AWS CloudFormation
User Guide (API Version 2010-05-15)

AWS::WAFRegional::WebACL

The AWS::WAFRegional::WebACL resource creates an AWS WAF Regional web access control list (ACL) that contains the rules that identify the Amazon CloudFront (CloudFront) web requests to allow, block, or count. For more information, see CreateWebACL in the AWS WAF Regional API Reference.

Syntax

To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON

{
  "Type" : "AWS::WAFRegional::WebACL",
  "Properties" : {
    "DefaultAction" : Action,
    "MetricName" : String,
    "Name" : String,
    "Rules" : [ Rule, ... ]
  }
}

YAML

Type: "AWS::WAFRegional::WebACL"
Properties:
  DefaultAction:
    Action
  MetricName: String
  Name: String
  Rules:
    - Rule

Properties

DefaultAction

The action that you want AWS WAF to take when a request doesn't match the criteria in any of the rules that are associated with the web ACL.

Required: Yes

Type: AWS WAF Regional WebACL Action

Update requires: No interruption

MetricName

A friendly name or description for the Amazon CloudWatch metric of this web ACL. For valid values, see the MetricName parameter for the CreateWebACL action in the AWS WAF Regional API Reference.

Required: Yes

Type: String

Update requires: Replacement

Name

A friendly name or description of the web ACL.

Required: Yes

Type: String

Update requires: Replacement

Rules

The rules to associate with the web ACL and the settings for each rule.

Required: No

Type: List of AWS WAF Regional WebACL Rule

Update requires: No interruption

Return Values

Ref

When the logical ID of this resource is provided to the Ref intrinsic function, Ref returns the name of this resource, such as 1234a1a-a1b1-12a1-abcd-a123b123456.

For more information about using the Ref function, see Ref.

Examples

Create a Web ACL

The following example defines a web ACL that allows any web request by default. However, if a request matches any rule, AWS WAF blocks the request. AWS WAF evaluates each rule in order of priority, starting with the lowest value.

JSON

"MyWebACL": {
  "Type": "AWS::WAFRegional::WebACL",
  "Properties": {
    "Name": "WebACL to with three rules",
    "DefaultAction": { "Type": "ALLOW" },
    "MetricName" : "MyWebACL",
    "Rules": [
      {
        "Action" : { "Type" : "BLOCK" },
        "Priority" : 1,
        "RuleId" : { "Ref" : "MyRule" }
      },
      {
        "Action" : { "Type" : "BLOCK" },
        "Priority" : 2,
        "RuleId" : { "Ref" : "BadReferersRule" }
      },
      {
        "Action" : { "Type" : "BLOCK" },
        "Priority" : 3,
        "RuleId" : { "Ref" : "SqlInjRule" }
      }
    ]
  }
}

YAML

MyWebACL:
  Type: "AWS::WAFRegional::WebACL"
  Properties:
    Name: "WebACL to with three rules"
    DefaultAction:
      Type: "ALLOW"
    MetricName: "MyWebACL"
    Rules:
      - Action:
          Type: "BLOCK"
        Priority: 1
        RuleId:
          Ref: "MyRule"
      - Action:
          Type: "BLOCK"
        Priority: 2
        RuleId:
          Ref: "BadReferersRule"
      - Action:
          Type: "BLOCK"
        Priority: 3
        RuleId:
          Ref: "SqlInjRule"
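The properties table above lists which WebACL properties are required and the example shows rules ordered by Priority. The following script is an added example (not AWS code and not from this guide) that checks a CloudFormation template offline for those points: required properties present, DefaultAction and rule Action types valid, Priority values integer and unique, and a warning when a default-ALLOW web ACL contains no BLOCK rule, so it would never stop anything. It then returns the rule references in the order AWS WAF evaluates them (ascending Priority). The sample template, resource and rule names embedded in it are constructed for the demonstration.

```python
import json

# Required top-level properties and allowed action types, as listed on the page.
REQUIRED_PROPERTIES = ("DefaultAction", "MetricName", "Name")
DEFAULT_ACTION_TYPES = {"ALLOW", "BLOCK"}
RULE_ACTION_TYPES = {"ALLOW", "BLOCK", "COUNT"}


def rule_ref(rule):
    """Return the logical ID referenced by RuleId ({"Ref": ...}) or the literal RuleId."""
    rule_id = rule.get("RuleId")
    if isinstance(rule_id, dict) and "Ref" in rule_id:
        return rule_id["Ref"]
    return rule_id


def validate_web_acl(logical_id, resource):
    """Check one AWS::WAFRegional::WebACL resource.

    Returns (problems, evaluation_order): a list of findings, and the rule
    references sorted the way AWS WAF evaluates them (lowest Priority first).
    Rules with a missing or duplicate Priority are excluded from the order.
    """
    problems = []
    props = resource.get("Properties", {})

    for key in REQUIRED_PROPERTIES:
        if key not in props:
            problems.append(f"{logical_id}: missing required property {key}")

    default_type = props.get("DefaultAction", {}).get("Type")
    if default_type not in DEFAULT_ACTION_TYPES:
        problems.append(f"{logical_id}: DefaultAction.Type must be ALLOW or BLOCK, got {default_type!r}")

    by_priority = {}   # Priority -> rule reference
    blocks = False
    for rule in props.get("Rules", []):
        ref = rule_ref(rule)
        action = rule.get("Action", {}).get("Type")
        if action not in RULE_ACTION_TYPES:
            problems.append(f"{logical_id}: rule {ref} has invalid Action.Type {action!r}")
        blocks = blocks or action == "BLOCK"
        priority = rule.get("Priority")
        if not isinstance(priority, int) or isinstance(priority, bool):
            problems.append(f"{logical_id}: rule {ref} needs an integer Priority")
        elif priority in by_priority:
            problems.append(f"{logical_id}: rule {ref} duplicates Priority {priority} of {by_priority[priority]}")
        else:
            by_priority[priority] = ref

    # A default-ALLOW web ACL whose rules only ALLOW or COUNT never blocks a request.
    if default_type == "ALLOW" and not blocks:
        problems.append(f"{logical_id}: DefaultAction is ALLOW and no rule uses BLOCK; the web ACL is monitor-only")

    evaluation_order = [by_priority[p] for p in sorted(by_priority)]
    return problems, evaluation_order


def validate_template(template):
    """Validate every AWS::WAFRegional::WebACL resource in a parsed template."""
    return {
        logical_id: validate_web_acl(logical_id, resource)
        for logical_id, resource in template.get("Resources", {}).items()
        if resource.get("Type") == "AWS::WAFRegional::WebACL"
    }


# Constructed sample template (not from the page): one valid web ACL whose rules are
# listed out of priority order, and one with several defects.
SAMPLE_TEMPLATE = json.loads("""
{
  "Resources": {
    "GoodACL": {
      "Type": "AWS::WAFRegional::WebACL",
      "Properties": {
        "Name": "good", "MetricName": "GoodACL",
        "DefaultAction": {"Type": "ALLOW"},
        "Rules": [
          {"Action": {"Type": "COUNT"}, "Priority": 3, "RuleId": {"Ref": "SqlInjRule"}},
          {"Action": {"Type": "BLOCK"}, "Priority": 1, "RuleId": {"Ref": "BadReferersRule"}},
          {"Action": {"Type": "BLOCK"}, "Priority": 2, "RuleId": {"Ref": "MyRule"}}
        ]
      }
    },
    "BadACL": {
      "Type": "AWS::WAFRegional::WebACL",
      "Properties": {
        "Name": "bad",
        "DefaultAction": {"Type": "COUNT"},
        "Rules": [
          {"Action": {"Type": "COUNT"}, "Priority": 1, "RuleId": {"Ref": "RuleA"}},
          {"Action": {"Type": "COUNT"}, "Priority": 1, "RuleId": {"Ref": "RuleB"}}
        ]
      }
    }
  }
}
""")

if __name__ == "__main__":
    for logical_id, (problems, order) in validate_template(SAMPLE_TEMPLATE).items():
        print(logical_id, "evaluates:", " -> ".join(order))
        for problem in problems:
            print("  !", problem)
```

Run it against a real template by replacing SAMPLE_TEMPLATE with `json.load(open("template.json"))`; for YAML templates parse with a YAML loader first, since the checks only need the resulting dict. The monitor-only finding is deliberate: a web ACL whose DefaultAction is ALLOW and whose rules are all COUNT is useful while tuning, but it should not be mistaken for enforcement.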

Associate a Web ACL with a CloudFront Distribution

The following example associates the MyWebACL web ACL with a CloudFront distribution. The web ACL restricts which requests can access content served by CloudFront.

JSON

"myDistribution": {
  "Type": "AWS::CloudFront::Distribution",
  "Properties": {
    "DistributionConfig": {
      "WebACLId": { "Ref" : "MyWebACL" },
      "Origins": [
        {
          "DomainName": "test.example.com",
          "Id": "myCustomOrigin",
          "CustomOriginConfig": {
            "HTTPPort": "80",
            "HTTPSPort": "443",
            "OriginProtocolPolicy": "http-only"
          }
        }
      ],
      "Enabled": "true",
      "Comment": "TestDistribution",
      "DefaultRootObject": "index.html",
      "DefaultCacheBehavior": {
        "TargetOriginId": "myCustomOrigin",
        "SmoothStreaming" : "false",
        "ForwardedValues": {
          "QueryString": "false",
          "Cookies" : { "Forward" : "all" }
        },
        "ViewerProtocolPolicy": "allow-all"
      },
      "CustomErrorResponses" : [
        {
          "ErrorCode" : "404",
          "ResponsePagePath" : "/error-pages/404.html",
          "ResponseCode" : "200",
          "ErrorCachingMinTTL" : "30"
        }
      ],
      "PriceClass" : "PriceClass_200",
      "Restrictions" : {
        "GeoRestriction" : {
          "RestrictionType" : "whitelist",
          "Locations" : [ "AQ", "CV" ]
        }
      },
      "ViewerCertificate" : { "CloudFrontDefaultCertificate" : "true" }
    }
  }
}

YAML

myDistribution:
  Type: "AWS::CloudFront::Distribution"
  Properties:
    DistributionConfig:
      WebACLId:
        Ref: "MyWebACL"
      Origins:
        - DomainName: "test.example.com"
          Id: "myCustomOrigin"
          CustomOriginConfig:
            HTTPPort: "80"
            HTTPSPort: "443"
            OriginProtocolPolicy: "http-only"
      Enabled: "true"
      Comment: "TestDistribution"
      DefaultRootObject: "index.html"
      DefaultCacheBehavior:
        TargetOriginId: "myCustomOrigin"
        SmoothStreaming: "false"
        ForwardedValues:
          QueryString: "false"
          Cookies:
            Forward: "all"
        ViewerProtocolPolicy: "allow-all"
      CustomErrorResponses:
        - ErrorCode: "404"
          ResponsePagePath: "/error-pages/404.html"
          ResponseCode: "200"
          ErrorCachingMinTTL: "30"
      PriceClass: "PriceClass_200"
      Restrictions:
        GeoRestriction:
          RestrictionType: "whitelist"
          Locations:
            - "AQ"
            - "CV"
      ViewerCertificate:
        CloudFrontDefaultCertificate: "true"
