-action <value>
[--description <value>]
[--rules <value>]
--visibility-config <value>
[--tags <value>]
[--custom-response-bodies <value>]
[--captcha-config <value>]
[--challenge-config <value>]
[--token-domains <value>]
[--cli-input-json | --cli-input-yaml]
[--generate-cli-skeleton <value>]
[--debug]
[--endpoint-url <value>]
[--no-verify-ssl]
[--no-paginate]
[--output <value>]
[--query <value>]
[--profile <value>]
[--region <value>]
[--version <value>]
[--color <value>]
[--no-sign-request]
[--ca-bundle <value>]
[--cli-read-timeout <value>]
[--cli-connect-timeout <value>]
[--cli-binary-format <value>]
[--no-cli-pager]
[--cli-auto-prompt]
[--no-cli-auto-prompt]

Example:

aws wafv2 create-web-acl \
   --name TestWebAcl \
   --scope REGIONAL \
   --default-action Allow={} \
   --visibility-config SampledRequestsEnabled=true,CloudWatchMetricsEnabled=true,MetricName=TestWebAclMetrics \
   --rules file://waf-rule.json \
   --region us-west-2

aws cost
Costs
The cost of using Web Application Firewall (WAF) is based on the number of rules, web requests, managed rules, and web ACLs. AWS WAF charges for each rule and web request, as well as for managed rules from AWS Marketplace.
Direct Cost

