AWS::WAF::WebACL - AWS CloudFormation
The AWS services or features described in the AWS documentation may vary by region. To see the differences that apply to the China regions, see Getting Started with AWS in China.

AWS::WAF::WebACL

Contains the Rules that identify the requests that you want to allow, block, or count. In a WebACL, you also specify a default action (ALLOW or BLOCK) and the action for each Rule that you add to the WebACL, for example, block requests from specified IP addresses or block requests from specified referrers. You also associate the WebACL with a CloudFront distribution to identify the requests that you want AWS WAF to filter. If you add more than one Rule to a WebACL, a request needs to match only one of the specifications to be allowed, blocked, or counted: rules are evaluated in order of Priority, the first rule that allows or blocks decides, and DefaultAction applies only when no rule decides. This resource is the AWS WAF Classic web ACL, which is global and is associated with CloudFront distributions; regional resources such as Application Load Balancers use AWS::WAFRegional::WebACL, and the current AWS WAF service uses the separate AWS::WAFv2::WebACL resource.

Syntax

To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON

{
  "Type" : "AWS::WAF::WebACL",
  "Properties" : {
      "DefaultAction" : WafAction,
      "MetricName" : String,
      "Name" : String,
      "Rules" : [ ActivatedRule, ... ]
    }
}

YAML

Type: AWS::WAF::WebACL
Properties:
  DefaultAction:
    WafAction
  MetricName: String
  Name: String
  Rules:
    - ActivatedRule

Properties

DefaultAction

The action to take if none of the Rules contained in the WebACL match. The action is specified by a WafAction object (Type ALLOW or BLOCK). A default of ALLOW with BLOCK rules is a deny-list; a default of BLOCK with ALLOW rules is an allow-list, and in that configuration anything a rule does not explicitly allow is dropped.

Required: Yes

Type: WafAction

Update requires: No interruption

MetricName

A friendly name or description for the metrics for this WebACL. The name can contain only alphanumeric characters (A-Z, a-z, 0-9), with a maximum length of 128 and a minimum length of 1. It can't contain whitespace or metric names reserved for AWS WAF, including "All" and "Default_Action". You can't change MetricName after you create the WebACL.

Required: Yes

Type: String

Minimum: 1

Maximum: 128

Pattern: .*\S.*

Update requires: Replacement

Name

A friendly name or description of the WebACL. You can't change the name of a WebACL after you create it.

Required: Yes

Type: String

Minimum: 1

Maximum: 128

Pattern: .*\S.*

Update requires: Replacement

Rules

An array that contains the action for each Rule in a WebACL, the priority of the Rule, and the ID of the Rule. Rules with a lower Priority value are evaluated first, and Priority values must be unique within the WebACL.

Required: No

Type: List of ActivatedRule

Update requires: No interruption

Return values

Ref

When the logical ID of this resource is passed to the intrinsic Ref function, Ref returns the ID of the web ACL (its physical resource ID), such as 1234a1a-a1b1-12a1-abcd-a123b123456. This is the value that a CloudFront distribution's WebACLId property expects.

For more information about using the Ref function, see Ref.

Examples

Create a web ACL

The following example defines a web ACL that allows any web request by default. However, if a request matches any of the rules, AWS WAF blocks the request. AWS WAF evaluates each rule in order of priority, starting with the lowest value, and stops at the first rule that blocks or allows.

JSON

"MyWebACL": {
  "Type": "AWS::WAF::WebACL",
  "Properties": {
    "Name": "WebACL with three rules",
    "DefaultAction": {
      "Type": "ALLOW"
    },
    "MetricName" : "MyWebACL",
    "Rules": [
      {
        "Action" : {
          "Type" : "BLOCK"
        },
        "Priority" : 1,
        "RuleId" : { "Ref" : "MyRule" }
      },
      {
        "Action" : {
          "Type" : "BLOCK"
        },
        "Priority" : 2,
        "RuleId" : { "Ref" : "BadReferersRule" }
      },
      {
        "Action" : {
          "Type" : "BLOCK"
        },
        "Priority" : 3,
        "RuleId" : { "Ref" : "SqlInjRule" }
      }
    ]
  }
}

YAML

MyWebACL:
  Type: "AWS::WAF::WebACL"
  Properties:
    Name: "WebACL with three rules"
    DefaultAction:
      Type: "ALLOW"
    MetricName: "MyWebACL"
    Rules:
      - Action:
          Type: "BLOCK"
        Priority: 1
        RuleId:
          Ref: "MyRule"
      - Action:
          Type: "BLOCK"
        Priority: 2
        RuleId:
          Ref: "BadReferersRule"
      - Action:
          Type: "BLOCK"
        Priority: 3
        RuleId:
          Ref: "SqlInjRule"
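The evaluation order described above (lowest Priority first, the first ALLOW or BLOCK match decides, DefaultAction otherwise), as an added Python example that is not part of the AWS documentation. It models the three rules of the template with constructed stand-in conditions: the blocked IP addresses, referrer strings and SQL-injection markers are assumptions for this example, not AWS WAF's own IPSet, ByteMatchSet or SqlInjectionMatchSet logic. It also shows what changes when a rule is switched to COUNT: the match is recorded and evaluation continues to the next rule.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

# A request is modelled as a flat dict of the attributes that WAF Classic
# conditions inspect (constructed for this example).
Request = Dict[str, str]
Predicate = Callable[[Request], bool]


@dataclass(frozen=True)
class ActivatedRule:
    """Mirrors one entry of the Rules property."""
    rule_id: str
    priority: int
    action: str  # "ALLOW", "BLOCK" or "COUNT"


@dataclass
class WebACL:
    default_action: str                 # "ALLOW" or "BLOCK"
    rules: List[ActivatedRule]
    conditions: Dict[str, Predicate]    # assumption: one predicate per RuleId
    counts: Dict[str, int] = field(default_factory=dict)

    def evaluate(self, request: Request) -> Tuple[str, Optional[str]]:
        """Return (action, deciding rule_id) for a request.

        Rules are tried in ascending Priority. The first matching ALLOW or
        BLOCK rule decides; a matching COUNT rule is recorded and evaluation
        continues. If no rule decides, DefaultAction applies.
        """
        for rule in sorted(self.rules, key=lambda r: r.priority):
            if not self.conditions[rule.rule_id](request):
                continue
            if rule.action == "COUNT":
                self.counts[rule.rule_id] = self.counts.get(rule.rule_id, 0) + 1
                continue
            return rule.action, rule.rule_id
        return self.default_action, None


# Stand-in conditions for the three rules of the template (constructed).
BLOCKED_IPS = {"192.0.2.44", "198.51.100.7"}
BAD_REFERERS = ("badrefer1.example", "badrefer2.example")
SQLI_MARKERS = ("' or ", "union select", "--")


def ip_blocked(req: Request) -> bool:
    return req.get("source_ip", "") in BLOCKED_IPS


def bad_referer(req: Request) -> bool:
    ref = req.get("referer", "").lower()
    return any(bad in ref for bad in BAD_REFERERS)


def sqli_in_query(req: Request) -> bool:
    q = req.get("query", "").lower()
    return any(marker in q for marker in SQLI_MARKERS)


def build_acl(sqli_action: str = "BLOCK") -> WebACL:
    """Build the ACL from the template: default ALLOW, three rules in priority order."""
    return WebACL(
        default_action="ALLOW",
        rules=[
            ActivatedRule("MyRule", 1, "BLOCK"),
            ActivatedRule("BadReferersRule", 2, "BLOCK"),
            ActivatedRule("SqlInjRule", 3, sqli_action),
        ],
        conditions={
            "MyRule": ip_blocked,
            "BadReferersRule": bad_referer,
            "SqlInjRule": sqli_in_query,
        },
    )


if __name__ == "__main__":
    acl = build_acl()
    samples = [
        {"source_ip": "203.0.113.9", "referer": "", "query": "id=7"},
        {"source_ip": "192.0.2.44", "referer": "", "query": "id=7"},
        {"source_ip": "203.0.113.9", "referer": "http://badrefer1.example/",
         "query": "id=7' or 1=1"},
    ]
    for req in samples:
        print(req, "->", acl.evaluate(req))
```

The third sample request matches both BadReferersRule and SqlInjRule; it is reported as blocked by BadReferersRule because Priority 2 is evaluated before Priority 3. Changing the order of Priority values therefore changes which rule's metric records the block, which matters when you rely on per-rule CloudWatch metrics to tune a rule set.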

Associate a web ACL with a CloudFront distribution

The following example associates the MyWebACL web ACL with a CloudFront distribution. The web ACL restricts which requests can access content served by CloudFront. Note that this sample distribution uses "ViewerProtocolPolicy": "allow-all" and "OriginProtocolPolicy": "http-only", so viewer and origin traffic may travel over plain HTTP; the web ACL filters requests but adds no transport security, so set those policies deliberately for production use.

JSON

"myDistribution": {
  "Type": "AWS::CloudFront::Distribution",
  "Properties": {
    "DistributionConfig": {
      "WebACLId": { "Ref" : "MyWebACL" },
      "Origins": [ {
        "DomainName": "test.example.com",
        "Id": "myCustomOrigin",
        "CustomOriginConfig": {
          "HTTPPort": "80",
          "HTTPSPort": "443",
          "OriginProtocolPolicy": "http-only"
        }
      } ],
      "Enabled": "true",
      "Comment": "TestDistribution",
      "DefaultRootObject": "index.html",
      "DefaultCacheBehavior": {
        "TargetOriginId": "myCustomOrigin",
        "SmoothStreaming" : "false",
        "ForwardedValues": {
          "QueryString": "false",
          "Cookies" : { "Forward" : "all" }
        },
        "ViewerProtocolPolicy": "allow-all"
      },
      "CustomErrorResponses" : [ {
        "ErrorCode" : "404",
        "ResponsePagePath" : "/error-pages/404.html",
        "ResponseCode" : "200",
        "ErrorCachingMinTTL" : "30"
      } ],
      "PriceClass" : "PriceClass_200",
      "Restrictions" : {
        "GeoRestriction" : {
          "RestrictionType" : "whitelist",
          "Locations" : [ "AQ", "CV" ]
        }
      },
      "ViewerCertificate" : { "CloudFrontDefaultCertificate" : "true" }
    }
  }
}

YAML

myDistribution:
  Type: "AWS::CloudFront::Distribution"
  Properties:
    DistributionConfig:
      WebACLId:
        Ref: "MyWebACL"
      Origins:
        - DomainName: "test.example.com"
          Id: "myCustomOrigin"
          CustomOriginConfig:
            HTTPPort: "80"
            HTTPSPort: "443"
            OriginProtocolPolicy: "http-only"
      Enabled: "true"
      Comment: "TestDistribution"
      DefaultRootObject: "index.html"
      DefaultCacheBehavior:
        TargetOriginId: "myCustomOrigin"
        SmoothStreaming: "false"
        ForwardedValues:
          QueryString: "false"
          Cookies:
            Forward: "all"
        ViewerProtocolPolicy: "allow-all"
      CustomErrorResponses:
        - ErrorCode: "404"
          ResponsePagePath: "/error-pages/404.html"
          ResponseCode: "200"
          ErrorCachingMinTTL: "30"
      PriceClass: "PriceClass_200"
      Restrictions:
        GeoRestriction:
          RestrictionType: "whitelist"
          Locations:
            - "AQ"
            - "CV"
      ViewerCertificate:
        CloudFrontDefaultCertificate: "true"
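A pre-deployment check that covers both the property constraints from the Properties section and the CloudFront association shown here, as an added Python example that is not AWS code. It lints every AWS::WAF::WebACL in a template for the documented MetricName, Name, DefaultAction and Priority rules, and flags any AWS::CloudFront::Distribution that has no WebACLId or whose WebACLId does not resolve to a WebACL in the same template, which is the common way a distribution silently ends up unprotected. The template, the BrokenWebACL and UnprotectedDistribution resources, and the assumption that the referenced RuleIds exist elsewhere in the template are all constructed for the example.

```python
import re
from typing import Any, Dict, List

# Constraints for MetricName and Name as documented in the Properties section.
METRIC_NAME_RE = re.compile(r"^[A-Za-z0-9]{1,128}$")
RESERVED_METRIC_NAMES = {"All", "Default_Action"}
NAME_RE = re.compile(r"^.*\S.*$")          # the page's pattern: at least one non-blank
DEFAULT_ACTIONS = {"ALLOW", "BLOCK"}
RULE_ACTIONS = {"ALLOW", "BLOCK", "COUNT"}

Template = Dict[str, Any]


def resources_of_type(template: Template, rtype: str) -> Dict[str, Dict[str, Any]]:
    """Logical ID -> resource for every resource of the given Type."""
    return {lid: res for lid, res in template.get("Resources", {}).items()
            if res.get("Type") == rtype}


def lint_web_acl(logical_id: str, props: Dict[str, Any]) -> List[str]:
    """Check one AWS::WAF::WebACL's properties against the documented limits."""
    findings: List[str] = []
    metric = str(props.get("MetricName", ""))
    if not METRIC_NAME_RE.match(metric) or metric in RESERVED_METRIC_NAMES:
        findings.append(f"{logical_id}: MetricName {metric!r} must be 1-128 alphanumeric "
                        "characters and not a reserved name")
    name = str(props.get("Name", ""))
    if not (1 <= len(name) <= 128 and NAME_RE.match(name)):
        findings.append(f"{logical_id}: Name must be 1-128 characters and not blank")
    if props.get("DefaultAction", {}).get("Type") not in DEFAULT_ACTIONS:
        findings.append(f"{logical_id}: DefaultAction.Type must be ALLOW or BLOCK")
    seen_priorities = set()
    for rule in props.get("Rules", []):
        prio = rule.get("Priority")
        if prio in seen_priorities:
            findings.append(f"{logical_id}: duplicate Priority {prio}; values must be unique")
        seen_priorities.add(prio)
        if rule.get("Action", {}).get("Type") not in RULE_ACTIONS:
            findings.append(f"{logical_id}: rule {rule.get('RuleId')} has an invalid Action.Type")
    return findings


def lint_cloudfront(template: Template) -> List[str]:
    """Every CloudFront distribution should reference a WebACL defined in the template."""
    acl_ids = set(resources_of_type(template, "AWS::WAF::WebACL"))
    findings: List[str] = []
    for lid, dist in resources_of_type(template, "AWS::CloudFront::Distribution").items():
        cfg = dist.get("Properties", {}).get("DistributionConfig", {})
        web_acl = cfg.get("WebACLId")
        if web_acl is None:
            findings.append(f"{lid}: no WebACLId, so AWS WAF does not filter this distribution")
        elif isinstance(web_acl, dict) and web_acl.get("Ref") not in acl_ids:
            findings.append(f"{lid}: WebACLId refers to {web_acl.get('Ref')!r}, "
                            "which is not an AWS::WAF::WebACL in this template")
    return findings


def lint_template(template: Template) -> List[str]:
    findings: List[str] = []
    for lid, res in resources_of_type(template, "AWS::WAF::WebACL").items():
        findings += lint_web_acl(lid, res.get("Properties", {}))
    findings += lint_cloudfront(template)
    return findings


# Constructed template: the page's WebACL, a deliberately broken one, a protected
# distribution and one that forgets WebACLId. The RuleId Refs are assumed to point
# at AWS::WAF::Rule resources defined elsewhere in the template.
SAMPLE_TEMPLATE: Template = {
    "Resources": {
        "MyWebACL": {
            "Type": "AWS::WAF::WebACL",
            "Properties": {
                "Name": "WebACL with three rules",
                "DefaultAction": {"Type": "ALLOW"},
                "MetricName": "MyWebACL",
                "Rules": [
                    {"Action": {"Type": "BLOCK"}, "Priority": 1, "RuleId": {"Ref": "MyRule"}},
                    {"Action": {"Type": "BLOCK"}, "Priority": 2, "RuleId": {"Ref": "BadReferersRule"}},
                    {"Action": {"Type": "BLOCK"}, "Priority": 3, "RuleId": {"Ref": "SqlInjRule"}},
                ],
            },
        },
        "BrokenWebACL": {
            "Type": "AWS::WAF::WebACL",
            "Properties": {
                "Name": "broken",
                "DefaultAction": {"Type": "COUNT"},     # COUNT is not a valid default
                "MetricName": "Default_Action",         # reserved, and not alphanumeric
                "Rules": [
                    {"Action": {"Type": "BLOCK"}, "Priority": 1, "RuleId": {"Ref": "MyRule"}},
                    {"Action": {"Type": "BLOCK"}, "Priority": 1, "RuleId": {"Ref": "SqlInjRule"}},
                ],
            },
        },
        "ProtectedDistribution": {
            "Type": "AWS::CloudFront::Distribution",
            "Properties": {"DistributionConfig": {"WebACLId": {"Ref": "MyWebACL"}, "Enabled": "true"}},
        },
        "UnprotectedDistribution": {
            "Type": "AWS::CloudFront::Distribution",
            "Properties": {"DistributionConfig": {"Enabled": "true"}},
        },
    }
}

if __name__ == "__main__":
    for finding in lint_template(SAMPLE_TEMPLATE):
        print(finding)
```

Run it against a template loaded with json.load (or a YAML loader) instead of SAMPLE_TEMPLATE to catch these mistakes before CloudFormation rejects the stack, or, in the case of a missing WebACLId, before it deploys an unfiltered distribution without complaint.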