fms-webacl-resource-policy-check
Checks if the web ACL is associated with an Application Load Balancer, API Gateway stage, or Amazon CloudFront distributions. When Amazon Firewall Manager creates this rule, the FMS policy owner specifies the WebACLId
in the FMS policy and can optionally enable remediation.
Identifier: FMS_WEBACL_RESOURCE_POLICY_CHECK
Resource Types: AWS::CloudFront::Distribution, AWS::ApiGateway::Stage, AWS::ElasticLoadBalancingV2::LoadBalancer, AWS::WAFRegional::WebACL
Trigger type: Configuration changes
Amazon Web Services Region: All supported Amazon regions except US ISO West (Northern California), US ISO East, Asia Pacific (Malaysia), US ISOB East (Ohio), Canada West (Calgary) Region
Parameters:
- webACLId
- Type: String
-
The WebACLId of the web ACL.
- resourceTags (Optional)
- Type: String
-
The resource tags (ApplicationLoadBalancer, ApiGatewayStage and CloudFront distributions) that the rule should be associated with. (for example, { "tagKey1" : ["tagValue1"], "tagKey2" : ["tagValue2", "tagValue3"] })
- excludeResourceTags (Optional)
- Type: boolean
-
If true, exclude resources that match resourceTags.
- fmsManagedToken (Optional)
- Type: String
-
A token generated by Amazon Firewall Manager when creating the rule in customer account. Amazon Config ignores this parameter when customer creates this rule.
- fmsRemediationEnabled (Optional)
- Type: boolean
-
If true, Amazon Firewall Manager will update non-compliant resources according to FMS policy. Amazon Config ignores this parameter when customer creates this rule.
Amazon CloudFormation template
To create Amazon Config managed rules with Amazon CloudFormation templates, see Creating Amazon Config Managed Rules With Amazon CloudFormation Templates.