AWS WAF Web ACL

Deploys an AWS WAFv2 Web Access Control List with ordered rules for managed rule groups, rate limiting, geographic filtering, and IP-based access control. Includes optional request logging with field redaction. Rules are evaluated by priority; the first match takes action.

What Gets Created

When you deploy an AwsWafWebAcl resource, OpenMCF provisions:

  • WAFv2 Web ACL — an aws_wafv2_web_acl resource with the specified scope (REGIONAL or CLOUDFRONT), default action, visibility config, and rules passed via rule_json
  • Rules — an ordered set of rules constructed from managed rule group references, rate-based limits, geographic match conditions, IP set references, and custom statement escape hatches
  • Custom Response Bodies — reusable response templates referenced by block actions
  • Logging Configuration — an aws_wafv2_web_acl_logging_configuration resource created only when logging is provided, with destination ARN and optional field redaction

Prerequisites

  • AWS credentials configured via environment variables or OpenMCF provider config
  • Appropriate IAM permissions for wafv2:* operations
  • us-east-1 provider region if using CLOUDFRONT scope
  • WAFv2 IP Sets created separately if using ipSetReference rules
  • A logging destination whose name starts with aws-waf-logs- if enabling logging (CloudWatch Logs log group, S3 bucket, or Kinesis Firehose delivery stream)

Quick Start

Create a file waf.yaml:

apiVersion: aws.openmcf.org/v1
kind: AwsWafWebAcl
metadata:
  name: my-web-acl
  labels:
    openmcf.org/provisioner: pulumi
    pulumi.openmcf.org/organization: my-org
    pulumi.openmcf.org/project: my-project
    pulumi.openmcf.org/stack.name: dev.AwsWafWebAcl.my-web-acl
spec:
  region: us-east-1
  scope: REGIONAL
  defaultAction:
    type: allow
  rules:
    - name: aws-common-rules
      priority: 1
      overrideAction: none
      managedRuleGroup:
        name: AWSManagedRulesCommonRuleSet
        vendorName: AWS

Deploy:

openmcf apply -f waf.yaml

This creates a REGIONAL Web ACL that allows all traffic by default and blocks known threats via the AWS Common Rule Set.

Configuration Reference

Required Fields

| Field | Type | Description | Validation |
|---|---|---|---|
| region | string | The AWS region where the Web ACL will be created. Use us-east-1 for CLOUDFRONT scope. | Required |
| scope | string | Where the Web ACL can be used: REGIONAL or CLOUDFRONT | Must be one of the two valid values |
| defaultAction.type | string | Baseline action when no rule matches: allow or block | Must be allow or block |

Optional Fields

| Field | Type | Default | Description |
|---|---|---|---|
| description | string | — | Human-readable description. Max 256 characters. |
| rules | object[] | [] | Ordered rule set evaluated by priority. |
| visibilityConfig.cloudwatchMetricsEnabled | bool | true | Enable CloudWatch metrics for the Web ACL. |
| visibilityConfig.sampledRequestsEnabled | bool | true | Enable request sampling. |
| visibilityConfig.metricName | string | resource name | CloudWatch metric name. |
| customResponseBodies | object[] | [] | Reusable response body templates referenced by block actions. |
| tokenDomains | string[] | [] | Domains for CAPTCHA/Challenge token validation. |
| logging.destinationArn | string | — | ARN of CloudWatch Logs, S3, or Firehose destination. Supports valueFrom. |
| logging.redactedHeaderNames | string[] | [] | HTTP headers to redact from logs. |
| logging.redactUriPath | bool | false | Redact URI path from logs. |
| logging.redactQueryString | bool | false | Redact query string from logs. |

Rule Fields

| Field | Type | Description |
|---|---|---|
| name | string | Unique rule name (1-128 characters). |
| priority | int | Evaluation order (lower numbers first). |
| action | string | For custom rules: allow, block, count, captcha, or challenge. |
| overrideAction | string | For managed rule groups: count or none. |
| managedRuleGroup.name | string | Managed rule group name (e.g., AWSManagedRulesCommonRuleSet). |
| managedRuleGroup.vendorName | string | Vendor name (e.g., AWS). |
| managedRuleGroup.version | string | Pin to a specific version. |
| managedRuleGroup.ruleActionOverrides | object[] | Override actions for specific rules within the group. |
| managedRuleGroup.scopeDownStatement | object | Struct narrowing which requests the group evaluates. |
| rateBased.limit | int | Max requests per evaluation window (10–2,000,000,000). |
| rateBased.evaluationWindowSec | int | Window in seconds: 60, 120, 300, or 600. |
| rateBased.aggregateKeyType | string | IP, FORWARDED_IP, CONSTANT, or CUSTOM_KEYS. |
| geoMatch.countryCodes | string[] | ISO 3166-1 alpha-2 country codes. |
| ipSetReference.arn | string | ARN of a WAFv2 IP Set. |
| customStatement | object | Raw AWS WAFv2 JSON statement (escape hatch). |
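The constraints in the three tables above only surface as errors at apply time. The following pre-deploy validator is an added example, not OpenMCF's own code: it checks a spec dictionary (the `spec:` section of the YAML, parsed) against the rules stated on this page before `openmcf apply` runs. Field names are the page's; the function names, the `managed` helper, the assumption that each rule carries exactly one statement type (WAFv2's rule model, not stated here), and the `BROKEN_SPEC` misconfiguration are this example's own.

```python
# Pre-deploy validator for an AwsWafWebAcl spec: an added example, not OpenMCF code. It encodes
# the Configuration Reference constraints (scope/action enums, rate limit range and windows,
# name length, unique names/priorities, customResponseBodyKey references, aws-waf-logs- naming).
import re
from typing import Any

VALID_SCOPES = {"REGIONAL", "CLOUDFRONT"}
VALID_DEFAULT_ACTIONS = {"allow", "block"}
VALID_RULE_ACTIONS = {"allow", "block", "count", "captcha", "challenge"}
VALID_OVERRIDE_ACTIONS = {"count", "none"}
VALID_WINDOWS = {60, 120, 300, 600}
# Assumption from the WAFv2 rule model (not stated on the page): each rule has exactly one statement.
STATEMENT_KEYS = ("managedRuleGroup", "rateBased", "geoMatch", "ipSetReference", "customStatement")

def destination_name(arn: str) -> str:
    """Last component of a CloudWatch Logs ('log-group:NAME[:*]'), S3 or Firehose ARN."""
    return re.split(r"[:/]", arn.removesuffix(":*"))[-1]

def validate_rule(rule: dict[str, Any], body_keys: set[str]) -> list[str]:
    errors: list[str] = []
    name = str(rule.get("name", ""))
    tag = f"rule {name!r}"
    if not 1 <= len(name) <= 128:
        errors.append(f"{tag}: name must be 1-128 characters")
    present = [k for k in STATEMENT_KEYS if k in rule]
    if len(present) != 1:
        errors.append(f"{tag}: exactly one statement type expected, found {present}")
    if "managedRuleGroup" in rule:
        # Managed rule groups take overrideAction (count|none); action belongs to custom rules.
        if rule.get("overrideAction") not in VALID_OVERRIDE_ACTIONS:
            errors.append(f"{tag}: managed rule group requires overrideAction count|none")
        if "action" in rule:
            errors.append(f"{tag}: action is not valid on a managed rule group")
    elif rule.get("action") not in VALID_RULE_ACTIONS:
        errors.append(f"{tag}: action must be one of {sorted(VALID_RULE_ACTIONS)}")
    rb = rule.get("rateBased")
    if rb is not None:
        limit = rb.get("limit")
        if not isinstance(limit, int) or not 10 <= limit <= 2_000_000_000:
            errors.append(f"{tag}: rateBased.limit must be within 10..2000000000")
        if "evaluationWindowSec" in rb and rb["evaluationWindowSec"] not in VALID_WINDOWS:
            errors.append(f"{tag}: evaluationWindowSec must be 60, 120, 300 or 600")
    key = (rule.get("customResponse") or {}).get("customResponseBodyKey")
    if key is not None and key not in body_keys:
        errors.append(f"{tag}: customResponseBodyKey {key!r} has no customResponseBodies entry")
    return errors

def validate_spec(spec: dict[str, Any]) -> list[str]:
    errors: list[str] = []
    scope = spec.get("scope")
    if scope not in VALID_SCOPES:
        errors.append(f"scope must be REGIONAL or CLOUDFRONT, got {scope!r}")
    elif scope == "CLOUDFRONT" and spec.get("region") != "us-east-1":
        errors.append("CLOUDFRONT scope requires region us-east-1")
    if (spec.get("defaultAction") or {}).get("type") not in VALID_DEFAULT_ACTIONS:
        errors.append("defaultAction.type must be allow or block")
    if len(spec.get("description", "")) > 256:
        errors.append("description exceeds 256 characters")
    body_keys = {b.get("key") for b in spec.get("customResponseBodies", [])}
    rules = spec.get("rules", [])
    for rule in rules:
        errors.extend(validate_rule(rule, body_keys))
    if len({r.get("name") for r in rules}) != len(rules):
        errors.append("rule names must be unique")
    if len({r.get("priority") for r in rules}) != len(rules):
        errors.append("rule priorities must be unique")
    # A destinationArn given via valueFrom resolves at deploy time and cannot be checked here.
    arn = ((spec.get("logging") or {}).get("destinationArn") or {}).get("value")
    if arn and not destination_name(arn).startswith("aws-waf-logs-"):
        errors.append("logging destination name must start with aws-waf-logs-")
    return errors

def managed(name: str, priority: int, group: str) -> dict[str, Any]:
    return {"name": name, "priority": priority, "overrideAction": "none",
            "managedRuleGroup": {"name": group, "vendorName": "AWS"}}

PROD_SPEC = {  # the page's prod-waf example, as a dict
    "region": "us-east-1", "scope": "REGIONAL", "description": "Production Web ACL",
    "defaultAction": {"type": "allow"},
    "rules": [
        {"name": "rate-limit", "priority": 1, "action": "block", "rateBased": {"limit": 3000}},
        managed("aws-ip-reputation", 10, "AWSManagedRulesAmazonIpReputationList"),
        managed("aws-common-rules", 20, "AWSManagedRulesCommonRuleSet"),
        managed("aws-sqli-rules", 30, "AWSManagedRulesSQLiRuleSet"),
    ],
    "logging": {"destinationArn": {"value": "arn:aws:logs:us-east-1:123456789012:log-group:aws-waf-logs-prod"},
                "redactedHeaderNames": ["authorization", "cookie"], "redactQueryString": True},
}
# Constructed misconfiguration: CLOUDFRONT outside us-east-1, limit below 10, action on a managed
# rule group with no overrideAction, a duplicate priority, and a destination not named aws-waf-logs-*.
BROKEN_SPEC = {
    "region": "us-west-2", "scope": "CLOUDFRONT", "defaultAction": {"type": "allow"},
    "rules": [
        {"name": "rate-limit", "priority": 1, "action": "block", "rateBased": {"limit": 5}},
        {"name": "aws-common-rules", "priority": 1, "action": "block",
         "managedRuleGroup": {"name": "AWSManagedRulesCommonRuleSet", "vendorName": "AWS"}},
    ],
    "logging": {"destinationArn": {"value": "arn:aws:logs:us-west-2:123456789012:log-group:waf-prod"}},
}
```

`validate_spec(PROD_SPEC)` returns an empty list; `validate_spec(BROKEN_SPEC)` returns six messages, one per misconfiguration listed in the comment. A `destinationArn` supplied through `valueFrom` is skipped, since its value is not known until deploy time; the aws-waf-logs- naming check then has to be done on the destination resource itself.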

Examples

Managed Rules with Rate Limiting

apiVersion: aws.openmcf.org/v1
kind: AwsWafWebAcl
metadata:
  name: api-protection
  labels:
    openmcf.org/provisioner: pulumi
    pulumi.openmcf.org/organization: my-org
    pulumi.openmcf.org/project: my-project
    pulumi.openmcf.org/stack.name: prod.AwsWafWebAcl.api-protection
spec:
  region: us-east-1
  scope: REGIONAL
  defaultAction:
    type: allow
  rules:
    - name: rate-limit
      priority: 1
      action: block
      rateBased:
        limit: 2000
    - name: aws-common-rules
      priority: 10
      overrideAction: none
      managedRuleGroup:
        name: AWSManagedRulesCommonRuleSet
        vendorName: AWS
    - name: aws-sqli-rules
      priority: 20
      overrideAction: none
      managedRuleGroup:
        name: AWSManagedRulesSQLiRuleSet
        vendorName: AWS

Geographic Blocking with Custom Error Response

apiVersion: aws.openmcf.org/v1
kind: AwsWafWebAcl
metadata:
  name: geo-restricted
  labels:
    openmcf.org/provisioner: pulumi
    pulumi.openmcf.org/organization: my-org
    pulumi.openmcf.org/project: my-project
    pulumi.openmcf.org/stack.name: prod.AwsWafWebAcl.geo-restricted
spec:
  region: us-east-1
  scope: REGIONAL
  defaultAction:
    type: allow
  rules:
    - name: block-embargoed
      priority: 1
      action: block
      geoMatch:
        countryCodes: [RU, CN, KP, IR]
      customResponse:
        responseCode: 403
        customResponseBodyKey: geo-blocked
  customResponseBodies:
    - key: geo-blocked
      content: '{"error":"geo_restricted","message":"Service not available in your region"}'
      contentType: APPLICATION_JSON

Production Web ACL with Logging

apiVersion: aws.openmcf.org/v1
kind: AwsWafWebAcl
metadata:
  name: prod-waf
  labels:
    openmcf.org/provisioner: pulumi
    pulumi.openmcf.org/organization: my-org
    pulumi.openmcf.org/project: my-project
    pulumi.openmcf.org/stack.name: prod.AwsWafWebAcl.prod-waf
spec:
  region: us-east-1
  scope: REGIONAL
  description: Production Web ACL
  defaultAction:
    type: allow
  rules:
    - name: rate-limit
      priority: 1
      action: block
      rateBased:
        limit: 3000
    - name: aws-ip-reputation
      priority: 10
      overrideAction: none
      managedRuleGroup:
        name: AWSManagedRulesAmazonIpReputationList
        vendorName: AWS
    - name: aws-common-rules
      priority: 20
      overrideAction: none
      managedRuleGroup:
        name: AWSManagedRulesCommonRuleSet
        vendorName: AWS
    - name: aws-sqli-rules
      priority: 30
      overrideAction: none
      managedRuleGroup:
        name: AWSManagedRulesSQLiRuleSet
        vendorName: AWS
  logging:
    destinationArn:
      value: arn:aws:logs:us-east-1:123456789012:log-group:aws-waf-logs-prod
    redactedHeaderNames:
      - authorization
      - cookie
    redactQueryString: true
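Once logging is enabled, the redaction settings above are worth verifying from the log side rather than trusting the configuration: a header that was meant to be redacted but reaches the destination with its real value is a credential leak into the log store. The following audit is an added example, not OpenMCF code. It reads WAF log records (one JSON object per line, with the `action`, `terminatingRuleId` and `httpRequest.headers` fields of the AWS WAF log format), counts requests per action and per terminating rule, and flags any header from `redactedHeaderNames` whose value is not the literal `REDACTED`. The log lines, the Web ACL ARN and the request ids are constructed for this example.

```python
# Audit AWS WAF log records against a logging config like the one above. Added example, not
# OpenMCF code. Field names (action, terminatingRuleId, httpRequest.headers, requestId) follow the
# AWS WAF log format; the records themselves are constructed for this example.
import json
from collections import Counter
from typing import Any

REDACTED = "REDACTED"  # literal AWS WAF writes in place of a redacted field value
WEB_ACL_ARN = "arn:aws:wafv2:us-east-1:123456789012:regional/webacl/prod-waf/00000000-EXAMPLE"  # constructed

def record(req_id: str, action: str, rule: str, rule_type: str, headers: dict[str, str]) -> str:
    """Build one constructed WAF log line in the documented JSON shape."""
    return json.dumps({
        "timestamp": 1700000000000, "formatVersion": 1, "webaclId": WEB_ACL_ARN,
        "terminatingRuleId": rule, "terminatingRuleType": rule_type, "action": action,
        "httpRequest": {"requestId": req_id, "clientIp": "198.51.100.7", "country": "US",
                        "uri": "/api/orders", "httpMethod": "GET",
                        "headers": [{"name": n, "value": v} for n, v in headers.items()]},
    })

SAMPLE_LOG_LINES = [
    record("req-1", "ALLOW", "Default_Action", "REGULAR",
           {"Host": "api.example.com", "Authorization": REDACTED, "Cookie": REDACTED}),
    record("req-2", "BLOCK", "rate-limit", "RATE_BASED", {"Host": "api.example.com"}),
    record("req-3", "BLOCK", "aws-sqli-rules", "MANAGED_RULE_GROUP",
           {"Host": "api.example.com", "Cookie": REDACTED}),
    # Constructed failure case: the header reached the log with a real value, i.e. redaction is missing.
    record("req-4", "ALLOW", "Default_Action", "REGULAR",
           {"Host": "api.example.com", "Authorization": "Bearer CONSTRUCTED-SAMPLE-TOKEN"}),
]

def audit_waf_logs(lines: list[str], redacted_headers: list[str]) -> dict[str, Any]:
    """Summarise actions and terminating rules; flag headers that should be REDACTED but are not."""
    want = {h.lower() for h in redacted_headers}  # header names compare case-insensitively
    by_action: Counter[str] = Counter()
    by_rule: Counter[str] = Counter()
    unredacted: list[dict[str, str]] = []
    for line in lines:
        rec = json.loads(line)
        by_action[rec["action"]] += 1
        by_rule[rec["terminatingRuleId"]] += 1
        for hdr in rec.get("httpRequest", {}).get("headers", []):
            if hdr["name"].lower() in want and hdr["value"] != REDACTED:
                unredacted.append({"requestId": rec["httpRequest"]["requestId"], "header": hdr["name"]})
    return {"by_action": dict(by_action), "by_rule": dict(by_rule), "unredacted": unredacted}

if __name__ == "__main__":
    print(json.dumps(audit_waf_logs(SAMPLE_LOG_LINES, ["authorization", "cookie"]), indent=2))
```

Run against the sample, the audit reports two ALLOW and two BLOCK records, attributes the blocks to `rate-limit` and `aws-sqli-rules`, and lists `req-4` as carrying an unredacted `Authorization` header. A non-empty `unredacted` list in production logs means the Web ACL's `redactedHeaderNames` does not cover a header the application actually sends, and the records already written to the destination need the same handling as any other leaked secret.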

Stack Outputs

After deployment, the following outputs are available in status.outputs:

| Output | Type | Description |
|---|---|---|
| web_acl_arn | string | ARN of the Web ACL, used to associate with ALB, API Gateway, CloudFront, and other protected resources |
| web_acl_id | string | Unique identifier of the Web ACL |
| web_acl_name | string | Name of the Web ACL |
| capacity | int | Web ACL Capacity Units consumed (maximum 5,000 per Web ACL) |

Related Components

  • AwsAlb — commonly protected by a WAF Web ACL via association
  • AwsHttpApiGateway — protectable via WAF association
  • AwsCloudFront — protected by CLOUDFRONT-scoped Web ACLs
  • AwsCognitoUserPool — protectable via WAF association