<Region>-WebACLV2

<Region>-RuleV2

<Region>-RequestV2-Tier1

Indirect Cost
No items found.
Best Practices for
WAF

Categorized by Availability, Security & Compliance and Cost

Medium
AMI (Amazon Machine Images) not in use
AWS Cost Optimization
APRA
AWS Well-Architected Framework
MAS
Medium
AMI (Amazon Machine Images) not in use (12 months)
AWS Cost Optimization
APRA
AWS Well-Architected Framework
MAS
High
AWS Config configuration changes alarm
Security & Compliance
APRA
MAS
NIST4
AWS Well-Architected Framework
Low
Access allowed from VPN
Security & Compliance
No items found.
Low
Auto Scaling Group not in use
Other
No items found.
Low
CloudTrail changes alarm
Security & Compliance
CIS
CISAWSF
APRA
MAS
NIST4
Medium
Connections towards DynamoDB should be via VPC endpoints
Security & Compliance
No items found.
Medium
Connections towards S3 should be via VPC endpoint
Security & Compliance
CCPA
Medium
Container in CrashLoopBackOff state
Availability
No items found.
Low
Cross peering connectivity is allowed by EC2
Security & Compliance
CISAWSF
Low
Cross peering connectivity is allowed by ECS Task
Security & Compliance
CISAWSF
Low
Cross peering connectivity is allowed by Lambda
Security & Compliance
CISAWSF
Low
Cross peering connectivity is allowed by Pod
Security & Compliance
CISAWSF
Low
Cross transit connectivity is allowed by EC2
Security & Compliance
CISAWSF
Low
Cross transit connectivity is allowed by ECS
Security & Compliance
CISAWSF
Low
Cross transit connectivity is allowed by Lambda
Security & Compliance
CISAWSF
Low
Cross transit connectivity is allowed by Pod
Security & Compliance
CISAWSF
Medium
DynamoDB tables not in use
AWS Cost Optimization
AWS Well-Architected Framework
CIS 8
HITRUST
GDPR
Medium
EBS snapshots not in use
AWS Cost Optimization
AWS Well-Architected Framework
Medium
EBS volume not in use
AWS Cost Optimization
MAS
NIST4
AWS Well-Architected Framework
Low
EC2 large instance create alarm
Security & Compliance
PCI-DSS
APRA
MAS
NIST4
AWS Well-Architected Framework
Medium
EC2 should have a name set
Other
APRA
MAS
Critical
EC2 with Admin access (*:*)
Security & Compliance
CIS
GDPR
HITRUST
NIST 800-53
ISO 27701
Low
EC2 with GPU capabilities
AWS Cost Optimization
No items found.
Medium
EC2 with high privileged policies
Security & Compliance
No items found.
Medium
ECS cluster delete alarm
Availability
No items found.
Critical
ECS task with Admin access (*:*)
Security & Compliance
CIS
Medium
ECS task with high privileged policies
Security & Compliance
No items found.
Critical
EKS cluster delete alarm
Availability
No items found.
Medium
ELB not in use
AWS Cost Optimization
AWS Well-Architected Framework
Medium
ElastiCache cluster delete alarm
Availability
No items found.
Medium
Elastic IP not in use
AWS Cost Optimization
AWS Well-Architected Framework
CISAWSF
PCI-DSS
MAS
NIST4
Low
Ensure API Gateway has Content Encoding feature enabled
Other
MAS
NIST 800-53
NIST4
Medium
Ensure AWS Config is configured to include global resources
Security & Compliance
APRA
GDPR
MAS
NIST4
AWS Well-Architected Framework
Medium
Ensure AWS EKS cluster has secrets encryption enabled
Security & Compliance
CIS
CISAWSF
CIS EKS
HITRUST
NIST 800-53
Medium
Ensure Amazon MQ broker instances are using desired instance types
Security & Compliance
AWS Well-Architected Framework
Medium
Ensure Amazon MQ brokers Auto Minor Version Upgrade feature is enabled
Security & Compliance
APRA
CCPA
HITRUST
ISO 27001
MAS
Low
Ensure Amazon MQ brokers Log Exports feature is enabled
Security & Compliance
APRA
CSA CCM
GDPR
HITRUST
ISO 27001
Medium
Ensure Amazon MQ brokers are not publicly accessible
Security & Compliance
APRA
CCPA
CIS 8
GDPR
HIPAA
Critical
Ensure Amazon MQ brokers are not publicly accessible
Security & Compliance
APRA
CCPA
CIS 8
GDPR
HIPAA
Low
Ensure Amazon MQ brokers are using the active/standby deployment mode
Availability
CCPA
ISO 27001
NIST4
NIST 800-53
AWS Well-Architected Framework
Low
