AWS WAFv2

The best practices and references below are based on published guidance from the cloud service provider and may reference native capabilities that provider offers. If you are not using the native security capabilities, the same security requirement can be met with other security capabilities your organization uses.

IP Whitelisting

Design Guidance:

AWS::WAFv2::IPSet

Description (Terraform)
Name (Terraform)
IP Address Version (Terraform)
Addresses (Terraform)

AWS::WAFv2::RuleGroup

IP Set Reference Statement-ARN (Terraform)

Asset Inventory

AWS::WAFv2::IPSet

Tags (Terraform)

AWS::WAFv2::RegexPatternSet

Tags (Terraform)

AWS::WAFv2::RuleGroup

Tags (Terraform)
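The following is an added Terraform example, not part of this reference page or of any provider documentation, that realises the IPSet and RuleGroup attributes listed under IP Whitelisting together with the tags listed under Asset Inventory. Resource names, CIDR ranges and tag values are placeholders. The ip_set_forwarded_ip_config block belongs only where a proxy you control sits in front of the load balancer and writes X-Forwarded-For; a client can set that header itself, so without such a proxy WAF should be left matching on the connection source address.

```hcl
# Added example: IP allowlisting with an IP set referenced from a rule group.
# Resource names, CIDRs and tag values are placeholders.
resource "aws_wafv2_ip_set" "trusted_egress" {
  name               = "trusted-egress"
  description        = "Office and partner egress ranges permitted to reach the app"
  scope              = "REGIONAL" # CLOUDFRONT scope must be created in us-east-1
  ip_address_version = "IPV4"

  # Entries must be CIDR notation; a single host needs an explicit /32.
  addresses = [
    "198.51.100.0/24",
    "203.0.113.7/32",
  ]

  # Asset Inventory: tags make the control discoverable and attributable.
  tags = {
    Owner       = "platform-security"
    Control     = "ip-allowlist"
    Environment = "prod"
  }
}

resource "aws_wafv2_rule_group" "ip_allowlist" {
  name        = "ip-allowlist"
  description = "Admit requests from trusted egress ranges"
  scope       = "REGIONAL"
  capacity    = 10 # WCUs; an IP set reference statement costs 1

  rule {
    name     = "allow-trusted-egress"
    priority = 0

    # allow terminates evaluation for the request; order this group in the
    # web ACL with that in mind.
    action {
      allow {}
    }

    statement {
      ip_set_reference_statement {
        arn = aws_wafv2_ip_set.trusted_egress.arn

        # Only when a trusted proxy in front of the ALB writes this header.
        # Without this block WAF matches on the TCP source address, which
        # behind a proxy is the proxy itself. FIRST reads the value the
        # client supplied; LAST reads the address the nearest proxy appended.
        ip_set_forwarded_ip_config {
          header_name       = "X-Forwarded-For"
          position          = "LAST"
          fallback_behavior = "NO_MATCH" # malformed header: do not allow
        }
      }
    }

    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "allow-trusted-egress"
      sampled_requests_enabled   = true
    }
  }

  visibility_config {
    cloudwatch_metrics_enabled = true
    metric_name                = "ip-allowlist"
    sampled_requests_enabled   = true
  }

  tags = {
    Owner   = "platform-security"
    Control = "ip-allowlist"
  }
}
```

Because the rule's allow action is terminating, a web ACL that references this group ahead of its blocking rules lets the listed ranges bypass those rules; place it after them if the allowlist is meant only to override a default block.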

Payload Inspection

AWS::WAFv2::RegexPatternSet

Name (Terraform)

AWS::WAFv2::RuleGroup

Description (Terraform)
Name (Terraform)
Rules (Terraform)
Rules-Name (Terraform)
Rules-Priority (Terraform)
Byte Match Statement-Search String (Terraform)
Byte Match Statement-Search String Base64 (Terraform)
Field To Match-Single Header (Terraform)
Field To Match-Single Query Argument (Terraform)
Field To Match-All Query Arguments (Terraform)
Field To Match-URI Path (Terraform)
Field To Match-Query String (Terraform)
Field To Match-Body (Terraform)
Field To Match-Method (Terraform)
Byte Match Statement-Positional Constraint (Terraform)
Size Constraint Statement-Comparison Operator (Terraform)
Size Constraint Statement-Size (Terraform)
Regex Pattern Set Reference Statement-ARN (Terraform)

Input Validation

Design Guidance:

AWS::WAFv2::RegexPatternSet

Regular Expression List (Terraform)

AWS::WAFv2::RuleGroup

Text Transformations-Priority (Terraform)
Text Transformations-Type (Terraform)
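An added Terraform example, not from this page, covering the Payload Inspection and Input Validation attributes together: a regex pattern set applied to every query argument after an ordered chain of text transformations, and a size constraint on the request body. Names, the pattern list and the size are placeholders. Two caveats a practitioner should carry with it: URL_DECODE removes one layer of percent-encoding, so a double-encoded sequence survives it, and WAF inspects only a bounded prefix of the body, so a body rule without oversize handling can be bypassed by padding the request.

```hcl
# Added example, not from the page: a regex pattern set applied to query
# arguments after ordered text transformations, plus a size constraint that
# closes the body-inspection gap. Names and sizes are placeholders.
resource "aws_wafv2_regex_pattern_set" "traversal" {
  name  = "path-traversal"
  scope = "REGIONAL"

  # HCL escaping: WAF receives the regex  \.\.[/\\]  ("../" or "..\").
  regular_expression {
    regex_string = "\\.\\.[/\\\\]"
  }
  regular_expression {
    regex_string = "/etc/passwd"
  }
}

resource "aws_wafv2_rule_group" "payload_inspection" {
  name     = "payload-inspection"
  scope    = "REGIONAL"
  capacity = 100 # WCUs; regex statements and transformations raise the cost

  rule {
    name     = "block-traversal-in-query"
    priority = 0
    action {
      block {}
    }
    statement {
      regex_pattern_set_reference_statement {
        arn = aws_wafv2_regex_pattern_set.traversal.arn
        field_to_match {
          all_query_arguments {}
        }
        # Transformations run in ascending priority and the regex sees the
        # final output: percent-decode first so "%2e%2e%2f" becomes "../",
        # then lowercase so "/ETC/PASSWD" matches too. URL_DECODE strips one
        # layer only; "%252e" comes out as "%2e", not ".".
        text_transformation {
          priority = 0
          type     = "URL_DECODE"
        }
        text_transformation {
          priority = 1
          type     = "LOWERCASE"
        }
      }
    }
    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "block-traversal-in-query"
      sampled_requests_enabled   = true
    }
  }

  # WAF inspects only a bounded prefix of the request body, so body rules can
  # be bypassed by padding. Block bodies larger than that prefix, and treat a
  # body WAF could not inspect in full as a match rather than passing it.
  rule {
    name     = "block-oversized-body"
    priority = 1
    action {
      block {}
    }
    statement {
      size_constraint_statement {
        comparison_operator = "GT"
        size                = 8192 # bytes; align with the body limit of your scope
        field_to_match {
          body {
            oversize_handling = "MATCH"
          }
        }
        text_transformation {
          priority = 0
          type     = "NONE"
        }
      }
    }
    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "block-oversized-body"
      sampled_requests_enabled   = true
    }
  }

  visibility_config {
    cloudwatch_metrics_enabled = true
    metric_name                = "payload-inspection"
    sampled_requests_enabled   = true
  }
}
```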

Firewalls

Design Guidance:

AWS::WAFv2::RuleGroup

Geo Match Statement-Country Codes (Terraform)

AWS::WAFv2::WebACL

Description (Terraform)
Name (Terraform)

AWS::WAFv2::WebACLAssociation

Resource ARN (Terraform)
Web ACL ARN (Terraform)

Transaction Rate-limiting

Design Guidance:

AWS::WAFv2::RuleGroup

Rate Based Statement-Limit (Terraform)
Rate Based Statement-Aggregate Key Type (Terraform)
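An added Terraform example, not from this page, for the rate-based statement attributes above: a login rate limit deployed in count mode so the threshold can be calibrated against CloudWatch metrics before it blocks anything. Names, the path and the limit are placeholders. aggregate_key_type IP counts by connection source address; behind a CDN or proxy every request shares the proxy's address, and FORWARDED_IP with a forwarded_ip_config block is appropriate only when that header is written by a proxy you trust.

```hcl
# Added example, not from the page: a rate-based rule scoped to the login
# endpoint. Names, path and threshold are placeholders.
resource "aws_wafv2_rule_group" "rate_limits" {
  name     = "rate-limits"
  scope    = "REGIONAL"
  capacity = 50

  rule {
    name     = "limit-login-attempts"
    priority = 0

    # count {} records matches without stopping them. Once the metric shows
    # only abusive sources exceed the threshold, change this to block {}.
    action {
      count {}
    }

    statement {
      rate_based_statement {
        # Requests per aggregation key over the evaluation window (5 minutes
        # by default) before the action applies.
        limit              = 300
        aggregate_key_type = "IP" # FORWARDED_IP needs forwarded_ip_config

        # Without a scope-down statement every request counts toward the
        # limit; here only login traffic does.
        scope_down_statement {
          byte_match_statement {
            search_string         = "/login"
            positional_constraint = "STARTS_WITH"
            field_to_match {
              uri_path {}
            }
            text_transformation {
              priority = 0
              type     = "NORMALIZE_PATH"
            }
          }
        }
      }
    }

    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "limit-login-attempts"
      sampled_requests_enabled   = true
    }
  }

  visibility_config {
    cloudwatch_metrics_enabled = true
    metric_name                = "rate-limits"
    sampled_requests_enabled   = true
  }
}
```

The byte_match_statement inside the scope-down also illustrates the Payload Inspection attributes search string and positional constraint: STARTS_WITH anchors the match at the beginning of the normalised URI path, so "/login/reset" counts but "/api/login-help" does not.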

Deny-all Communications and Only Allow-by-Exception

Design Guidance:

AWS::WAFv2::RuleGroup

Action-Allow (Terraform)
Action-Block (Terraform)
Action-Count (Terraform)

AWS::WAFv2::WebACL

Default Action-Allow (Terraform)
Default Action-Block (Terraform)
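An added Terraform example, not from this page, that ties the Firewalls and Deny-all sections together: a geo-match rule group, a web ACL whose default action is block, an explicit allow rule for a trusted IP set, and the association that attaches the web ACL to a load balancer. The two variables, the names and the country list are placeholders; the IP set ARN is assumed to come from an aws_wafv2_ip_set defined elsewhere.

```hcl
# Added example, not from the page: a default-deny web ACL attached to an
# ALB. The geo-match rule group is enforced first, then an explicit allow
# rule admits named sources; everything else reaches default_action.
# Variables, names and the country list are placeholders.
variable "alb_arn" { type = string }            # load balancer to protect
variable "trusted_ip_set_arn" { type = string } # aws_wafv2_ip_set of admitted ranges

resource "aws_wafv2_rule_group" "geo_block" {
  name     = "geo-block"
  scope    = "REGIONAL"
  capacity = 10

  rule {
    name     = "block-unserved-countries"
    priority = 0
    action {
      block {}
    }
    statement {
      geo_match_statement {
        country_codes = ["AQ", "BV"] # illustrative ISO 3166-1 codes only
      }
    }
    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "block-unserved-countries"
      sampled_requests_enabled   = true
    }
  }

  visibility_config {
    cloudwatch_metrics_enabled = true
    metric_name                = "geo-block"
    sampled_requests_enabled   = true
  }
}

resource "aws_wafv2_web_acl" "edge" {
  name  = "app-edge"
  scope = "REGIONAL"

  # Requests no rule terminates on are dropped. Use allow {} only while
  # rules are being validated in count mode, then switch to block {}.
  default_action {
    block {}
  }

  # Lowest priority number runs first, so a blocked geography cannot be
  # rescued by the allow rule below. none {} leaves the group's own block
  # action in force; count {} would turn the whole group into telemetry.
  rule {
    name     = "geo-block"
    priority = 0
    override_action {
      none {}
    }
    statement {
      rule_group_reference_statement {
        arn = aws_wafv2_rule_group.geo_block.arn
      }
    }
    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "geo-block"
      sampled_requests_enabled   = true
    }
  }

  # The exception: listed ranges are allowed explicitly.
  rule {
    name     = "allow-trusted-sources"
    priority = 1
    action {
      allow {}
    }
    statement {
      ip_set_reference_statement {
        arn = var.trusted_ip_set_arn
      }
    }
    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "allow-trusted-sources"
      sampled_requests_enabled   = true
    }
  }

  visibility_config {
    cloudwatch_metrics_enabled = true
    metric_name                = "app-edge"
    sampled_requests_enabled   = true
  }
}

# Regional resources (ALB, API Gateway stage, AppSync) are attached this way;
# a CloudFront distribution takes the web ACL through its own web_acl_id.
resource "aws_wafv2_web_acl_association" "alb" {
  resource_arn = var.alb_arn
  web_acl_arn  = aws_wafv2_web_acl.edge.arn
}
```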

Logging

Design Guidance:

AWS::WAFv2::RuleGroup

Visibility Config-Sampled Requests Enabled (Terraform)
Visibility Config-CloudWatch Metrics Enabled (Terraform)
Visibility Config-Metric Name (Terraform)
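The visibility config attributes above give CloudWatch metrics and a retained sample of matching requests; they are not a full request log. The added Terraform example below, which is not from this page and goes beyond the attributes it lists, adds the web ACL logging configuration that produces per-request records, sent to a CloudWatch Logs group with sensitive headers redacted and allowed traffic filtered out. The web ACL ARN variable and all names are placeholders.

```hcl
# Added example, not from the page: full request logging for a web ACL.
# The web ACL ARN variable and names are placeholders.
variable "web_acl_arn" { type = string }

# WAF log destinations must be named with the prefix "aws-waf-logs-".
resource "aws_cloudwatch_log_group" "waf" {
  name              = "aws-waf-logs-app-edge"
  retention_in_days = 90
}

resource "aws_wafv2_web_acl_logging_configuration" "edge" {
  resource_arn            = var.web_acl_arn
  log_destination_configs = [aws_cloudwatch_log_group.waf.arn]

  # Credentials travel in headers; keep them out of the log store.
  redacted_fields {
    single_header {
      name = "authorization"
    }
  }
  redacted_fields {
    single_header {
      name = "cookie"
    }
  }

  # Keep only requests a rule blocked or counted. Drop the filter entirely if
  # incident reconstruction needs the allowed traffic as well; the trade-off
  # is log volume and cost.
  logging_filter {
    default_behavior = "DROP"
    filter {
      behavior    = "KEEP"
      requirement = "MEETS_ANY"
      condition {
        action_condition {
          action = "BLOCK"
        }
      }
      condition {
        action_condition {
          action = "COUNT"
        }
      }
    }
  }
}
```

Logging is configured on the web ACL, not on individual rule groups; a rule group's visibility_config only controls the metrics and samples reported for its own rules.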