Migrating a protection pack or web ACL: automated migration
To automatically migrate a protection pack or web ACL configuration from Amazon WAF Classic to Amazon WAF
- Sign in to the Amazon Web Services Management Console and open the Amazon WAF console at https://console.amazonaws.cn/wafv2/homev2.
- Choose Switch to Amazon WAF Classic and review your configuration settings for the protection pack or web ACL. Make note of the settings, considering the caveats and limitations described in the preceding section, Migration caveats and limitations.
- In the informational dialogue at the top, locate the sentence that starts with Migrate protection pack or web ACLs and choose the link to the migration wizard. This launches the migration wizard.
  If you don't see the informational dialogue, you might have closed it since you launched the Amazon WAF Classic console. In the navigation bar, choose Switch to new Amazon WAF then choose Switch to Amazon WAF Classic, and the informational dialogue should reappear.
- Select the protection pack or web ACL that you want to migrate.
- For Migration configuration, provide an Amazon S3 bucket to use for the template. You need an Amazon S3 bucket that's configured properly for the migration API, to store the Amazon CloudFormation template that it generates.
  - If the bucket is encrypted, the encryption must use Amazon S3 (SSE-S3) keys. The migration doesn't support encryption with Amazon Key Management Service (SSE-KMS) keys.
  - The bucket name must start with aws-waf-migration-. For example, aws-waf-migration-my-web-acl.
  - The bucket must be in the Region where you are deploying the template. For example, for a protection pack or web ACL in us-west-2, you must use an Amazon S3 bucket in us-west-2 and you must deploy the template stack to us-west-2.
- For S3 bucket policy, we recommend choosing Auto apply the bucket policy required for migration. Alternatively, if you want to manage the bucket on your own, you must manually apply the following bucket policy:
  - For global Amazon CloudFront applications (waf):

        {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Principal": {
                "Service": "apiv2migration.waf.amazonaws.com"
              },
              "Action": "s3:PutObject",
              "Resource": "arn:aws:s3:::<BUCKET_NAME>/AWSWAF/<CUSTOMER_ACCOUNT_ID>/*"
            }
          ]
        }

  - For regional Amazon API Gateway or Application Load Balancer applications (waf-regional):

        {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Principal": {
                "Service": "apiv2migration.waf-regional.amazonaws.com"
              },
              "Action": "s3:PutObject",
              "Resource": "arn:aws:s3:::<BUCKET_NAME>/AWSWAF/<CUSTOMER_ACCOUNT_ID>/*"
            }
          ]
        }

- For Choose how to handle rules that cannot be migrated, choose either to exclude rules that can't be migrated, or to stop the migration. For information about rules that can't be migrated, see Migration caveats and limitations.
- Choose Next.
- For Create Amazon CloudFormation template, verify your settings, then choose Start creating Amazon CloudFormation template to begin the migration process. This can take a few minutes, depending on the complexity of your protection pack or web ACL.
- In Create and run Amazon CloudFormation stack to complete migration, you can choose to go to the Amazon CloudFormation console to create a stack from the template, to create the new protection pack or web ACL and its resources. To do this, choose Create Amazon CloudFormation stack.
After the automatic migration process completes, you're ready to proceed to the manual follow-up steps. See Migrating a protection pack or web ACL: manual follow-up.
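
A pre-flight check for the bucket requirements and the manual bucket policy listed in the procedure above, as an added example (not AWS's code). It assumes you manage the bucket policy yourself and have already fetched the bucket's Region, its default-encryption configuration (in the shape the S3 GetBucketEncryption API returns) and its policy; `preflight`, `required_policy` and the sample values are hypothetical names and constructed data.

```python
# Service principals exactly as they appear in the two bucket policies above.
PRINCIPALS = {
    "waf": "apiv2migration.waf.amazonaws.com",
    "waf-regional": "apiv2migration.waf-regional.amazonaws.com",
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def required_policy(name, scope, account_id):
    """Build the bucket policy shown above for scope 'waf' or 'waf-regional'."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": PRINCIPALS[scope]},
        "Action": "s3:PutObject",
        "Resource": f"arn:aws:s3:::{name}/AWSWAF/{account_id}/*",
    }]}

def _grants(stmt, want):
    """True if stmt is the exact grant in want (wildcard grants do not count)."""
    principal = stmt.get("Principal")
    services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
    return (stmt.get("Effect") == "Allow"
            and want["Principal"]["Service"] in services
            and want["Action"] in _as_list(stmt.get("Action", []))
            and want["Resource"] in _as_list(stmt.get("Resource", [])))

def preflight(name, bucket_region, deploy_region, encryption, policy, scope, account_id):
    """Return a list of problems (empty = OK). encryption/policy: parsed dicts or None."""
    problems = []
    if not name.startswith("aws-waf-migration-"):
        problems.append("name must start with aws-waf-migration-")
    if bucket_region != deploy_region:
        problems.append(f"bucket is in {bucket_region} but the stack deploys to {deploy_region}")
    rules = (encryption or {}).get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    for rule in rules:
        algo = rule.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm")
        if algo != "AES256":  # AES256 is SSE-S3; aws:kms is SSE-KMS
            problems.append(f"default encryption {algo} is not SSE-S3")
    want = required_policy(name, scope, account_id)["Statement"][0]
    if not any(_grants(s, want) for s in _as_list((policy or {}).get("Statement", []))):
        problems.append(f"policy lacks s3:PutObject for {PRINCIPALS[scope]} on {want['Resource']}")
    return problems

# Constructed sample: placeholder account ID, SSE-KMS bucket in the wrong Region, no policy.
KMS = {"ServerSideEncryptionConfiguration": {"Rules": [
    {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}]}}
if __name__ == "__main__":
    print(preflight("my-web-acl", "us-east-1", "us-west-2", KMS, None, "waf", "111122223333"))
```

The policy check matches the page's statement exactly, so a broader wildcard grant is reported as missing rather than accepted.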