Ensure Amazon MQ brokers are using the latest engine version
Security & Compliance
APRA
HITRUST
MAS
PCI-DSS
Medium
Ensure Amazon SageMaker Notebook Instance is in VPC
Security & Compliance
APRA
AWS Well-Architected Framework
MAS
PCI-DSS
Medium
Ensure Application Load Balancer (ALB) has access logging enabled
Security & Compliance
No items found.
Medium
Ensure Application Load Balancers (ALB) are configured to drop HTTP headers
Security & Compliance
NIST 800-53
CSA CCM
AWS Foundational Security Best Practices Controls
Low
Ensure Auto-Tune feature is enabled in OpenSearch clusters
Other
No items found.
Medium
Ensure CloudFormation stacks Termination Protection feature is enabled
Security & Compliance
APRA
MAS
AWS Well-Architected Framework
Medium
Ensure CloudFormation stacks are sending event notifications to an SNS topic
Security & Compliance
APRA
MAS
NIST4
AWS Well-Architected Framework
Medium
Ensure CloudFront distribution enforce HTTPS protocol for data in-transit
Security & Compliance
AWS Well-Architected Framework
HIPAA
NIST4
PCI-DSS
CIS 8
Medium
Ensure CloudFront distributions use a security policy with minimum TLSv1.1 or TLSv1.2
Security & Compliance
PCI-DSS
HIPAA
Medium
Ensure CloudFront has WAF attached
Security & Compliance
NIST 800-53
AWS Foundational Security Best Practices Controls
Medium
Ensure CloudFront web distributions are configured to compress objects (files) automatically
AWS Cost Optimization
GDPR
NIST4
Medium
Ensure CloudFront web distributions enforce field-level encryption
Security & Compliance
APRA
AWS Well-Architected Framework
GDPR
HIPAA
NIST4
Medium
Ensure CloudTrail Log File Integrity Validation is enabled
Security & Compliance
CISAWSF
PCI-DSS
HIPAA
GDPR
APRA
High
Ensure CloudTrail buckets are configured to use MFA
Security & Compliance
APRA
MAS
NIST4
GDPR
HIPAA
Medium
Ensure CloudTrail logs are encrypted at rest
Security & Compliance
CISAWSF
SOC2
PCI-DSS
GDPR
HIPAA
High
Ensure CloudTrail trails have multi-region enabled
Security & Compliance
APRA
MAS
CISAWSF
PCI-DSS
HIPAA
High
Ensure CloudTrail trails record global service events
Security & Compliance
APRA
PCI-DSS
GDPR
NIST4
MAS
Medium
Ensure CloudWatch Logs service is configured to monitor CloudTrail trail logs
Security & Compliance
CISAWSF
PCI-DSS
GDPR
APRA
MAS
Medium
Ensure Container liveness probe is configured
Availability
No items found.
Low
Ensure Container readiness probe is configured
Availability
No items found.
Critical
Ensure DMS instances are not accessible via Internet (Network and API)
Security & Compliance
CIS
SOC2
PCI-DSS
FedRAMP
AWS Well-Architected Framework
High
Ensure Database Migration Service (DMS) are not publicly accessible
Security & Compliance
APRA
GDPR
HIPAA
NIST4
PCI-DSS
Medium
Ensure Database Migration Service (DMS) replication instances are using Multi-AZ deployment configurations
Availability
NIST4
Medium
Ensure Database Migration Service (DMS) replication instances have Auto Minor Version Upgrade feature enabled
Security & Compliance
APRA
MAS
NIST4
Low
Ensure DocumentDB clusters have Log Exports feature enabled
Security & Compliance
APRA
Medium
Ensure DocumentDB database clusters have a minimum backup retention period
Other
NIST4
AWS Well-Architected Framework
Critical
Ensure DocumentDB database instances are not accessible via Internet (Network and API)
Security & Compliance
CIS
SOC2
PCI-DSS
Critical
Ensure DocumentDB database instances have storage encryption enabled
Security & Compliance
GDPR
NIST4
NIST 800-53
HIPAA
MAS
High
Ensure DocumentDB volumes are of type gp3 (General Purpose SSD) instead of gp2
AWS Cost Optimization
AWS Well-Architected Framework
Low
Ensure DynamoDB Tables are encrypted with customer managed key
Security & Compliance
APRA
AWS Well-Architected Framework
GDPR
NIST4
HITRUST
Medium
Ensure DynamoDB tables have point in time recovery enabled
Availability
SOC2
GDPR
HITRUST
NIST 800-53
NIST4
Medium
Ensure EBS snapshots are encrypted
