AWS::NetworkFirewall::FirewallPolicy - Amazon CloudFormation


Use the AWS::NetworkFirewall::FirewallPolicy to define the stateless and stateful network traffic filtering behavior for your AWS::NetworkFirewall::Firewall. You can use one firewall policy for multiple firewalls.


Syntax

To declare this entity in your Amazon CloudFormation template, use the following syntax:


JSON

{
  "Type" : "AWS::NetworkFirewall::FirewallPolicy",
  "Properties" : {
      "Description" : String,
      "FirewallPolicy" : FirewallPolicy,
      "FirewallPolicyName" : String,
      "Tags" : [ Tag, ... ]
    }
}


YAML

Type: AWS::NetworkFirewall::FirewallPolicy
Properties:
  Description: String
  FirewallPolicy: FirewallPolicy
  FirewallPolicyName: String
  Tags:
    - Tag



Properties

Description

A description of the firewall policy.

Required: No

Type: String

Pattern: ^.*$

Minimum: 1

Maximum: 512

Update requires: No interruption


FirewallPolicy

The traffic filtering behavior of a firewall policy, defined in a collection of stateless and stateful rule groups and other settings.

Required: Yes

Type: FirewallPolicy

Update requires: No interruption


FirewallPolicyName

The descriptive name of the firewall policy. You can't change the name of a firewall policy after you create it.

Required: Yes

Type: String

Pattern: ^[a-zA-Z0-9-]+$

Minimum: 1

Maximum: 128

Update requires: Replacement


Tags

An array of key-value pairs to apply to this resource.

For more information, see Tag.

Required: No

Type: Array of Tag

Minimum: 1

Maximum: 200

Update requires: No interruption

Return values


Ref

When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns the Amazon Resource Name (ARN) of the firewall policy. For example:

{ "Ref": "arn:aws:network-firewall:us-east-1:012345678901:firewall-policy/myFirewallPolicyName" }

For more information about using the Ref function, see Ref.


Fn::GetAtt

The Fn::GetAtt intrinsic function returns a value for a specified attribute of this type. The following are the available attributes and sample return values.

For more information about using the Fn::GetAtt intrinsic function, see Fn::GetAtt.


FirewallPolicyArn

The Amazon Resource Name (ARN) of the AWS::NetworkFirewall::FirewallPolicy.


FirewallPolicyId

The unique ID of the AWS::NetworkFirewall::FirewallPolicy resource.


Examples

Create a firewall policy

The following shows example firewall policy specifications.


JSON

"SampleFirewallPolicy": {
  "Type": "AWS::NetworkFirewall::FirewallPolicy",
  "Properties": {
    "FirewallPolicyName": "SampleFirewallPolicyName",
    "FirewallPolicy": {
      "StatelessDefaultActions": [
        "aws:pass"
      ],
      "StatelessFragmentDefaultActions": [
        "aws:drop"
      ],
      "StatefulRuleGroupReferences": [
        {
          "ResourceArn": {
            "Ref": "SampleStatefulRuleGroup"
          }
        }
      ],
      "StatelessRuleGroupReferences": [
        {
          "ResourceArn": {
            "Ref": "SampleStatelessRuleGroup"
          },
          "Priority": 100
        }
      ]
    },
    "Description": "FirewallPolicy description goes here",
    "Tags": [
      {
        "Key": "Foo",
        "Value": "Bar"
      }
    ]
  }
}


YAML

SampleFirewallPolicy:
  Type: 'AWS::NetworkFirewall::FirewallPolicy'
  Properties:
    FirewallPolicyName: SampleFirewallPolicyName
    FirewallPolicy:
      StatelessDefaultActions:
        - 'aws:pass'
      StatelessFragmentDefaultActions:
        - 'aws:drop'
      # Both rule groups are declared elsewhere in the same template.
      StatefulRuleGroupReferences:
        - ResourceArn: !Ref SampleStatefulRuleGroup
      StatelessRuleGroupReferences:
        - ResourceArn: !Ref SampleStatelessRuleGroup
          Priority: 100
    Description: FirewallPolicy description goes here
    Tags:
      - Key: Foo
        Value: Bar
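As an added example (not part of the AWS documentation), the following Python linter checks every AWS::NetworkFirewall::FirewallPolicy resource in a parsed CloudFormation template against the property constraints listed above, and flags a stateless default action of aws:pass, which lets packets that match no stateless rule leave the firewall without reaching the stateful rule groups. The embedded sample template and the finding messages are constructed for this example.

```python
import json
import re

# Property constraints as listed in the resource reference above.
NAME_RE = re.compile(r"^[a-zA-Z0-9-]+$")
NAME_MAX, DESC_MAX = 128, 512
POLICY_TYPE = "AWS::NetworkFirewall::FirewallPolicy"

# Constructed sample template (not the page's own) mirroring the example policy;
# the referenced rule-group resource is assumed to be declared elsewhere.
SAMPLE_TEMPLATE = json.loads("""
{"Resources": {"SampleFirewallPolicy": {"Type": "AWS::NetworkFirewall::FirewallPolicy",
  "Properties": {"FirewallPolicyName": "SampleFirewallPolicyName",
    "FirewallPolicy": {"StatelessDefaultActions": ["aws:pass"],
      "StatelessFragmentDefaultActions": ["aws:drop"],
      "StatefulRuleGroupReferences": [{"ResourceArn": {"Ref": "SampleStatefulRuleGroup"}}]},
    "Description": "FirewallPolicy description goes here"}}}}
""")

def lint_firewall_policy(logical_id, resource):
    """Return a list of findings for one firewall policy resource."""
    props = resource.get("Properties", {})
    findings = []
    name = props.get("FirewallPolicyName")
    if not (isinstance(name, str) and NAME_RE.match(name) and len(name) <= NAME_MAX):
        findings.append(f"{logical_id}: FirewallPolicyName missing or invalid")
    desc = props.get("Description")
    if desc is not None and not 1 <= len(desc) <= DESC_MAX:
        findings.append(f"{logical_id}: Description must be 1..{DESC_MAX} characters")
    policy = props.get("FirewallPolicy")
    if not isinstance(policy, dict):
        findings.append(f"{logical_id}: FirewallPolicy is required")
        return findings
    # aws:pass as a stateless default discontinues inspection: packets that match
    # no stateless rule are forwarded without ever reaching the stateful engine.
    for key in ("StatelessDefaultActions", "StatelessFragmentDefaultActions"):
        if "aws:pass" in policy.get(key, []):
            findings.append(f"{logical_id}: {key} passes unmatched packets uninspected")
    if not policy.get("StatefulRuleGroupReferences") and not policy.get("StatelessRuleGroupReferences"):
        findings.append(f"{logical_id}: policy references no rule groups")
    return findings

def lint_template(template):
    """Lint every firewall policy resource in a parsed CloudFormation template."""
    return [finding for logical_id, res in template.get("Resources", {}).items()
            if res.get("Type") == POLICY_TYPE
            for finding in lint_firewall_policy(logical_id, res)]
```

Run `lint_template(json.load(open("template.json")))` against a real template to get the same findings for your own policies.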