# Resource: awsNetworkfirewallRuleGroup

Provides an AWS Network Firewall Rule Group Resource.

## Example Usage
### Stateful Inspection for denying access to a domain

```typescript
/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as aws from "./.gen/providers/aws";
new aws.networkfirewallRuleGroup.NetworkfirewallRuleGroup(this, "example", {
  capacity: 100,
  name: "example",
  ruleGroup: {
    rulesSource: {
      rulesSourceList: {
        generatedRulesType: "DENYLIST",
        targetTypes: ["HTTP_HOST"],
        targets: ["test.example.com"],
      },
    },
  },
  tags: {
    Tag1: "Value1",
    Tag2: "Value2",
  },
  type: "STATEFUL",
});
```
### Stateful Inspection for permitting packets from a source IP address

```typescript
/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as aws from "./.gen/providers/aws";
const ips = ["1.1.1.1/32", "1.0.0.1/32"];
const awsNetworkfirewallRuleGroupExample =
  new aws.networkfirewallRuleGroup.NetworkfirewallRuleGroup(this, "example", {
    capacity: 50,
    description: "Permits http traffic from source",
    name: "example",
    ruleGroup: {
      rulesSource: {
        // Empty placeholder; the addOverride below replaces it with a
        // Terraform dynamic block built from `ips`.
        statefulRule: [],
      },
    },
    tags: {
      Name: "permit HTTP from source",
    },
    type: "STATEFUL",
  });
/*In most cases loops should be handled in the programming language context and
not inside of the Terraform context. If you are looping over something external, e.g. a variable or a file input
you should consider using a for loop. If you are looping over something only known to Terraform, e.g. a result of a data source
you need to keep this like it is.*/
awsNetworkfirewallRuleGroupExample.addOverride(
  "rule_group.0.rules_source.0.stateful_rule",
  {
    for_each: ips,
    content: [
      {
        action: "PASS",
        header: [
          {
            destination: "ANY",
            destination_port: "ANY",
            direction: "ANY",
            protocol: "HTTP",
            source: "${stateful_rule.value}",
            source_port: "ANY",
          },
        ],
        rule_option: [
          {
            keyword: "sid",
            settings: ["1"],
          },
        ],
      },
    ],
  }
);
```
### Stateful Inspection for blocking packets from going to an intended destination

```typescript
/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as aws from "./.gen/providers/aws";
new aws.networkfirewallRuleGroup.NetworkfirewallRuleGroup(this, "example", {
  capacity: 100,
  name: "example",
  ruleGroup: {
    rulesSource: {
      statefulRule: [
        {
          action: "DROP",
          header: {
            destination: "124.1.1.24/32",
            // Header ports are strings in the provider schema ("ANY" is also valid).
            destinationPort: "53",
            direction: "ANY",
            protocol: "TCP",
            source: "1.2.3.4/32",
            sourcePort: "53",
          },
          ruleOption: [
            {
              keyword: "sid",
              settings: ["1"],
            },
          ],
        },
      ],
    },
  },
  tags: {
    Tag1: "Value1",
    Tag2: "Value2",
  },
  type: "STATEFUL",
});
```
### Stateful Inspection from rules specifications defined in Suricata flat format

```typescript
/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as aws from "./.gen/providers/aws";
new aws.networkfirewallRuleGroup.NetworkfirewallRuleGroup(this, "example", {
  capacity: 100,
  name: "example",
  rules: '${file("example.rules")}',
  tags: {
    Tag1: "Value1",
    Tag2: "Value2",
  },
  type: "STATEFUL",
});
```
### Stateful Inspection from rule group specifications using rule variables and Suricata format rules

```typescript
/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as aws from "./.gen/providers/aws";
new aws.networkfirewallRuleGroup.NetworkfirewallRuleGroup(this, "example", {
  capacity: 100,
  name: "example",
  ruleGroup: {
    ruleVariables: {
      ipSets: [
        {
          ipSet: {
            definition: ["10.0.0.0/16", "10.0.1.0/24", "192.168.0.0/16"],
          },
          key: "WEBSERVERS_HOSTS",
        },
        {
          ipSet: {
            definition: ["1.2.3.4/32"],
          },
          key: "EXTERNAL_HOST",
        },
      ],
      portSets: [
        {
          key: "HTTP_PORTS",
          portSet: {
            definition: ["443", "80"],
          },
        },
      ],
    },
    rulesSource: {
      rulesString: '${file("suricata_rules_file")}',
    },
  },
  tags: {
    Tag1: "Value1",
    Tag2: "Value2",
  },
  type: "STATEFUL",
});
```
### Stateless Inspection with a Custom Action

```typescript
/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as aws from "./.gen/providers/aws";
new aws.networkfirewallRuleGroup.NetworkfirewallRuleGroup(this, "example", {
  capacity: 100,
  description: "Stateless Rate Limiting Rule",
  name: "example",
  ruleGroup: {
    rulesSource: {
      statelessRulesAndCustomActions: {
        customAction: [
          {
            actionDefinition: {
              publishMetricAction: {
                dimension: [
                  {
                    value: "2",
                  },
                ],
              },
            },
            actionName: "ExampleMetricsAction",
          },
        ],
        statelessRule: [
          {
            priority: 1,
            ruleDefinition: {
              actions: ["aws:pass", "ExampleMetricsAction"],
              matchAttributes: {
                destination: [
                  {
                    addressDefinition: "124.1.1.5/32",
                  },
                ],
                destinationPort: [
                  {
                    fromPort: 443,
                    toPort: 443,
                  },
                ],
                protocols: [6],
                source: [
                  {
                    addressDefinition: "1.2.3.4/32",
                  },
                ],
                sourcePort: [
                  {
                    fromPort: 443,
                    toPort: 443,
                  },
                ],
                tcpFlag: [
                  {
                    flags: ["SYN"],
                    masks: ["SYN", "ACK"],
                  },
                ],
              },
            },
          },
        ],
      },
    },
  },
  tags: {
    Tag1: "Value1",
    Tag2: "Value2",
  },
  type: "STATELESS",
});
```
### IP Set References to the Rule Group

```typescript
/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as aws from "./.gen/providers/aws";
new aws.networkfirewallRuleGroup.NetworkfirewallRuleGroup(this, "example", {
  capacity: 100,
  name: "example",
  ruleGroup: {
    referenceSets: {
      ipSetReferences: [
        {
          ipSetReference: [
            {
              referenceArn: "${aws_ec2_managed_prefix_list.this.arn}",
            },
          ],
          key: "example",
        },
      ],
    },
    rulesSource: {
      rulesSourceList: {
        generatedRulesType: "DENYLIST",
        targetTypes: ["HTTP_HOST"],
        targets: ["test.example.com"],
      },
    },
  },
  tags: {
    Tag1: "Value1",
    Tag2: "Value2",
  },
  type: "STATEFUL",
});
```
## Argument Reference

The following arguments are supported:

- `capacity` - (Required, Forces new resource) The maximum number of operating resources that this rule group can use. For a stateless rule group, the capacity required is the sum of the capacity requirements of the individual rules. For a stateful rule group, the minimum capacity required is the number of individual rules.
- `description` - (Optional) A friendly description of the rule group.
- `encryptionConfiguration` - (Optional) KMS encryption configuration settings. See Encryption Configuration below for details.
- `name` - (Required, Forces new resource) A friendly name of the rule group.
- `ruleGroup` - (Optional) A configuration block that defines the rule group rules. Required unless `rules` is specified. See Rule Group below for details.
- `rules` - (Optional) The stateful rule group rules specifications in Suricata file format, with one rule per line. Use this to import your existing Suricata compatible rule groups. Required unless `ruleGroup` is specified.
- `tags` - (Optional) A map of key:value pairs to associate with the resource. If configured with a provider `defaultTags` configuration block present, tags with matching keys will overwrite those defined at the provider level.
- `type` - (Required) Whether the rule group is stateless (containing stateless rules) or stateful (containing stateful rules). Valid values: `STATEFUL` or `STATELESS`.
### Encryption Configuration

`encryptionConfiguration` settings for customer managed KMS keys. Remove this block to use the default AWS-managed KMS encryption (rather than setting `type` to `AWS_OWNED_KMS_KEY`).

- `keyId` - (Optional) The ID of the customer managed key. You can use any of the key identifiers that KMS supports, unless you're using a key that's managed by another account. If you're using a key managed by another account, then specify the key ARN.
- `type` - (Required) The type of AWS KMS key to use for encryption of your Network Firewall resources. Valid values are `CUSTOMER_KMS` and `AWS_OWNED_KMS_KEY`.
### Rule Group

The `ruleGroup` block supports the following arguments:

- `referenceSets` - (Optional) A configuration block that defines the IP Set References for the rule group. See Reference Sets below for details.
- `ruleVariables` - (Optional) A configuration block that defines additional settings available to use in the rules defined in the rule group. Can only be specified for stateful rule groups. See Rule Variables below for details.
- `rulesSource` - (Required) A configuration block that defines the stateful or stateless rules for the rule group. See Rules Source below for details.
- `statefulRuleOptions` - (Optional) A configuration block that defines stateful rule options for the rule group. See Stateful Rule Options below for details.
### Reference Sets

The `referenceSets` block supports the following argument:

- `ipSetReference` - (Optional) Set of configuration blocks that define the IP Reference information. See IP Set Reference below for details.
### Rule Variables

The `ruleVariables` block supports the following arguments:

- `ipSets` - (Optional) Set of configuration blocks that define IP address information. See IP Sets below for details.
- `portSets` - (Optional) Set of configuration blocks that define port range information. See Port Sets below for details.
### IP Sets

The `ipSets` block supports the following arguments:

- `key` - (Required) A unique alphanumeric string to identify the `ipSet`.
- `ipSet` - (Required) A configuration block that defines a set of IP addresses. See IP Set below for details.
### IP Set

The `ipSet` configuration block supports the following argument:

- `definition` - (Required) Set of IP addresses and address ranges, in CIDR notation.
### IP Set Reference

The `ipSetReference` configuration block supports the following arguments:

- `key` - (Required) A unique alphanumeric string to identify the `ipSet`.
- `referenceArn` - (Required) Set of managed prefix list ARNs.
### Port Sets

The `portSets` block supports the following arguments:

- `key` - (Required) A unique alphanumeric string to identify the `portSet`.
- `portSet` - (Required) A configuration block that defines a set of port ranges. See Port Set below for details.
### Port Set

The `portSet` configuration block supports the following argument:

- `definition` - (Required) Set of port ranges.
### Rules Source

The `rulesSource` block supports the following arguments:

~> **NOTE:** Only one of `rulesSourceList`, `rulesString`, `statefulRule`, or `statelessRulesAndCustomActions` must be specified.

- `rulesSourceList` - (Optional) A configuration block containing stateful inspection criteria for a domain list rule group. See Rules Source List below for details.
- `rulesString` - (Optional) The fully qualified name of a file in an S3 bucket that contains Suricata compatible intrusion prevention system (IPS) rules, or the Suricata rules as a string. These rules contain stateful inspection criteria and the action to take for traffic that matches the criteria.
- `statefulRule` - (Optional) Set of configuration blocks containing stateful inspection criteria for 5-tuple rules to be used together in a rule group. See Stateful Rule below for details.
- `statelessRulesAndCustomActions` - (Optional) A configuration block containing stateless inspection criteria for a stateless rule group. See Stateless Rules and Custom Actions below for details.
### Stateful Rule Options

The `statefulRuleOptions` block supports the following argument:

~> **NOTE:** If the `STRICT_ORDER` rule order is specified, this rule group can only be referenced in firewall policies that also utilize `STRICT_ORDER` for the stateful engine. `STRICT_ORDER` can only be specified when using a `rulesSource` of `rulesString` or `statefulRule`.

- `ruleOrder` - (Required) Indicates how to manage the order of the rule evaluation for the rule group. Default value: `DEFAULT_ACTION_ORDER`. Valid values: `DEFAULT_ACTION_ORDER`, `STRICT_ORDER`.
### Rules Source List

The `rulesSourceList` block supports the following arguments:

- `generatedRulesType` - (Required) String value to specify whether domains in the target list are allowed or denied access. Valid values: `ALLOWLIST`, `DENYLIST`.
- `targetTypes` - (Required) Set of types of domain specifications that are provided in the `targets` argument. Valid values: `HTTP_HOST`, `TLS_SNI`.
- `targets` - (Required) Set of domains that you want to inspect for in your traffic flows.
### Stateful Rule

The `statefulRule` block supports the following arguments:

- `action` - (Required) Action to take with packets in a traffic flow when the flow matches the stateful rule criteria. For all actions, AWS Network Firewall performs the specified action and discontinues stateful inspection of the traffic flow. Valid values: `ALERT`, `DROP` or `PASS`.
- `header` - (Required) A configuration block containing the stateful 5-tuple inspection criteria for the rule, used to inspect traffic flows. See Header below for details.
- `ruleOption` - (Required) Set of configuration blocks containing additional settings for a stateful rule. See Rule Option below for details.
### Stateless Rules and Custom Actions

The `statelessRulesAndCustomActions` block supports the following arguments:

- `customAction` - (Optional) Set of configuration blocks containing custom action definitions that are available for use by the set of `statelessRule`. See Custom Action below for details.
- `statelessRule` - (Required) Set of configuration blocks containing the stateless rules for use in the stateless rule group. See Stateless Rule below for details.
### Header

The `header` block supports the following arguments:

- `destination` - (Required) The destination IP address or address range to inspect for, in CIDR notation. To match with any address, specify `ANY`.
- `destinationPort` - (Required) The destination port to inspect for. To match with any port, specify `ANY`.
- `direction` - (Required) The direction of traffic flow to inspect. Valid values: `ANY` or `FORWARD`.
- `protocol` - (Required) The protocol to inspect. Valid values: `IP`, `TCP`, `UDP`, `ICMP`, `HTTP`, `FTP`, `TLS`, `SMB`, `DNS`, `DCERPC`, `SSH`, `SMTP`, `IMAP`, `MSN`, `KRB5`, `IKEV2`, `TFTP`, `NTP`, `DHCP`.
- `source` - (Required) The source IP address or address range to inspect for, in CIDR notation. To match with any address, specify `ANY`.
- `sourcePort` - (Required) The source port to inspect for. To match with any port, specify `ANY`.
### Rule Option

The `ruleOption` block supports the following arguments:

- `keyword` - (Required) Keyword defined by open source detection systems like Snort or Suricata for stateful rule inspection. See Snort General Rule Options or Suricata Rule Options for more details.
- `settings` - (Optional) Set of strings for additional settings to use in stateful rule inspection.
### Custom Action

The `customAction` block supports the following arguments:

- `actionDefinition` - (Required) A configuration block describing the custom action associated with the `actionName`. See Action Definition below for details.
- `actionName` - (Required, Forces new resource) A friendly name of the custom action.
### Stateless Rule

The `statelessRule` block supports the following arguments:

- `priority` - (Required) A setting that indicates the order in which to run this rule relative to all of the rules that are defined for a stateless rule group. AWS Network Firewall evaluates the rules in a rule group starting with the lowest priority setting.
- `ruleDefinition` - (Required) A configuration block defining the stateless 5-tuple packet inspection criteria and the action to take on a packet that matches the criteria. See Rule Definition below for details.
### Rule Definition

The `ruleDefinition` block supports the following arguments:

- `actions` - (Required) Set of actions to take on a packet that matches one of the stateless rule definition's `matchAttributes`. For every rule you must specify 1 standard action, and you can add custom actions. Standard actions include: `aws:pass`, `aws:drop`, `aws:forwardToSfe`.
- `matchAttributes` - (Required) A configuration block containing criteria for AWS Network Firewall to use to inspect an individual packet in stateless rule inspection. See Match Attributes below for details.
### Match Attributes

The `matchAttributes` block supports the following arguments:

- `destination` - (Optional) Set of configuration blocks describing the destination IP address and address ranges to inspect for, in CIDR notation. If not specified, this matches with any destination address. See Destination below for details.
- `destinationPort` - (Optional) Set of configuration blocks describing the destination ports to inspect for. If not specified, this matches with any destination port. See Destination Port below for details.
- `protocols` - (Optional) Set of protocols to inspect for, specified using the protocol's assigned internet protocol number (IANA). If not specified, this matches with any protocol.
- `source` - (Optional) Set of configuration blocks describing the source IP address and address ranges to inspect for, in CIDR notation. If not specified, this matches with any source address. See Source below for details.
- `sourcePort` - (Optional) Set of configuration blocks describing the source ports to inspect for. If not specified, this matches with any source port. See Source Port below for details.
- `tcpFlag` - (Optional) Set of configuration blocks containing the TCP flags and masks to inspect for. If not specified, this matches with any settings.
### Action Definition

The `actionDefinition` block supports the following argument:

- `publishMetricAction` - (Required) A configuration block describing the stateless inspection criteria that publishes the specified metrics to Amazon CloudWatch for the matching packet. You can pair this custom action with any of the standard stateless rule actions. See Publish Metric Action below for details.

### Publish Metric Action

The `publishMetricAction` block supports the following argument:

- `dimension` - (Required) Set of configuration blocks containing the dimension settings to use for Amazon CloudWatch custom metrics. See Dimension below for details.

### Dimension

The `dimension` block supports the following argument:

- `value` - (Required) The value to use in the custom metric dimension.
### Destination

The `destination` block supports the following argument:

- `addressDefinition` - (Required) An IP address or a block of IP addresses in CIDR notation. AWS Network Firewall supports all address ranges for IPv4.

### Destination Port

The `destinationPort` block supports the following arguments:

- `fromPort` - (Required) The lower limit of the port range. This must be less than or equal to the `toPort`.
- `toPort` - (Optional) The upper limit of the port range. This must be greater than or equal to the `fromPort`.

### Source

The `source` block supports the following argument:

- `addressDefinition` - (Required) An IP address or a block of IP addresses in CIDR notation. AWS Network Firewall supports all address ranges for IPv4.

### Source Port

The `sourcePort` block supports the following arguments:

- `fromPort` - (Required) The lower limit of the port range. This must be less than or equal to the `toPort`.
- `toPort` - (Optional) The upper limit of the port range. This must be greater than or equal to the `fromPort`.
### TCP Flag

The `tcpFlag` block supports the following arguments:

- `flags` - (Required) Set of flags to look for in a packet. This setting can only specify values that are also specified in `masks`. Valid values: `FIN`, `SYN`, `RST`, `PSH`, `ACK`, `URG`, `ECE`, `CWR`.
- `masks` - (Optional) Set of flags to consider in the inspection. To inspect all flags, leave this empty. Valid values: `FIN`, `SYN`, `RST`, `PSH`, `ACK`, `URG`, `ECE`, `CWR`.
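The argument sections above state several constraints that the provider only reports at plan or apply time. As an added example (not code from the provider or this page), the following stand-alone TypeScript pre-flight check applies them to a `ruleGroup`-shaped object: exactly one rules-source kind, `ruleVariables` only on stateful groups, `STRICT_ORDER` only with `rulesString` or `statefulRule`, stateful `capacity` of at least one per rule, `fromPort` no greater than `toPort`, and `flags` a subset of `masks`. The type names, `validateRuleGroup` and `countSuricataRules` are assumptions of this example, not provider types; the CDKTF construct is deliberately not imported so the block runs without generated bindings.

```typescript
// Added example (not from the provider docs): a plain-TypeScript pre-flight check that
// applies this page's documented rulesSource, ruleVariables, statefulRuleOptions,
// capacity, port-range and tcpFlag constraints to a ruleGroup-shaped object before it is
// passed to NetworkfirewallRuleGroup. Only the fields the checks need are modelled.
type PortRange = { fromPort: number; toPort?: number };
type TcpFlag = { flags: string[]; masks?: string[] };
type MatchAttributes = { destinationPort?: PortRange[]; sourcePort?: PortRange[]; tcpFlag?: TcpFlag[] };
type StatelessRule = { priority: number; ruleDefinition: { actions: string[]; matchAttributes: MatchAttributes } };
type RulesSource = {
  rulesSourceList?: unknown;
  rulesString?: string;
  statefulRule?: unknown[];
  statelessRulesAndCustomActions?: { statelessRule: StatelessRule[] };
};
export type RuleGroupSpec = {
  type: "STATEFUL" | "STATELESS";
  capacity: number;
  ruleGroup: {
    rulesSource: RulesSource;
    ruleVariables?: unknown;
    statefulRuleOptions?: { ruleOrder: "DEFAULT_ACTION_ORDER" | "STRICT_ORDER" };
  };
};

// Counts one Suricata rule per non-empty, non-comment line (the `rules` format above).
export function countSuricataRules(rules: string): number {
  return rules.split("\n").filter((l) => l.trim() !== "" && !l.trim().startsWith("#")).length;
}

export function validateRuleGroup(spec: RuleGroupSpec): string[] {
  const errors: string[] = [];
  const rs = spec.ruleGroup.rulesSource;
  // Rules Source: exactly one of the four source kinds may be set.
  const kinds = Object.entries(rs).filter(([, v]) => v !== undefined).map(([k]) => k);
  if (kinds.length !== 1) errors.push(`rulesSource needs exactly one source kind, got [${kinds.join(", ")}]`);
  // Rule Variables: only valid for stateful rule groups.
  if (spec.ruleGroup.ruleVariables !== undefined && spec.type !== "STATEFUL") errors.push("ruleVariables require type STATEFUL");
  // Stateful Rule Options: STRICT_ORDER only with rulesString or statefulRule.
  if (spec.ruleGroup.statefulRuleOptions?.ruleOrder === "STRICT_ORDER" && !rs.rulesString && !rs.statefulRule)
    errors.push("STRICT_ORDER requires a rulesSource of rulesString or statefulRule");
  // Capacity: a stateful group needs at least one unit per individual rule.
  if (spec.type === "STATEFUL") {
    const n = rs.statefulRule?.length ?? (rs.rulesString ? countSuricataRules(rs.rulesString) : 0);
    if (spec.capacity < n) errors.push(`capacity ${spec.capacity} is below the ${n} rules defined`);
  }
  for (const r of rs.statelessRulesAndCustomActions?.statelessRule ?? []) {
    const tag = `statelessRule priority ${r.priority}`;
    // Rule Definition: exactly one aws:* standard action; custom actions are extra.
    if (r.ruleDefinition.actions.filter((a) => a.startsWith("aws:")).length !== 1) errors.push(`${tag}: exactly one standard action required`);
    const m = r.ruleDefinition.matchAttributes;
    // Destination Port / Source Port: fromPort must not exceed toPort.
    for (const p of [...(m.destinationPort ?? []), ...(m.sourcePort ?? [])])
      if (p.toPort !== undefined && p.fromPort > p.toPort) errors.push(`${tag}: fromPort ${p.fromPort} > toPort ${p.toPort}`);
    // TCP Flag: every flag must also appear in masks (when masks is non-empty).
    for (const f of m.tcpFlag ?? []) {
      const masks = f.masks ?? [];
      if (masks.length > 0 && f.flags.some((x) => !masks.includes(x))) errors.push(`${tag}: flags must be a subset of masks`);
    }
  }
  return errors;
}
```

Run it over the object you are about to pass to the construct; an empty array means every documented constraint on this page holds.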
## Attributes Reference

In addition to all arguments above, the following attributes are exported:

- `id` - The Amazon Resource Name (ARN) that identifies the rule group.
- `arn` - The Amazon Resource Name (ARN) that identifies the rule group.
- `tagsAll` - A map of tags assigned to the resource, including those inherited from the provider `defaultTags` configuration block.
- `updateToken` - A string token used when updating the rule group.
## Import

Network Firewall Rule Groups can be imported using their `arn`.