WAF - Web Application Firewall


Stability: Experimental

This is an experimental example. It may not build out of the box.

This example is built on Construct Libraries marked "Experimental" and may not be updated for the latest breaking changes.

If the build is unsuccessful, please create an issue so that we can debug the problem.


  • Creates a WAF for use with CloudFront and a WAF for use with Load Balancers.
  • Both WAF stacks are virtually identical:
    • WAFRegionalStack.java
    • WAFCloudfrontStack.java
  • Each stack is customized for the target usage scenario.

Build

To build this example, you need to be in this example's root directory. Then run the following:

```
npm install -g aws-cdk
cdk synth
```

  • This installs the CDK CLI, then resolves this example's Maven dependencies, and then synthesizes the CloudFormation templates. The resulting templates are written to the `cdk.out` directory.
  • If you want to see the synthesized CloudFormation template (YAML) for a single stack, pass its name to `cdk synth`:

```
cdk synth WafCloudFrontStack
cdk synth WafRegionalStack
```

Deploy

Run `cdk deploy`. This will deploy / redeploy your stacks to your AWS account.

After the deployment, you will be able to assign the WAF to your CloudFront distributions or load balancers. Note that a Web ACL with scope `CLOUDFRONT` can only be created in `us-east-1`, so `WafCloudFrontStack` must be deployed there; the `REGIONAL` Web ACL must live in the same region as the load balancers it protects.

WAF Rules

  • The WAF leverages the AWS Managed Rules for most of the enabled rule list.
  • The list of available managed rule groups can be quickly found using the AWS CLI (the two scopes are listed separately because the CloudFront and Regional Web ACLs are distinct resources):

```
aws wafv2 list-available-managed-rule-groups --scope CLOUDFRONT --region us-east-1
aws wafv2 list-available-managed-rule-groups --scope REGIONAL
```

Restrict connections based on country code

  • The example code includes a rule based on the geographic region of the source IP, as resolved by AWS WAF's own geolocation lookup.
  • If the source country is not in the configured list of country codes, the request is blocked. Geolocation is a coarse control: it is evaluated per request, and clients behind VPNs or proxies will appear to come from the proxy's country.

Restrict connections based on flow

  • The example code includes a rate-based rule that restricts traffic from any single source IP.
  • In the included example, once more than 100 requests arrive from one IP within a 5-minute window, further requests from that IP are blocked until its rate drops back below the limit. Requests are counted, not TCP connections, and the limit applies per aggregated IP, so many clients behind one NAT share a single bucket.
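The three rule types described above (a managed rule group, the country allow-list, and the per-IP rate limit) combined into one Regional Web ACL, written here as an added illustration and not copied from the example's `WafRegionalStack.java`. It assumes AWS CDK v2 (`software.amazon.awscdk`), where the `wafv2` L1 constructs are stable, and uses an assumed allow-list of `US` and `CA`; the CloudFront variant is the same code with `.scope("CLOUDFRONT")`, deployed in `us-east-1`.

```java
import java.util.List;
import java.util.Map;
import software.amazon.awscdk.CfnOutput;
import software.amazon.awscdk.Stack;
import software.amazon.awscdk.StackProps;
import software.amazon.awscdk.services.wafv2.CfnWebACL;
import software.constructs.Construct;

// Added example stack (hypothetical class name), not the project's own WafRegionalStack.
public class WafRegionalExampleStack extends Stack {

    // Assumed allow-list: everything outside these ISO 3166 country codes is blocked.
    private static final List<String> ALLOWED_COUNTRIES = List.of("US", "CA");

    public WafRegionalExampleStack(final Construct scope, final String id, final StackProps props) {
        super(scope, id, props);

        // Managed rule groups use overrideAction, not action: "none" keeps the group's own
        // per-rule block/count decisions instead of downgrading all of them to count.
        CfnWebACL.RuleProperty commonRules = CfnWebACL.RuleProperty.builder()
                .name("AWSManagedRulesCommonRuleSet")
                .priority(10)
                .overrideAction(CfnWebACL.OverrideActionProperty.builder().none(Map.of()).build())
                .statement(CfnWebACL.StatementProperty.builder()
                        .managedRuleGroupStatement(CfnWebACL.ManagedRuleGroupStatementProperty.builder()
                                .vendorName("AWS")
                                .name("AWSManagedRulesCommonRuleSet")
                                .build())
                        .build())
                .visibilityConfig(visibility("CommonRuleSet"))
                .build();

        // Country allow-list: block when the request does NOT match any allowed country.
        CfnWebACL.RuleProperty geoBlock = CfnWebACL.RuleProperty.builder()
                .name("BlockOutsideAllowedCountries")
                .priority(20)
                .action(CfnWebACL.RuleActionProperty.builder()
                        .block(CfnWebACL.BlockActionProperty.builder().build()).build())
                .statement(CfnWebACL.StatementProperty.builder()
                        .notStatement(CfnWebACL.NotStatementProperty.builder()
                                .statement(CfnWebACL.StatementProperty.builder()
                                        .geoMatchStatement(CfnWebACL.GeoMatchStatementProperty.builder()
                                                .countryCodes(ALLOWED_COUNTRIES)
                                                .build())
                                        .build())
                                .build())
                        .build())
                .visibilityConfig(visibility("GeoBlock"))
                .build();

        // Rate limit: more than 100 requests from one source IP in the 5-minute window is blocked.
        // aggregateKeyType "IP" uses the connecting address; behind another proxy you would
        // switch to "FORWARDED_IP" with a forwardedIpConfig so the proxy's IP is not rate-limited.
        CfnWebACL.RuleProperty rateLimit = CfnWebACL.RuleProperty.builder()
                .name("RateLimitPerIp")
                .priority(30)
                .action(CfnWebACL.RuleActionProperty.builder()
                        .block(CfnWebACL.BlockActionProperty.builder().build()).build())
                .statement(CfnWebACL.StatementProperty.builder()
                        .rateBasedStatement(CfnWebACL.RateBasedStatementProperty.builder()
                                .limit(100)
                                .aggregateKeyType("IP")
                                .build())
                        .build())
                .visibilityConfig(visibility("RateLimit"))
                .build();

        // Default action is allow; the rules above are evaluated in priority order.
        CfnWebACL acl = CfnWebACL.Builder.create(this, "WafAclRegional")
                .scope("REGIONAL")
                .defaultAction(CfnWebACL.DefaultActionProperty.builder()
                        .allow(CfnWebACL.AllowActionProperty.builder().build()).build())
                .rules(List.of(commonRules, geoBlock, rateLimit))
                .visibilityConfig(visibility("WafAclRegional"))
                .build();

        // Export the ACL ARN under the same name the README documents for the Regional stack.
        CfnOutput.Builder.create(this, "WafAclRegionalArn")
                .value(acl.getAttrArn())
                .exportName("WafRegionalStack:WafAclRegionalArn")
                .build();
    }

    // Every rule and the ACL itself need a visibilityConfig; metrics are what you alert on.
    private static CfnWebACL.VisibilityConfigProperty visibility(String metricName) {
        return CfnWebACL.VisibilityConfigProperty.builder()
                .sampledRequestsEnabled(true)
                .cloudWatchMetricsEnabled(true)
                .metricName(metricName)
                .build();
    }
}
```

When first rolling this out, it is common to set the geo and rate rules to `count` (via `CfnWebACL.CountActionProperty`) and watch the CloudWatch metrics for false positives before switching them to `block`.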

Using the WAF in other stacks and assigning to resources

  • Each WAF stack produces a CloudFormation Export.
  • The CloudFormation Export records the WAF ACL ARN for use with other stacks.
  • The exports are named:
    • WafCloudFrontStack:WafAclCloudFrontArn
    • WafRegionalStack:WafAclRegionalArn
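An added example of consuming those exports from a separate application stack; it is not part of this project's code. It assumes AWS CDK v2, creates its own VPC, load balancer and distribution purely for illustration (the `example.com` origin is a placeholder), and relies on `Fn.importValue`, which only resolves exports from the same account and region, so the CloudFront-facing stack below must itself be deployed in `us-east-1`.

```java
import software.amazon.awscdk.Fn;
import software.amazon.awscdk.Stack;
import software.amazon.awscdk.StackProps;
import software.amazon.awscdk.services.cloudfront.BehaviorOptions;
import software.amazon.awscdk.services.cloudfront.Distribution;
import software.amazon.awscdk.services.cloudfront.origins.HttpOrigin;
import software.amazon.awscdk.services.ec2.Vpc;
import software.amazon.awscdk.services.elasticloadbalancingv2.ApplicationLoadBalancer;
import software.amazon.awscdk.services.wafv2.CfnWebACLAssociation;
import software.constructs.Construct;

// Added example stack (hypothetical class name) that attaches both Web ACLs.
public class ProtectedAppStack extends Stack {
    public ProtectedAppStack(final Construct scope, final String id, final StackProps props) {
        super(scope, id, props);

        // Importing the export also makes CloudFormation refuse to delete the WAF stack
        // while this stack still depends on it.
        String regionalAclArn = Fn.importValue("WafRegionalStack:WafAclRegionalArn");
        String cloudFrontAclArn = Fn.importValue("WafCloudFrontStack:WafAclCloudFrontArn");

        // Regional resources (ALB, API Gateway, AppSync, ...) are attached with an association.
        Vpc vpc = Vpc.Builder.create(this, "Vpc").maxAzs(2).build();
        ApplicationLoadBalancer alb = ApplicationLoadBalancer.Builder.create(this, "Alb")
                .vpc(vpc)
                .internetFacing(true)
                .build();

        CfnWebACLAssociation.Builder.create(this, "AlbWafAssociation")
                .resourceArn(alb.getLoadBalancerArn())
                .webAclArn(regionalAclArn)
                .build();

        // CloudFront does not use CfnWebACLAssociation: the WAFv2 ACL ARN is set directly
        // on the distribution via webAclId.
        Distribution.Builder.create(this, "Distribution")
                .defaultBehavior(BehaviorOptions.builder()
                        .origin(new HttpOrigin("example.com")) // placeholder origin
                        .build())
                .webAclId(cloudFrontAclArn)
                .build();
    }
}
```

Attaching the ACL at the distribution or load balancer is what makes the geo and rate rules meaningful: by the time a request reaches the origin, the client address has been replaced by CloudFront's or the ALB's, so a WAF placed any further back would see the wrong IP.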

Useful commands

  • `mvn package` compile and run tests
  • `cdk ls` list all stacks in the app
  • `cdk synth` emits the synthesized CloudFormation template
  • `cdk deploy` deploy this stack to your default AWS account/region
  • `cdk diff` compare deployed stack with current state
  • `cdk docs` open CDK documentation