时间戳

首页 > 解决方案 > AWS WAF CDK Python 如何更改规则操作

python - AWS WAF CDK Python 如何更改规则操作

问题描述

这是我的 python cdk 代码,它创建了 2 个规则“ AWS-AWSManagedRulesCommonRuleSet ”和“ AWS-AWS-ManagedRulesAmazonIpReputationList ”。在每条规则中都有子规则,我可以将它们的规则操作更改为计数,问题是如何将其添加到我的代码中,我没有为这些子规则找到任何好的解释。

添加了一些更改但仍然不起作用,我收到此错误:

Resource handler returned message: "Error reason: You have used none or multiple values for a field that requires exactly one value., field: RULE, parameter: Rule (Service: Wafv2, Status Code: 400, Request ID: 248d9235-bd01-49f4-963b-109bac2776c5, Extended Request ID: null)" (RequestToken: 8bb5****-****-3e95-****- 
8e336ae3eed4, HandlerErrorCode: InvalidRequest)

编码:

class PyCdkStack(core.Stack):

def __init__(self, scope: core.Construct, construct_id: str, **kwargs) -> None:
    super().__init__(scope, construct_id, **kwargs)

    web_acl = wafv2.CfnWebACL(
        scope_=self, id='WebAcl',
        default_action=wafv2.CfnWebACL.DefaultActionProperty(allow={}),
        scope='REGIONAL',
        visibility_config=wafv2.CfnWebACL.VisibilityConfigProperty(
            cloud_watch_metrics_enabled=True,
            sampled_requests_enabled=True,
            metric_name='testwafmetric',
        ),
        name='Test-Test-WebACL',
        rules=[
            {
                'name': 'AWS-AWSManagedRulesCommonRuleSet',
                'priority': 1,
                'statement': {
                    'RuleGroupReferenceStatement': {
                        'vendorName': 'AWS',
                        'name': 'AWSManagedRulesCommonRuleSet',
                        'ARN': 'string',
                        "ExcludedRules": [
                            {
                                "Name": "CrossSiteScripting_QUERYARGUMENTS"
                            },
                            {
                                "Name": "GenericLFI_QUERYARGUMENTS"
                            },
                            {
                                "Name": "GenericRFI_QUERYARGUMENTS"
                            },
                            {
                                "Name": "NoUserAgent_HEADER"
                            },
                            {
                                "Name": "SizeRestrictions_QUERYSTRING"
                            }
                        ]
                    }
                },
                'overrideAction': {
                    'none': {}
                },
                'visibilityConfig': {
                    'sampledRequestsEnabled': True,
                    'cloudWatchMetricsEnabled': True,
                    'metricName': "AWS-AWSManagedRulesCommonRuleSet"
                }
            },
        ]
    )

标签: pythonamazon-web-servicesaws-cdkweb-application-firewall

解决方案

- 构造是到 cloudformation 资源的Cfn一对一映射。您可以简单地检查文档以获取aws::wafv2::webacl.

有关如何在 cloudformation 中排除的示例,请参见下文。请注意,对象键需要以小写字母开头,以便 CDK 处理它们。

{
    "name": "AWS-AWSBotControl-Example",
   "priority": 5, 
   "statement": {
    "managedRuleGroupStatement": {
        "vendorName": "AWS",
        "name": "AWSManagedRulesBotControlRuleSet",
        "excludedRules": [
            {
                "name": "CategoryVerifiedSearchEngine"
            },
            {
                "name": "CategoryVerifiedSocialMedia"
            }
        ]
    },
   "visibilityConfig": {
       "sampledRequestsEnabled": true,
       "cloudWatchMetricsEnabled": true,
       "metricName": "AWS-AWSBotControl-Example"
   }
}

这实际上将提到的两个规则设置为计数模式。请参阅https://docs.aws.amazon.com/waf/latest/developerguide/web-acl-rule-group-settings.html#web-acl-rule-group-rule-to-count。注意它说:

您像这样更改的规则被描述为规则组中的排除规则。如果您启用了指标,您会收到每个排除规则的 COUNT 个指标。此更改会更改规则组中规则的评估方式。

推荐阅读