fms-webacl-resource-policy-check - Amazon Config
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).


Checks if the web ACL is associated with an Application Load Balancer, API Gateway stage, or Amazon CloudFront distributions. When Amazon Firewall Manager creates this rule, the FMS policy owner specifies the WebACLId in the FMS policy and can optionally enable remediation.


Resource Types: AWS::CloudFront::Distribution, AWS::ApiGateway::Stage, AWS::ElasticLoadBalancingV2::LoadBalancer, AWS::WAFRegional::WebACL

Trigger type: Configuration changes

Amazon Web Services Region: All supported Amazon regions except Canada West (Calgary) Region


Type: String

The WebACLId of the web ACL.

resourceTags (Optional)
Type: String

The resource tags (ApplicationLoadBalancer, ApiGatewayStage and CloudFront distributions) that the rule should be associated with. (for example, { "tagKey1" : ["tagValue1"], "tagKey2" : ["tagValue2", "tagValue3"] })

excludeResourceTags (Optional)
Type: boolean

If true, exclude resources that match resourceTags.

fmsManagedToken (Optional)
Type: String

A token generated by Amazon Firewall Manager when creating the rule in customer account. Amazon Config ignores this parameter when customer creates this rule.

fmsRemediationEnabled (Optional)
Type: boolean

If true, Amazon Firewall Manager will update non-compliant resources according to FMS policy. Amazon Config ignores this parameter when customer creates this rule.

Amazon CloudFormation template

To create Amazon Config managed rules with Amazon CloudFormation templates, see Creating Amazon Config Managed Rules With Amazon CloudFormation Templates.