15

我找不到任何关于如何通过CloudFormation将 WAF 与 ALB 关联的示例或文档。据说这条新闻公告可能会发生https://aws.amazon.com/about-aws/whats-new/2017/05/cloudformation-support-for-aws-waf-on-alb/但什么也没有我发现这说明了如何。使用 CloudFront 代替 ALB 有据可查,但我还没有找到一个关于使用 ALB 的示例(通过 CloudFormation)。

更新:我不需要为我完成整个设置的完整示例,但至少需要一个片段来指出 WAF 如何知道与 ALB 关联,反之亦然。链接是缺少的。

4

2 回答 2

20

为了解决这个问题,我浏览了他们的发布历史并找到了更新以支持 WAF 和 ALB http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/ReleaseHistory.html的 CloudFormation 资源, 从那里我能够推断链接组件是映射 WAF 和 ALB 的 WebACLAssociation。但这也要求您必须使用 WAFRegional 而不是普通的 WebACL。到目前为止,这似乎只是意味着在整个代码中将 ::WAF 更改为 ::WAFRegional 。

WAFRegional (AWS::WAFRegional::WebACL): http ://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-wafregional-webacl.html

"MyWebACL": {
  "Type": "AWS::WAFRegional::WebACL",
  "Properties": {
    "Name": "WebACL to with three rules",
    "DefaultAction": {
      "Type": "ALLOW"
    },
    "MetricName" : "MyWebACL",
    "Rules": [
      {
        "Action" : {
          "Type" : "BLOCK"
        },
        "Priority" : 1,
        "RuleId" : { "Ref" : "MyRule" }
      },
      {
        "Action" : {
          "Type" : "BLOCK"
        },
        "Priority" : 2,
        "RuleId" : { "Ref" : "BadReferersRule" }
      },
      {
        "Action" : {
          "Type" : "BLOCK"
        },
        "Priority" : 3,
        "RuleId" : { "Ref" : "SqlInjRule" }
      }
    ]
  }      
}

WebACLAssociation (AWS::WAFRegional::WebACLAssociation) http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-wafregional-webaclassociation.html

    "MyWebACLAssociation": {
  "Type": "AWS::WAFRegional::WebACLAssociation",
  "Properties": {
    "ResourceArn": { "Ref": "MyLoadBalancer" },
    "WebACLId": { "Ref": "MyWebACL" }
  }
}
于 2017-08-02T21:13:11.620 回答
4

以下是 YAML 格式的示例。

   Resources:
    WafAcldev:
     DependsOn: Whitelist
     DependsOn: WafRule
     Type: AWS::WAF::WebACL
     Condition: CreateDEVResources
     Properties:
      DefaultAction:
        Type: "BLOCK"
      MetricName: test
      Name: test
      Rules:
        -
          Action:
            Type: "ALLOW"
          Priority: 1
          RuleId: !Ref WafRule

    WafRule:
        DependsOn: WhitelistIPdev
        Type: AWS::WAF::Rule
        Condition: CreateDEVResources
        Properties:
          MetricName: test
          Name: test
          Predicates:
            -
              DataId:
               Ref: "Whitelist"
              Negated: false
              Type: "IPMatch"

    MyWebACLAssociation:
          Type: "AWS::WAFRegional::WebACLAssociation"
          Properties:
            ResourceArn: arn:aws:elasticloadbalancing:us-east-2:123456789012:listener/app/my-load-balancer/1234567890123456/1234567890123456
            WebACLId:
              Ref: WafAcldev
    Whitelist:
        Type: AWS::WAF::IPSet
        Condition: CreateDEVResources
        Properties:
          Name: "IPSet for Whitelisted IP adresses"
          IPSetDescriptors:
            -
             Type: "IPV4"
             Value: "213.126.223.11/32"
            -
于 2019-08-09T15:36:26.877 回答