
I am trying to create a WebACL with CloudFormation in order to protect the application API from abuse; the idea is to throttle API access to a maximum of 100 requests per IP in 5 minutes.

For this purpose I have to use WAFv2 because the first version only seems to support:

  • Static blacklisting
  • Byte match
  • Size constraint
  • XSS
  • SQLi

Documentation of WAFv2: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-wafv2-webacl.html

I wrote this as example:

AWSTemplateFormatVersion: 2010-09-09
Resources:
  WebACL:
    Type: 'AWS::WAFv2::WebACL'
    Properties:
      Name: WebAclLimit100
      Scope: "REGIONAL"
      DefaultAction:
        Type: ALLOW
      VisibilityConfig:
        SampledRequestsEnabled: true
        CloudWatchMetricsEnabled: true
        MetricName: WebAcLimit100

But when I try to upload this on CloudFormation, the creation fails with this message:

Model validation failed (#: extraneous key [Type] is not permitted)

I think that the problem is on these lines:

      DefaultAction:
        Type: ALLOW

But I don't get how I can assign the DefaultAction without getting a failure on CloudFormation. I tried many times (differently, of course) and can't find the right way. There are no examples on the internet for WAFv2, and the syntax for the first version of WAF doesn't seem compatible :(

Newbie

2 Answers


You need to change the 'DefaultAction', as this requires a JSON value. Please follow the Example section here: WAFv2 template

AWSTemplateFormatVersion: 2010-09-09
Resources:
  WebACL:
    Type: 'AWS::WAFv2::WebACL'
    Properties:
      Name: WebAclLimit100
      Scope: "REGIONAL"
      DefaultAction:
        Allow: {}
      VisibilityConfig:
        SampledRequestsEnabled: true
        CloudWatchMetricsEnabled: true
        MetricName: WebAcLimit100
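A complete template that builds on the `Allow: {}` fix above and adds the rate-based rule the question actually asks for (block any source IP that exceeds 100 requests, evaluated over WAFv2's default 5-minute window). This is an added example, not code from either answer; the rule name, metric names and the output name are my own choices for this example.

```yaml
AWSTemplateFormatVersion: 2010-09-09
Description: WAFv2 WebACL that blocks any source IP exceeding 100 requests in 5 minutes (added example)

Resources:
  WebACL:
    Type: AWS::WAFv2::WebACL
    Properties:
      Name: WebAclLimit100
      # REGIONAL for API Gateway / ALB; a CLOUDFRONT-scoped ACL must be created in us-east-1
      Scope: REGIONAL
      DefaultAction:
        Allow: {}              # action = key named after the action with an empty map, not "Type: ALLOW"
      VisibilityConfig:
        SampledRequestsEnabled: true
        CloudWatchMetricsEnabled: true
        MetricName: WebAclLimit100
      Rules:
        - Name: RateLimit100PerIp        # rule name chosen for this example
          Priority: 0                    # lower number = evaluated first
          Action:
            Block: {}                    # same shape as DefaultAction: empty map under the action name
          Statement:
            RateBasedStatement:
              Limit: 100                 # requests per source IP in the default 5-minute window
              AggregateKeyType: IP       # count per source IP address
          VisibilityConfig:
            SampledRequestsEnabled: true
            CloudWatchMetricsEnabled: true
            MetricName: RateLimit100PerIp   # CloudWatch metric to check when verifying that blocks happen

Outputs:
  WebACLArn:
    Description: ARN to pass as WebACLArn to an AWS::WAFv2::WebACLAssociation for the API stage or ALB
    Value: !GetAtt WebACL.Arn
```

The ACL does nothing on its own: deploy it in the same region as the API and associate it with the API Gateway stage or load balancer through an `AWS::WAFv2::WebACLAssociation` (`ResourceArn` plus the `WebACLArn` output). After the stack reaches `CREATE_COMPLETE`, confirm the resource exists with `aws wafv2 list-web-acls --scope REGIONAL` (the v1 `aws waf` commands and the WAF Classic console will not show it), and watch the `RateLimit100PerIp` metric in CloudWatch to verify that the limit actually triggers under load rather than assuming it from the template.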

Hi Newbie, the following worked for me:

  AWSTemplateFormatVersion: 2010-09-09
  Resources:
    WebACL:
      Type: 'AWS::WAFv2::WebACL'
      Properties:
        Name: WebAclLimit100
        Scope: "REGIONAL"
        DefaultAction:
          Allow:
            Type: ALLOW
        VisibilityConfig:
          SampledRequestsEnabled: true
          CloudWatchMetricsEnabled: true
          MetricName: WebAcLimit100
Andrew Allison
  • Yes, I feel close to the solution because now the process finished as `CREATE_COMPLETE`, but if I go to the WAF console to search for this new resource it does not appear. And if I list all the WebACLs with the awscli (`aws waf list-web-acls`) it returns an empty object. Is it normal? – Newbie Dec 13 '19 at 17:16
  • You will need a new-ish AWS CLI and use `aws wafv2 list-web-acls --scope REGIONAL`. Also there are two WAF "consoles" right now. One for the "AWS WAF Classic" (URL starting with `https://console.aws.amazon.com/wafv2/home/`) and one for the WAFv2 (URL starting with `https://console.aws.amazon.com/wafv2/homev2/`). – Marin Purgar Dec 13 '19 at 18:41
  • With version 1.16.302 and your command I can see them now. It's a little weird to me because they do not appear on the web console, but I can work via the CLI. Thank you very much Andrew and Marin for your help. – Newbie Dec 13 '19 at 20:23