A collection of AWS Security controls for AWS WAF and AWS Shield. Configuration items include templates to set up AWS Managed Rules for AWS WAF Rules in an AWS account to protect CloudFront, API Gateway and ALB resources. Rules include general vulnerability and OWASP protections, known bad IP lists, specific use-cases such as WordPress or SQL database protections, and more.
Configuration to create WAF Web ACLs with AWS Managed Rules to protect internet-facing applications. Web ACLs can be applied to CloudFront distributions, Application Load Balancers (ALBs), and API Gateways.
An AWS WAF Web ACL to protect against common vulnerabilities and known bad inputs and IP addresses. The Web ACL uses AWS Managed Rules to protect internet-facing applications. Web ACLs can be applied to CloudFront distributions, Application Load Balancers (ALBs), and API Gateways.
An AWS WAF Web ACL to protect applications with SQL databases. The Web ACL uses AWS Managed Rules to protect internet-facing applications. Web ACLs can be applied to CloudFront distributions, Application Load Balancers (ALBs), and API Gateways.
An AWS WAF Web ACL to protect PHP web applications. The Web ACL uses AWS Managed Rules to protect internet-facing applications. Web ACLs can be applied to CloudFront distributions, Application Load Balancers (ALBs), and API Gateways.
Creates an AWS WAFv2 Regex Pattern Set with multiple regular expressions and tags.
Creates a simple AWS WAFv2 Rule Group with a single rule that allows requests from specified countries.
Creates a Web ACL with a managed rule group for common AWS rules and specific overrides.
Sets up a Web ACL for preventing account creation fraud using AWS managed rules with specific path configurations.
Implements a Web ACL to protect against account takeover attempts using AWS managed rules focused on login paths.
Configures a rate-based rule to limit requests from US and NL IP addresses on CloudFront distributions.
Demonstrates the use of a rule group within a Web ACL, including rule overrides.
Configures a Web ACL to inspect large request bodies across various AWS services.
This template creates an AWS API Gateway and associates it with a WAFv2 Web ACL to protect the API.
Configures WAFv2 Web ACL logging with specific fields redacted for privacy.
Configures WAFv2 Web ACL logging with filters to selectively log requests based on specified conditions.
Sets up WAFv2 Web ACL logging to a CloudWatch Log Group with a managed CloudWatch Log Resource Policy to handle permissions.
Creates a notification channel for Firewall Manager to send alerts and notifications to a specified email address.
This template creates a Firewall Manager AWS WAF policy. The policy is used for the latest version of AWS WAF and includes pre-process rule groups, post-process rule groups, and a default action of BLOCK.
This template creates a Firewall Manager AWS WAF Classic policy. The policy includes a default action of BLOCK and a rule group with an override action of NONE.
This template creates an AWS Firewall Manager policy that applies to specified resource types and includes resource tags and account ID. The policy is named TaggedPolicy and is configured to exclude resource tags, include specified resource types, and apply a security service policy for Shield Advanced.
This template creates a Firewall Manager common security group policy. The policy includes a revert manual security group changes option and a security group ID.
This template creates a Firewall Manager content audit security group policy. The policy includes a security group action of ALLOW and a security group ID.
This template creates a Firewall Manager usage audit security group policy. The policy includes options for deleting unused security groups and coalescing redundant security groups.
This template creates a Firewall Manager Network Firewall policy. The policy includes stateless and stateful rule group references, default actions, custom actions, and orchestration configuration.
This template creates a Firewall Manager DNS Firewall policy. The policy includes pre-process and post-process rule groups with priorities.
This template creates an AWS Shield DRT Access resource to provide access to the Shield response team (SRT), including granting access to additional data outside of the web ACL logs. It also creates two S3 buckets for the additional data and an IAM Role with the necessary permissions for the DRT Access resource.
This template creates a proactive engagement configuration with proactive engagement enabled and two emergency contacts. The proactive engagement status is set to enabled and the emergency contact list includes email addresses, contact notes, and phone numbers for each contact.
This template creates an application layer protection for an application load balancer. It creates a Shield Protection resource and configures it.
This template creates an AWS Shield protection group for all protected resources.
This template creates an AWS Shield protection group for all Elastic IP address resources that have AWS Shield Advanced protection.
This template configures an AWS Shield Application Layer Automatic Response to perform a COUNT action on a specified CloudFront distribution for DDoS mitigation.
A Config rule that checks if Web Application Firewall (WAF) is enabled on Application Load Balancers (ALBs). This rule is NON_COMPLIANT if the key waf.enabled is set to false.
A Config rule that checks whether logging is enabled on AWS Web Application Firewall (WAFV2) regional and global web access control list (ACLs). The rule is NON_COMPLIANT if the logging is enabled but the logging destination does not match the value of the parameter.
A Config rule that checks if logging is enabled on AWS Web Application Firewall (WAF) classic global web ACLs. This rule is NON_COMPLIANT for a global web ACL if it does not have logging enabled.
A Config rule that checks whether the web ACL is associated with an Application Load Balancer or Amazon CloudFront distributions. When AWS Firewall Manager creates this rule, the FMS policy owner specifies the WebACLId in the FMS policy and can optionally enable remediation.
A Config rule that checks that the rule groups are associated with the web ACL at the correct priority. The correct priority is decided by the rank of the rule groups in the ruleGroups parameter. When AWS Firewall Manager creates this rule, it assigns the highest priority 0 followed by 1, 2, and so on. The FMS policy owner specifies the ruleGroups rank in the FMS policy and can optionally enable remediation.
A Config rule that checks whether an Application Load Balancer, Amazon CloudFront distributions, Elastic Load Balancer or Elastic IP has AWS Shield protection. This rule also checks if they have web ACL associated for Application Load Balancer and Amazon CloudFront distributions.
A Config rule that checks whether AWS Shield Advanced is enabled in your AWS account and that the subscription is set to automatically renew.
A Config rule that checks that the DDoS response team (DRT) can access the AWS account. The rule is NON_COMPLIANT if AWS Shield Advanced is enabled but the role for DRT access is not configured.
Checks if WAFv2 Rule Groups contain rules. The rule is NON_COMPLIANT if there are no rules in a WAFv2 Rule Group.
Checks if a WAFv2 Web ACL contains any WAF rules or WAF rule groups. This rule is NON_COMPLIANT if a Web ACL does not contain any WAF rules or WAF rule groups.
Checks if an AWS WAF Classic rule group contains any rules. The rule is NON_COMPLIANT if there are no rules present within a rule group.
Checks if an AWS WAF global rule contains any conditions. The rule is NON_COMPLIANT if no conditions are present within the WAF global rule.
Checks whether a WAF Global Web ACL contains any WAF rules or rule groups. This rule is NON_COMPLIANT if a Web ACL does not contain any WAF rule or rule group.
Checks if WAF Regional rule groups contain any rules. The rule is NON_COMPLIANT if there are no rules present within a WAF Regional rule group.
Checks whether a WAF Regional rule contains conditions. This rule is COMPLIANT if the regional rule contains at least one condition and NON_COMPLIANT otherwise.
Checks if a WAF regional Web ACL contains any WAF rules or rule groups. The rule is NON_COMPLIANT if there are no WAF rules or rule groups present within a Web ACL.