osedragon.blogg.se

AWS WAF Terraform
Overview

The intention of this document is to provide clear documentation of the artifacts created to deploy AWS WAF and its configuration, using Terraform as the IaC tool. The project covers:

- AWS Firewall Manager WAF policy with account and resource scope
- Centralized logging configuration for AWS WAF Web ACLs
- Automation of an AWS WAF IP set with the CloudFront IP addresses, and an AWS WAF IP rule that uses it
- Creation of AWS WAF custom rules (XSS, Regex, IP set, SQLi, Rate based)
- AWS Managed Bot rules, used as an example of a managed rule group
- AWS WAF Rate based rule deployed with AWS Firewall Manager
- 3 types of logging configuration: 1) Kinesis -> S3, 2) Kinesis -> (cross-account) S3 -> ES (private in VPC) and 3) Kinesis -> Lambda -> ES -> Kibana in the same account

Architecture

Check the documentation under the folder /documentation.

Variables

The following variables are the most important ones, but please check the file 0-variables_firewall.tf for complete visibility.

- create_global_fms_waf_policy: enable or disable the creation of the AWS Firewall Manager WAF policy with GLOBAL scope (CloudFront)
- create_regional_fms_waf_policy: enable or disable the creation of the AWS Firewall Manager WAF policy with REGIONAL scope
- create_waf_geo_rule_group: enable or disable the creation of an AWS WAF rule group with a Geolocation rule (not part of the AWS Firewall Manager policy by default)
- create_waf_regex_rule_group: enable or disable the creation of an AWS WAF rule group with a Regex pattern rule (not part of the AWS Firewall Manager policy by default)
- create_waf_sqli_rule_group: enable or disable the creation of an AWS WAF rule group with an SQLi rule (not part of the AWS Firewall Manager policy by default)
- create_waf_xss_rule_group: enable or disable the creation of an AWS WAF rule group with an XSS rule (not part of the AWS Firewall Manager policy by default)
- create_waf_ip_rule_group: enable or disable the creation of an AWS WAF rule group with an IP set rule (not part of the AWS Firewall Manager policy by default)
- logging_option: defines which logging resources are created. Available options: option1, option2 and option3, matching the three logging configurations listed above.
- kinesis_firehose_name: name of the Kinesis Data Firehose delivery stream that is the AWS WAF logging destination. It has to start with aws-waf-logs-, otherwise AWS WAF refuses the stream as a log destination.

For the global Firewall Manager WAF policy (CloudFront distributions):

- global_policy_name: name of the AWS Firewall Manager WAF policy for CloudFront distributions
- global_policy_remediation_enabled (true by default): whether Firewall Manager automatically associates the policy's web ACL with non-compliant resources
- global_policy_orgunit_list: organizational units of the workload accounts the Firewall Manager security policy is deployed to
- global_policy_resource_tags: map of resource tags that AWS Firewall Manager checks to decide which resources get the web ACL associated
- global_policy_overrideCustomerWebACLAssociation (true by default): when true, Firewall Manager replaces any web ACL an account has associated on its own with the policy's web ACL
- global_policy_default_action (ALLOW by default): default action of the web ACL for requests that match no rule

For the regional Firewall Manager WAF policy, the corresponding variables are defined in 0-variables_firewall.tf.
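The following Terraform is an added example, not code from this project, showing how the pieces described above fit together: a Kinesis Data Firehose delivery stream whose name carries the mandatory aws-waf-logs- prefix (validated at plan time rather than failing at apply), a custom rule group with a rate-based rule, and a global (CloudFront) Firewall Manager WAFV2 policy that references both, logs to the stream, and is scoped by organizational unit and resource tags. The variable names mirror the ones listed above; the log bucket ARN, the Firehose IAM role and the `aws.use1` provider alias are assumptions.

```hcl
# Added example, not the project's own code. Assumes an AWS provider alias
# "use1" bound to us-east-1 (required for CloudFront-scoped WAF resources and
# global Firewall Manager policies) and two pre-existing inputs:
# var.waf_log_bucket_arn and var.firehose_role_arn (assumed, not from the page).

variable "global_policy_name" { type = string }
variable "global_policy_remediation_enabled" { type = bool, default = true }
variable "global_policy_orgunit_list" { type = list(string) }
variable "global_policy_resource_tags" { type = map(string) }
variable "global_policy_overrideCustomerWebACLAssociation" { type = bool, default = true }
variable "global_policy_default_action" { type = string, default = "ALLOW" }
variable "waf_log_bucket_arn" { type = string }   # assumed existing bucket
variable "firehose_role_arn" { type = string }    # assumed role with s3:PutObject

# AWS WAF only accepts Firehose streams named aws-waf-logs-*, so reject
# anything else before the apply step.
variable "kinesis_firehose_name" {
  type    = string
  default = "aws-waf-logs-global-policy"
  validation {
    condition     = can(regex("^aws-waf-logs-", var.kinesis_firehose_name))
    error_message = "AWS WAF log destinations must be named aws-waf-logs-*."
  }
}

# Logging option 1 from the list above: Firehose -> S3.
resource "aws_kinesis_firehose_delivery_stream" "waf_logs" {
  provider    = aws.use1
  name        = var.kinesis_firehose_name
  destination = "extended_s3"

  extended_s3_configuration {
    role_arn   = var.firehose_role_arn
    bucket_arn = var.waf_log_bucket_arn
  }
}

# Custom rule group (a rate-based rule costs 2 WCU): block any source IP that
# exceeds 2000 requests in the trailing 5-minute window.
resource "aws_wafv2_rule_group" "rate_limit" {
  provider = aws.use1
  name     = "rate-limit-per-ip"
  scope    = "CLOUDFRONT"
  capacity = 2

  rule {
    name     = "rate-limit-per-ip"
    priority = 1
    action { block {} }
    statement {
      rate_based_statement {
        limit              = 2000
        aggregate_key_type = "IP"
      }
    }
    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "rate-limit-per-ip"
      sampled_requests_enabled   = true
    }
  }

  visibility_config {
    cloudwatch_metrics_enabled = true
    metric_name                = "rate-limit-rule-group"
    sampled_requests_enabled   = true
  }
}

# Global Firewall Manager WAFV2 policy: applied to CloudFront distributions in
# the listed OUs that carry the given tags. Must be created from the Firewall
# Manager administrator account.
resource "aws_fms_policy" "global_waf" {
  provider              = aws.use1
  name                  = var.global_policy_name
  remediation_enabled   = var.global_policy_remediation_enabled
  resource_type         = "AWS::CloudFront::Distribution"
  resource_tags         = var.global_policy_resource_tags
  exclude_resource_tags = false   # tags select resources to protect, not to skip

  include_map {
    orgunit = var.global_policy_orgunit_list
  }

  security_service_policy_data {
    type = "WAFV2"
    managed_service_data = jsonencode({
      type = "WAFV2"
      preProcessRuleGroups = [
        {
          # AWS Managed Bot Control, as in the project's example
          managedRuleGroupIdentifier = {
            vendorName           = "AWS"
            managedRuleGroupName = "AWSManagedRulesBotControlRuleSet"
            version              = null
          }
          overrideAction = { type = "NONE" }
          ruleGroupType  = "ManagedRuleGroup"
          excludeRules   = []
          ruleGroupArn   = null
        },
        {
          ruleGroupArn   = aws_wafv2_rule_group.rate_limit.arn
          overrideAction = { type = "NONE" }
          ruleGroupType  = "RuleGroup"
          excludeRules   = []
        }
      ]
      postProcessRuleGroups             = []
      defaultAction                     = { type = var.global_policy_default_action }
      overrideCustomerWebACLAssociation = var.global_policy_overrideCustomerWebACLAssociation
      loggingConfiguration = {
        logDestinationConfigs = [aws_kinesis_firehose_delivery_stream.waf_logs.arn]
        redactedFields        = []
      }
    })
  }
}
```

Two points worth checking before applying something like this in a real organization: `overrideCustomerWebACLAssociation = true` silently detaches any web ACL a workload team has attached on their own, so confirm that is the intent; and with `exclude_resource_tags = false` the tag map is an include filter, so an empty map makes the policy apply to every CloudFront distribution in scope.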