AWS::NetworkFirewall::FirewallPolicy
Use the AWS::NetworkFirewall::FirewallPolicy to define the stateless and stateful network traffic filtering behavior for your AWS::NetworkFirewall::Firewall. You can use one firewall policy for multiple firewalls.
Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:
JSON
{
  "Type" : "AWS::NetworkFirewall::FirewallPolicy",
  "Properties" : {
    "Description" : String,
    "FirewallPolicy" : FirewallPolicy,
    "FirewallPolicyName" : String,
    "Tags" : [ Tag, ... ]
  }
}
YAML
Type: AWS::NetworkFirewall::FirewallPolicy
Properties:
  Description: String
  FirewallPolicy: FirewallPolicy
  FirewallPolicyName: String
  Tags:
    - Tag
Properties
Description
A description of the firewall policy.
Required: No
Type: String
Pattern: ^.*$
Minimum: 1
Maximum: 512
Update requires: No interruption
FirewallPolicy
The traffic filtering behavior of a firewall policy, defined in a collection of stateless and stateful rule groups and other settings.
Required: Yes
Type: FirewallPolicy
Update requires: No interruption
FirewallPolicyName
The descriptive name of the firewall policy. You can't change the name of a firewall policy after you create it.
Required: Yes
Type: String
Pattern: ^[a-zA-Z0-9-]+$
Minimum: 1
Maximum: 128
Update requires: Replacement
Tags
An array of key-value pairs to apply to this resource.
For more information, see Tag.
Required: No
Type: Array of Tag
Minimum: 1
Maximum: 200
Update requires: No interruption
Return values
Ref
When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns the Amazon Resource Name (ARN) of the firewall policy. For example:
{ "Ref": "arn:aws:network-firewall:us-east-1:012345678901:firewall-policy/myFirewallPolicyName" }
For more information about using the Ref function, see Ref.
Fn::GetAtt
The Fn::GetAtt intrinsic function returns a value for a specified attribute of this type. The following are the available attributes and sample return values.
For more information about using the Fn::GetAtt intrinsic function, see Fn::GetAtt.
FirewallPolicyArn
The Amazon Resource Name (ARN) of the AWS::NetworkFirewall::FirewallPolicy.
FirewallPolicyId
The unique ID of the AWS::NetworkFirewall::FirewallPolicy resource.
Examples
Create a firewall policy
The following shows example firewall policy specifications.
JSON
"SampleFirewallPolicy": {
  "Type": "AWS::NetworkFirewall::FirewallPolicy",
  "Properties": {
    "FirewallPolicyName": "SampleFirewallPolicyName",
    "FirewallPolicy": {
      "StatelessDefaultActions": [ "aws:pass" ],
      "StatelessFragmentDefaultActions": [ "aws:drop" ],
      "StatefulRuleGroupReferences": [
        { "ResourceArn": { "Ref": "SampleStatefulRuleGroup" } }
      ],
      "StatelessRuleGroupReferences": [
        { "ResourceArn": { "Ref": "SampleStatelessRuleGroup" }, "Priority": 100 }
      ]
    },
    "Description": "FirewallPolicy description goes here",
    "Tags": [ { "Key": "Foo", "Value": "Bar" } ]
  }
}
YAML
SampleFirewallPolicy:
  Type: 'AWS::NetworkFirewall::FirewallPolicy'
  Properties:
    FirewallPolicyName: SampleFirewallPolicyName
    FirewallPolicy:
      StatelessDefaultActions:
        - 'aws:pass'
      StatelessFragmentDefaultActions:
        - 'aws:drop'
      StatefulRuleGroupReferences:
        - ResourceArn: !Ref SampleStatefulRuleGroup1
      StatelessRuleGroupReferences:
        - ResourceArn: !Ref SampleStatelessRuleGroup
          Priority: 100
    Description: FirewallPolicy description goes here
    Tags:
      - Key: Foo
        Value: Bar
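As an added example (not part of the AWS documentation), a small Python linter that reads a CloudFormation template and checks each AWS::NetworkFirewall::FirewallPolicy resource against the property constraints listed above, and also flags a stateless default of aws:pass, which sends every packet that no stateless rule matched out of the firewall without stateful inspection. The embedded template is constructed from the page's sample; the HardenedPolicy resource, the function names and the use of the aws:forward_to_sfe action (a Network Firewall action not shown on this page) are assumptions of this example.

```python
import json
import re

# Constraints copied from the property table on this page.
NAME_RE = re.compile(r"^[a-zA-Z0-9-]+$")
LIMITS = {"FirewallPolicyName": (1, 128), "Description": (1, 512), "Tags": (1, 200)}

# Constructed sample template: the page's JSON example plus a hardened variant.
SAMPLE_TEMPLATE = json.dumps({"Resources": {
    "SampleFirewallPolicy": {"Type": "AWS::NetworkFirewall::FirewallPolicy", "Properties": {
        "FirewallPolicyName": "SampleFirewallPolicyName",
        "FirewallPolicy": {"StatelessDefaultActions": ["aws:pass"],
                           "StatelessFragmentDefaultActions": ["aws:drop"]},
        "Description": "FirewallPolicy description goes here",
        "Tags": [{"Key": "Foo", "Value": "Bar"}]}},
    "HardenedPolicy": {"Type": "AWS::NetworkFirewall::FirewallPolicy", "Properties": {
        "FirewallPolicyName": "hardened-policy",
        "FirewallPolicy": {"StatelessDefaultActions": ["aws:forward_to_sfe"],
                           "StatelessFragmentDefaultActions": ["aws:drop"]}}}}})

def lint_policy(props: dict) -> list:
    """Return findings for one AWS::NetworkFirewall::FirewallPolicy Properties block."""
    findings = []
    for key, (lo, hi) in LIMITS.items():  # Minimum/Maximum from the property table
        value = props.get(key)
        if value is not None and not lo <= len(value) <= hi:
            findings.append(f"{key}: length {len(value)} outside {lo}-{hi}")
    name = props.get("FirewallPolicyName")
    if name is None:
        findings.append("FirewallPolicyName: required")
    elif not NAME_RE.match(name):
        findings.append(f"FirewallPolicyName: {name!r} does not match ^[a-zA-Z0-9-]+$")
    policy = props.get("FirewallPolicy")
    if policy is None:
        return findings + ["FirewallPolicy: required"]
    # aws:pass as a stateless default means packets that match no stateless rule
    # leave the firewall immediately, so the stateful rule groups never see them.
    # aws:forward_to_sfe (assumed here, not shown on this page) hands them to the
    # stateful engine instead.
    for key in ("StatelessDefaultActions", "StatelessFragmentDefaultActions"):
        if "aws:pass" in policy.get(key, []):
            findings.append(f"{key}: aws:pass bypasses stateful inspection")
    return findings

def lint_template(template_json: str) -> dict:
    """Map each FirewallPolicy logical ID in a template to its findings."""
    resources = json.loads(template_json).get("Resources", {})
    return {lid: lint_policy(res.get("Properties", {}))
            for lid, res in resources.items()
            if res.get("Type") == "AWS::NetworkFirewall::FirewallPolicy"}
```

Running lint_template(SAMPLE_TEMPLATE) flags only the page's sample policy, for its aws:pass stateless default.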