AWS CloudFormation
User Guide (API Version 2010-05-15)

AWS::WAF::WebACL

The AWS::WAF::WebACL resource creates an AWS WAF web access control list (ACL) containing the rules that identify the Amazon CloudFront (CloudFront) web requests that you want to allow, block, or count. For more information, see CreateWebACL in the AWS WAF API Reference.

Syntax

To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON

  {
    "Type" : "AWS::WAF::WebACL",
    "Properties" : {
      "DefaultAction" : Action,
      "MetricName" : String,
      "Name" : String,
      "Rules" : [ Rule, ... ]
    }
  }

YAML

  Type: "AWS::WAF::WebACL"
  Properties:
    DefaultAction:
      Action
    MetricName: String
    Name: String
    Rules:
      - Rule

Properties

DefaultAction

The action that you want AWS WAF to take when a request doesn't match the criteria in any of the rules that are associated with the web ACL.

Required: Yes

Type: AWS WAF WebACL Action

Update requires: No interruption

MetricName

A friendly name or description for the Amazon CloudWatch metric of this web ACL. For valid values, see the MetricName parameter of the CreateWebACL action in the AWS WAF API Reference.

Required: Yes

Type: String

Update requires: Replacement

Name

A friendly name or description of the web ACL.

Required: Yes

Type: String

Update requires: Replacement

Rules

The rules to associate with the web ACL and the settings for each rule.

Required: No

Type: List of AWS WAF WebACL Rules

Update requires: No interruption

Return Values

Ref

When the logical ID of this resource is provided to the Ref intrinsic function, Ref returns the resource physical ID, which is the web ACL ID, such as 1234a1a-a1b1-12a1-abcd-a123b123456. This is the value that the WebACLId property of AWS::CloudFront::Distribution expects.

For more information about using the Ref function, see Ref.

Examples

Create a Web ACL

The following example defines a web ACL whose default action allows any web request. A request that matches one of the three rules is blocked. AWS WAF evaluates the rules in priority order, starting with the lowest value, and applies the action of the first rule that matches; a request that matches no rule gets the default action. MyRule, BadReferersRule, and SqlInjRule are the logical IDs of AWS::WAF::Rule resources declared elsewhere in the same template.

JSON

  "MyWebACL": {
    "Type": "AWS::WAF::WebACL",
    "Properties": {
      "Name": "WebACL with three rules",
      "DefaultAction": {
        "Type": "ALLOW"
      },
      "MetricName" : "MyWebACL",
      "Rules": [
        {
          "Action" : { "Type" : "BLOCK" },
          "Priority" : 1,
          "RuleId" : { "Ref" : "MyRule" }
        },
        {
          "Action" : { "Type" : "BLOCK" },
          "Priority" : 2,
          "RuleId" : { "Ref" : "BadReferersRule" }
        },
        {
          "Action" : { "Type" : "BLOCK" },
          "Priority" : 3,
          "RuleId" : { "Ref" : "SqlInjRule" }
        }
      ]
    }
  }

YAML

  MyWebACL:
    Type: "AWS::WAF::WebACL"
    Properties:
      Name: "WebACL with three rules"
      DefaultAction:
        Type: "ALLOW"
      MetricName: "MyWebACL"
      Rules:
        - Action:
            Type: "BLOCK"
          Priority: 1
          RuleId:
            Ref: "MyRule"
        - Action:
            Type: "BLOCK"
          Priority: 2
          RuleId:
            Ref: "BadReferersRule"
        - Action:
            Type: "BLOCK"
          Priority: 3
          RuleId:
            Ref: "SqlInjRule"

Associate a Web ACL with a CloudFront Distribution

The following example associates the MyWebACL web ACL with a CloudFront distribution by passing its ID to the WebACLId property. The web ACL restricts which requests can reach content served by CloudFront. The other distribution settings shown here (an http-only origin, ViewerProtocolPolicy allow-all) are illustrative only; the web ACL filters requests but does not change how the distribution handles transport security.

JSON

  "myDistribution": {
    "Type": "AWS::CloudFront::Distribution",
    "Properties": {
      "DistributionConfig": {
        "WebACLId": { "Ref" : "MyWebACL" },
        "Origins": [
          {
            "DomainName": "test.example.com",
            "Id": "myCustomOrigin",
            "CustomOriginConfig": {
              "HTTPPort": "80",
              "HTTPSPort": "443",
              "OriginProtocolPolicy": "http-only"
            }
          }
        ],
        "Enabled": "true",
        "Comment": "TestDistribution",
        "DefaultRootObject": "index.html",
        "DefaultCacheBehavior": {
          "TargetOriginId": "myCustomOrigin",
          "SmoothStreaming" : "false",
          "ForwardedValues": {
            "QueryString": "false",
            "Cookies" : { "Forward" : "all" }
          },
          "ViewerProtocolPolicy": "allow-all"
        },
        "CustomErrorResponses" : [
          {
            "ErrorCode" : "404",
            "ResponsePagePath" : "/error-pages/404.html",
            "ResponseCode" : "200",
            "ErrorCachingMinTTL" : "30"
          }
        ],
        "PriceClass" : "PriceClass_200",
        "Restrictions" : {
          "GeoRestriction" : {
            "RestrictionType" : "whitelist",
            "Locations" : [ "AQ", "CV" ]
          }
        },
        "ViewerCertificate" : {
          "CloudFrontDefaultCertificate" : "true"
        }
      }
    }
  }

YAML

  myDistribution:
    Type: "AWS::CloudFront::Distribution"
    Properties:
      DistributionConfig:
        WebACLId:
          Ref: "MyWebACL"
        Origins:
          - DomainName: "test.example.com"
            Id: "myCustomOrigin"
            CustomOriginConfig:
              HTTPPort: "80"
              HTTPSPort: "443"
              OriginProtocolPolicy: "http-only"
        Enabled: "true"
        Comment: "TestDistribution"
        DefaultRootObject: "index.html"
        DefaultCacheBehavior:
          TargetOriginId: "myCustomOrigin"
          SmoothStreaming: "false"
          ForwardedValues:
            QueryString: "false"
            Cookies:
              Forward: "all"
          ViewerProtocolPolicy: "allow-all"
        CustomErrorResponses:
          - ErrorCode: "404"
            ResponsePagePath: "/error-pages/404.html"
            ResponseCode: "200"
            ErrorCachingMinTTL: "30"
        PriceClass: "PriceClass_200"
        Restrictions:
          GeoRestriction:
            RestrictionType: "whitelist"
            Locations:
              - "AQ"
              - "CV"
        ViewerCertificate:
          CloudFrontDefaultCertificate: "true"
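The script below is an added example, not part of the AWS documentation or of any AWS tool. It is a small pre-deployment linter that reads a CloudFormation template as JSON and applies the constraints described in the Properties section to every AWS::WAF::WebACL: a DefaultAction of ALLOW or BLOCK, a MetricName that satisfies the CreateWebACL rules (alphanumeric, 1 to 128 characters, not a reserved name), integer and unique rule priorities, and RuleId references that resolve to an AWS::WAF::Rule in the same template. For the association pattern in the last example it also reports every AWS::CloudFront::Distribution that has no WebACLId or whose WebACLId does not resolve to a web ACL. The embedded SAMPLE_TEMPLATE is constructed for this example: it reuses the page's MyWebACL, adds the MyRule and BadReferersRule resources it refers to (trimmed to the fields the checks read), deliberately leaves SqlInjRule undefined to show the dangling-reference finding, and adds a second distribution with no web ACL. All function and variable names are the example's own.

```python
"""Static checks for AWS::WAF::WebACL (WAF Classic) resources in a CloudFormation JSON template."""
import json
import re
import sys

# CreateWebACL constraints on MetricName: alphanumeric, 1-128 chars, not a reserved name.
METRIC_NAME_RE = re.compile(r"^[A-Za-z0-9]{1,128}$")
RESERVED_METRIC_NAMES = {"All", "Default_Action"}
DEFAULT_ACTIONS = {"ALLOW", "BLOCK"}  # a web ACL's default action cannot be COUNT


def ref_target(value):
    """Logical ID named by a {"Ref": "..."} intrinsic, or None for anything else."""
    return value["Ref"] if isinstance(value, dict) and list(value) == ["Ref"] else None


def bad_ref(value, expected_type, resources):
    """True if value is a Ref that does not resolve to a resource of expected_type."""
    target = ref_target(value)
    return target is not None and resources.get(target, {}).get("Type") != expected_type


def lint_web_acl(logical_id, props, resources):
    """Return (level, message) findings for one AWS::WAF::WebACL."""
    findings = []
    default = (props.get("DefaultAction") or {}).get("Type")
    if default not in DEFAULT_ACTIONS:
        findings.append(("ERROR", f"{logical_id}: DefaultAction.Type must be ALLOW or BLOCK, got {default!r}"))
    metric = props.get("MetricName")
    if not (isinstance(metric, str) and METRIC_NAME_RE.match(metric)) or metric in RESERVED_METRIC_NAMES:
        findings.append(("ERROR", f"{logical_id}: MetricName {metric!r} is not a valid WAF metric name"))
    rules = props.get("Rules") or []
    seen = {}  # priority value -> index of the rule that first used it
    for idx, rule in enumerate(rules):
        prio = rule.get("Priority")
        if not isinstance(prio, int) or isinstance(prio, bool):
            findings.append(("ERROR", f"{logical_id}: rule #{idx} Priority must be an integer"))
        elif prio in seen:
            findings.append(("ERROR", f"{logical_id}: Priority {prio} is used by rules #{seen[prio]} and #{idx}"))
        else:
            seen[prio] = idx
        if "RuleId" not in rule:
            findings.append(("ERROR", f"{logical_id}: rule #{idx} is missing RuleId"))
        elif bad_ref(rule["RuleId"], "AWS::WAF::Rule", resources):
            findings.append(("ERROR", f"{logical_id}: rule #{idx} RuleId refers to "
                                      f"{ref_target(rule['RuleId'])!r}, which is not an AWS::WAF::Rule here"))
    # Posture note: default ALLOW with only BLOCK rules is a blocklist; whatever no rule
    # matches is served, so the rule set has to be complete to be effective.
    if default == "ALLOW" and rules and all((r.get("Action") or {}).get("Type") == "BLOCK" for r in rules):
        findings.append(("NOTE", f"{logical_id}: default ALLOW with block-only rules; unmatched requests are allowed"))
    return findings


def lint_distribution(logical_id, props, resources):
    """Findings for one AWS::CloudFront::Distribution: is a valid web ACL attached?"""
    web_acl = (props.get("DistributionConfig") or {}).get("WebACLId")
    if web_acl is None:
        return [("NOTE", f"{logical_id}: no WebACLId; the distribution is not protected by AWS WAF")]
    if bad_ref(web_acl, "AWS::WAF::WebACL", resources):
        return [("ERROR", f"{logical_id}: WebACLId refers to {ref_target(web_acl)!r}, which is not an AWS::WAF::WebACL")]
    return []


def lint_template(template):
    """Run every check over a parsed template and return the list of (level, message)."""
    resources = template.get("Resources") or {}
    findings = []
    for logical_id, res in resources.items():
        props = res.get("Properties") or {}
        if res.get("Type") == "AWS::WAF::WebACL":
            findings += lint_web_acl(logical_id, props, resources)
        elif res.get("Type") == "AWS::CloudFront::Distribution":
            findings += lint_distribution(logical_id, props, resources)
    return findings


# Constructed sample (not from the page): the page's MyWebACL plus the rule resources it
# refers to, trimmed to the fields the checks read; SqlInjRule is deliberately undefined.
SAMPLE_TEMPLATE = {"Resources": {
    "MyIPSet": {"Type": "AWS::WAF::IPSet", "Properties": {"Name": "Blocked addresses",
        "IPSetDescriptors": [{"Type": "IPV4", "Value": "192.0.2.44/32"}]}},
    "MyRule": {"Type": "AWS::WAF::Rule", "Properties": {"Name": "MyRule", "MetricName": "MyRule",
        "Predicates": [{"DataId": {"Ref": "MyIPSet"}, "Negated": False, "Type": "IPMatch"}]}},
    "BadReferersRule": {"Type": "AWS::WAF::Rule", "Properties": {"Name": "BadReferersRule",
        "MetricName": "BadReferersRule"}},  # predicates trimmed; only the Type is read
    "MyWebACL": {"Type": "AWS::WAF::WebACL", "Properties": {
        "Name": "WebACL with three rules", "MetricName": "MyWebACL", "DefaultAction": {"Type": "ALLOW"},
        "Rules": [{"Action": {"Type": "BLOCK"}, "Priority": 1, "RuleId": {"Ref": "MyRule"}},
                  {"Action": {"Type": "BLOCK"}, "Priority": 2, "RuleId": {"Ref": "BadReferersRule"}},
                  {"Action": {"Type": "BLOCK"}, "Priority": 3, "RuleId": {"Ref": "SqlInjRule"}}]}},
    "myDistribution": {"Type": "AWS::CloudFront::Distribution", "Properties": {
        "DistributionConfig": {"WebACLId": {"Ref": "MyWebACL"}, "Enabled": True}}},
    "unprotectedDistribution": {"Type": "AWS::CloudFront::Distribution", "Properties": {
        "DistributionConfig": {"Enabled": True}}},
}}

if __name__ == "__main__":
    # Usage: python waf_lint.py [template.json]; without an argument the sample is checked.
    template = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_TEMPLATE
    for level, message in lint_template(template):
        print(level, message)
```

Run against the sample, the linter reports the dangling SqlInjRule reference as an error and two posture notes: MyWebACL is a blocklist with a permissive default, and unprotectedDistribution has no web ACL at all. A RuleId or WebACLId given as a literal string or through a parameter cannot be resolved statically and is left unchecked; CloudFormation itself will still reject an unresolvable Ref at stack creation, so this lint only moves that feedback earlier.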