AWS::WAFRegional::WebACL
Note
This is AWS WAF Classic documentation. For more information, see AWS WAF Classic in the developer guide.
For the latest version of AWS WAF , use the AWS WAFV2 API and see the AWS WAF Developer Guide. With the latest version, AWS WAF has a single set of endpoints for regional and global use.
Contains the Rules
that identify the requests that you want to allow, block, or count. In a WebACL
, you also specify a
default action (ALLOW
or BLOCK
), and the action for each Rule
that you add to a
WebACL
, for example, block requests from specified IP addresses or block requests from specified referrers.
If you add more than one Rule
to a WebACL
, a request needs to match only one of the specifications
to be allowed, blocked, or counted.
To identify the requests that you want AWS WAF to filter, you associate the WebACL
with an API Gateway API or an Application Load Balancer.
Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:
JSON
{ "Type" : "AWS::WAFRegional::WebACL", "Properties" : { "DefaultAction" :
Action
, "MetricName" :String
, "Name" :String
, "Rules" :[ Rule, ... ]
} }
YAML
Type: AWS::WAFRegional::WebACL Properties: DefaultAction:
Action
MetricName:String
Name:String
Rules:- Rule
Properties
DefaultAction
-
The action to perform if none of the
Rules
contained in theWebACL
match. The action is specified by theWafAction
object.Required: Yes
Type: Action
Update requires: No interruption
MetricName
-
A name for the metrics for this
WebACL
. The name can contain only alphanumeric characters (A-Z, a-z, 0-9), with maximum length 128 and minimum length one. It can't contain whitespace or metric names reserved for AWS WAF, including "All" and "Default_Action." You can't changeMetricName
after you create theWebACL
.Required: Yes
Type: String
Pattern:
.*\S.*
Minimum:
1
Maximum:
128
Update requires: Replacement
Name
-
A friendly name or description of the
WebACL
. You can't change the name of aWebACL
after you create it.Required: Yes
Type: String
Pattern:
.*\S.*
Minimum:
1
Maximum:
128
Update requires: Replacement
Rules
-
An array that contains the action for each
Rule
in aWebACL
, the priority of theRule
, and the ID of theRule
.Required: No
Type: Array of Rule
Update requires: No interruption
Return values
Ref
When you pass the logical ID of this resource to the intrinsic Ref
function, Ref
returns the resource name, such as 1234a1a-a1b1-12a1-abcd-a123b123456.
For more information about using the Ref
function, see Ref
.
Fn::GetAtt
Examples
Create a Web ACL
The following example defines a web ACL that allows, by default, any web request. However, if the request matches any rule, AWS WAF blocks the request. AWS WAF evaluates each rule in priority order, starting with the lowest value.
JSON
"MyWebACL": { "Type": "AWS::WAFRegional::WebACL", "Properties": { "Name": "WebACL to with three rules", "DefaultAction": { "Type": "ALLOW" }, "MetricName" : "MyWebACL", "Rules": [ { "Action" : { "Type" : "BLOCK" }, "Priority" : 1, "RuleId" : { "Ref" : "MyRule" } }, { "Action" : { "Type" : "BLOCK" }, "Priority" : 2, "RuleId" : { "Ref" : "BadReferersRule" } }, { "Action" : { "Type" : "BLOCK" }, "Priority" : 3, "RuleId" : { "Ref" : "SqlInjRule" } } ] } }
YAML
MyWebACL: Type: "AWS::WAFRegional::WebACL" Properties: Name: "WebACL to with three rules" DefaultAction: Type: "ALLOW" MetricName: "MyWebACL" Rules: - Action: Type: "BLOCK" Priority: 1 RuleId: Ref: "MyRule" - Action: Type: "BLOCK" Priority: 2 RuleId: Ref: "BadReferersRule" - Action: Type: "BLOCK" Priority: 3 RuleId: Ref: "SqlInjRule"