AWS WAF CDK Python How to change rule action

hightest Published at Dev

hightest

Here is my python cdk code which create 2 rules "AWS-AWSManagedRulesCommonRuleSet" and "AWS-AWS-ManagedRulesAmazonIpReputationList". In each rule there are child rules that i can change their Rule Actions to Count, the question is how can i add this to my code, i didn't find any good explanation for those child rules.

Added some changes but still doesn't work, i get this error:

Resource handler returned message: "Error reason: You have used none or multiple values for a field that requires exactly one value., field: RULE, parameter: Rule (Service: Wafv2, Status Code: 400, Request ID: 248d9235-bd01-49f4-963b-109bac2776c5, Extended Request ID: null)" (RequestToken: 8bb5****-****-3e95-****- 
8e336ae3eed4, HandlerErrorCode: InvalidRequest)

the code:

class PyCdkStack(core.Stack):

def __init__(self, scope: core.Construct, construct_id: str, **kwargs) -> None:
    super().__init__(scope, construct_id, **kwargs)

    web_acl = wafv2.CfnWebACL(
        scope_=self, id='WebAcl',
        default_action=wafv2.CfnWebACL.DefaultActionProperty(allow={}),
        scope='REGIONAL',
        visibility_config=wafv2.CfnWebACL.VisibilityConfigProperty(
            cloud_watch_metrics_enabled=True,
            sampled_requests_enabled=True,
            metric_name='testwafmetric',
        ),
        name='Test-Test-WebACL',
        rules=[
            {
                'name': 'AWS-AWSManagedRulesCommonRuleSet',
                'priority': 1,
                'statement': {
                    'RuleGroupReferenceStatement': {
                        'vendorName': 'AWS',
                        'name': 'AWSManagedRulesCommonRuleSet',
                        'ARN': 'string',
                        "ExcludedRules": [
                            {
                                "Name": "CrossSiteScripting_QUERYARGUMENTS"
                            },
                            {
                                "Name": "GenericLFI_QUERYARGUMENTS"
                            },
                            {
                                "Name": "GenericRFI_QUERYARGUMENTS"
                            },
                            {
                                "Name": "NoUserAgent_HEADER"
                            },
                            {
                                "Name": "SizeRestrictions_QUERYSTRING"
                            }
                        ]
                    }
                },
                'overrideAction': {
                    'none': {}
                },
                'visibilityConfig': {
                    'sampledRequestsEnabled': True,
                    'cloudWatchMetricsEnabled': True,
                    'metricName': "AWS-AWSManagedRulesCommonRuleSet"
                }
            },
        ]
    )

LRutten

The Cfn- constructs are a one to one mapping to the cloudformation resources. You can simply check the docs for aws::wafv2::webacl.

For an example on how to exclude in cloudformation, see below. Note that object keys need to start with lowercase in order for CDK to process them.

{
    "name": "AWS-AWSBotControl-Example",
   "priority": 5, 
   "statement": {
    "managedRuleGroupStatement": {
        "vendorName": "AWS",
        "name": "AWSManagedRulesBotControlRuleSet",
        "excludedRules": [
            {
                "name": "CategoryVerifiedSearchEngine"
            },
            {
                "name": "CategoryVerifiedSocialMedia"
            }
        ]
    },
   "visibilityConfig": {
       "sampledRequestsEnabled": true,
       "cloudWatchMetricsEnabled": true,
       "metricName": "AWS-AWSBotControl-Example"
   }
}

This actually sets the two mentioned rules to Count mode. See https://docs.aws.amazon.com/waf/latest/developerguide/web-acl-rule-group-settings.html#web-acl-rule-group-rule-to-count. Note it sais:

Rules that you alter like this are described as being excluded rules in the rule group. If you have metrics enabled, you receive COUNT metrics for each excluded rule. This change alters how the rules in the rule group are evaluated.

Collected from the Internet

Please contact [email protected] to delete if infringement.

edited at2021-09-24

Comments

0 comments

TOP Ranking

Article

AWS WAF CDK Python How to change rule action

AWS WAF CDK Python How to change rule action

Failed to listen on localhost:8000 (reason: Cannot assign requested address)

How to import an asset in swift using Bundle.main.path() in a react-native native module

Loopback Error: connect ECONNREFUSED 127.0.0.1:3306 (MAMP)

pump.io port in URL

Spring Boot JPA PostgreSQL Web App - Internal Authentication Error

BigQuery - concatenate ignoring NULL

ngClass error (Can't bind ngClass since it isn't a known property of div) in Angular 11.0.3

Do Idle Snowflake Connections Use Cloud Services Credits?

maven-jaxb2-plugin cannot generate classes due to two declarations cause a collision in ObjectFactory class

Compiler error CS0246 (type or namespace not found) on using Ninject in ASP.NET vNext

Can't pre-populate phone number and message body in SMS link on iPhones when SMS app is not running in the background

Generate random UUIDv4 with Elm

Jquery different data trapped from direct mousedown event and simulation via $(this).trigger('mousedown');

Is it possible to Redo commits removed by GitHub Desktop's Undo on a Mac?

flutter: dropdown item programmatically unselect problem

Change dd-mm-yyyy date format of dataframe date column to yyyy-mm-dd

EXCEL: Find sum of values in one column with criteria from other column

Pandas - check if dataframe has negative value in any column

How to use merge windows unallocated space into Ubuntu using GParted?

Make a B+ Tree concurrent thread safe

ggplotly no applicable method for 'plotly_build' applied to an object of class "NULL" if statements