aws-wafwebacl-cloudfront - AWS Solutions Constructs
OverviewPattern Construct PropsPattern PropertiesDefault settingsArchitectureGithub

aws-wafwebacl-cloudfront

Stability:Stable
Reference Documentation: https://docs.aws.amazon.com/solutions/latest/constructs/
Language Package

Python Logo Python

aws_solutions_constructs.aws_wafwebacl_cloudfront

Typescript Logo Typescript

@aws-solutions-constructs/aws-wafwebacl-cloudfront

Java Logo Java

software.amazon.awsconstructs.services.wafwebaclcloudfront

Overview

This AWS Solutions Construct implements an AWS WAF web ACL connected to Amazon CloudFront.

Here is a minimal deployable pattern definition:

Typescript
import { Construct } from 'constructs';
import { Stack, StackProps } from 'aws-cdk-lib';
import { CloudFrontToS3 } from '@aws-solutions-constructs/aws-cloudfront-s3';
import { WafwebaclToCloudFront } from "@aws-solutions-constructs/aws-wafwebacl-cloudfront";

const cloudfrontToS3 = new CloudFrontToS3(this, 'test-cloudfront-s3', {});

// This construct can only be attached to a configured CloudFront.
new WafwebaclToCloudFront(this, 'test-wafwebacl-cloudfront', {
    existingCloudFrontWebDistribution: cloudfrontToS3.cloudFrontWebDistribution
});
Python
from aws_solutions_constructs.aws_cloudfront_s3 import CloudFrontToS3
from aws_solutions_constructs.aws_wafwebacl_cloudfront import WafwebaclToCloudFront
from aws_cdk import Stack
from constructs import Construct

cloudfront_to_s3 = CloudFrontToS3(self, 'test_cloudfront_s3')

# This construct can only be attached to a configured CloudFront.
WafwebaclToCloudFront(self, 'test_wafwebacl_cloudfront',
                      existing_cloud_front_web_distribution=cloudfront_to_s3.cloud_front_web_distribution
                      )
Java
import software.constructs.Construct;

import software.amazon.awscdk.Stack;
import software.amazon.awscdk.StackProps;
import software.amazon.awsconstructs.services.cloudfronts3.*;
import software.amazon.awsconstructs.services.wafwebaclcloudfront.*;

final CloudFrontToS3 cloudfrontToS3 = new CloudFrontToS3(this, "test-cloudfront-s3",
        new CloudFrontToS3Props.Builder()
                .build());

// This construct can only be attached to a configured CloudFront.
new WafwebaclToCloudFront(this, "test-wafwebacl-cloudfront", new WafwebaclToCloudFrontProps.Builder()
        .existingCloudFrontWebDistribution(cloudfrontToS3.getCloudFrontWebDistribution())
        .build());

Pattern Construct Props

Name Type Description

existingCloudFrontWebDistribution

cloudfront.Distribution

The existing CloudFront instance that will be protected with the WAF web ACL. Note that a WAF web ACL can only be added to a configured CloudFront, so this construct only accepts an existing Distribution and does not accept cloudfrontProps.

existingWebaclObj?

waf.CfnWebACL

Existing instance of a WAF web ACL, an error will occur if this and props is set.

webaclProps?

waf.CfnWebACLProps

Optional user-provided props to override the default props for the AWS WAF web ACL. To use a different collection of managed rule sets, specify a new rules property. Use our wrapManagedRuleSet(managedGroupName: string, vendorName: string, priority: number) function from core to create an array entry from each desired managed rule set.

Pattern Properties

Name Type Description

webacl

waf.CfnWebACL

Returns an instance of the waf.CfnWebACL created by the construct.

cloudFrontWebDistribution

cloudfront.Distribution

Returns an instance of cloudfront.Distribution created by the construct.

Default settings

Out of the box implementation of the Construct without any override will set the following defaults:

AWS WAF

  • Deploy a WAF web ACL with 7 AWS managed rule groups.

    • AWSManagedRulesBotControlRuleSet

    • AWSManagedRulesKnownBadInputsRuleSet

    • AWSManagedRulesCommonRuleSet

    • AWSManagedRulesAnonymousIpList

    • AWSManagedRulesAmazonIpReputationList

    • AWSManagedRulesAdminProtectionRuleSet

    • AWSManagedRulesSQLiRuleSet

      Note that the default rules can be replaced by specifying the rules property of CfnWebACLProps

  • Send metrics to Amazon CloudWatch

Amazon CloudFront

  • User provided CloudFront object is used as-is

Architecture

Diagram showing the WAF ACL, CloudFront distribution, CloudWatch log group and IAM role created by the construct

Github

Go to the Github repo for this pattern to view the code, read/create issues and pull requests and more.