Security & Compliance
PCI-DSS
GDPR
HIPAA
NIST4
HITRUST
Critical
Ensure EBS snapshots are not publicly accessible
Security & Compliance
GDPR
NIST4
PCI-DSS
AWS Well-Architected Framework
HITRUST
Medium
Ensure EBS volumes are encrypted
Security & Compliance
APRA
MAS
NIST4
CIS
ISO 27001
Medium
Ensure EBS volumes are of type gp3 (General Purpose SSD) instead of gp2
AWS Cost Optimization
AWS Well-Architected Framework
Medium
Ensure EBS volumes are of type gp3 (General Purpose SSD) instead of io1
AWS Cost Optimization
AWS Well-Architected Framework
Critical
Ensure EC2 AMIs are not publicly accessible
Security & Compliance
GDPR
APRA
MAS
NIST4
CIS 8
Medium
Ensure EC2 instance uses an IAM profile
Security & Compliance
APRA
CISAWSF
MAS
NIST4
Medium
Ensure EC2 instances use Instance Metadata Service Version 2 (IMDSv2)
Security & Compliance
AWS Foundational Security Best Practices Controls
NIST 800-53
HITRUST
Medium
Ensure ECS task definition has memory limit
Availability
No items found.
High
Ensure EFS file systems are encrypted
APRA
MAS
NIST4
GDPR
HIPAA
High
Ensure EFS file systems are encrypted using KMS CMK customer-managed keys
APRA
MAS
NIST4
GDPR
AWS Well-Architected Framework
Low
Ensure EKS Private access is enabled
Security & Compliance
APRA
CIS
CISAWSF
CIS EKS
GDPR
Medium
Ensure EKS Public access is disabled
Security & Compliance
APRA
CIS
CISAWSF
CIS EKS
GDPR
Critical
Ensure EKS Public access is restricted to specific sources
Security & Compliance
ISO 27001
Low
Ensure EMR cluster archive log files to S3
Other
APRA
AWS Well-Architected Framework
GDPR
MAS
NIST4
Critical
Ensure EMR cluster master nodes are not publicly accessible
Security & Compliance
No items found.
Medium
Ensure EMR clusters are encrypted in-transit and at-rest
Security & Compliance
APRA
AWS Well-Architected Framework
GDPR
HIPAA
MAS
Critical
Ensure ElastiCache Redis clusters are encrypted at-rest
Security & Compliance
HIPAA
GDPR
NIST4
APRA
HITRUST
Critical
Ensure ElastiCache Redis clusters are encrypted in-transit
Security & Compliance
HIPAA
GDPR
HITRUST
NIST 800-53
APRA
Low
Ensure ElastiCache Redis clusters have automatic backup turned on
Availability
No items found.
Medium
Ensure Geo-Restriction is enabled within CloudFront distribution
Security & Compliance
GDPR
Medium
Ensure IAM Group has no inline policy
Security & Compliance
APRA
MAS
NIST4
FedRAMP
Medium
Ensure IAM Role has no inline policy
Security & Compliance
APRA
AWS Well-Architected Framework
MAS
NIST4
FedRAMP
Medium
Ensure IAM User has no inline policy
Security & Compliance
APRA
AWS Well-Architected Framework
CISAWSF
SOC2
MAS
Critical
Ensure IAM password policy expires passwords within 90 days or less
Security & Compliance
ISO 27001
CSA CCM
SOC2
PCI-DSS
APRA
Low
Ensure IAM password policy has expiration period
Security & Compliance
CIS 8
NIST 800-53
GDPR
HITRUST
CSA CCM
Medium
Ensure IAM password policy prevents password reuse
Security & Compliance
CIS
ISO 27001
SOC2
GDPR
PCI-DSS
Medium
Ensure IAM password policy require at least one lowercase letter
Security & Compliance
APRA
AWS Well-Architected Framework
CISAWSF
PCI-DSS
ISO 27001
We haven't write about
WAF
yet.
View all blog posts ->
More from
Amazon Web Services
MQ
Redshift
CloudTrail
CloudFormation Stack
SCP
EFS
Availability Zone
Region
SES
ENI
CloudWatch
S3 Glacier
Direct Connect Gateway
Direct Connect
GuardDuty
Config
DMS
Glue
Athena
ECS Task Definition
IAM Account Password Policy
API Gateway
SageMaker Notebook
Elastic IP
Virtual Private Gateway
Transit Gateway
CloudFront
Route 53
VPN Customer Gateway
Site-to-Site VPN Connection
WAF
Internet Gateway
Network ACL
Route Table
Prefix List
VPC Peering
VPC Endpoint
NAT Gateway
Target Group
GLB
NLB
ALB
ELB
Subnet
VPC
KMS
Instance Profile
IAM Group
IAM User
IAM Policy
IAM Role
SNS
SQS
Kinesis
MSK
EC2
Auto Scaling Group
ECS
EKS
Lambda Function
AMI
OpenSearch
EMR
ElastiCache
DocumentDB
RDS
EBS Snapshots
EBS Volume
DynamoDB
S3 Bucket
Security Group