AWS::NetworkFirewall::FirewallPolicy - AWS CloudFormation
Use the AWS::NetworkFirewall::FirewallPolicy to define the stateless and stateful network traffic filtering behavior for your AWS::NetworkFirewall::Firewall. You can use one firewall policy for multiple firewalls.
Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:
JSON
{
  "Type" : "AWS::NetworkFirewall::FirewallPolicy",
  "Properties" : {
    "Description" : String,
    "FirewallPolicy" : FirewallPolicy,
    "FirewallPolicyName" : String,
    "Tags" : [ Tag, ... ]
  }
}
Properties
Description
A description of the firewall policy.
Required: No
Type: String
Pattern: ^.*$
Minimum: 1
Maximum: 512
Update requires: No interruption
FirewallPolicy
The traffic filtering behavior of a firewall policy, defined in a collection of stateless and stateful rule groups and other settings.
Required: Yes
Type: FirewallPolicy
Update requires: No interruption
FirewallPolicyName
The descriptive name of the firewall policy. You can't change the name of a firewall policy after you create it.
Required: Yes
Type: String
Pattern: ^[a-zA-Z0-9-]+$
Minimum: 1
Maximum: 128
Update requires: Replacement
Tags
An array of key-value pairs to apply to this resource.
For more information, see Tag.
Required: No
Type: Array of Tag
Minimum: 1
Maximum: 200
Update requires: No interruption
Return values
Ref
When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns the Amazon Resource Name (ARN) of the firewall policy. For example:
{ "Ref": "arn:aws:network-firewall:us-east-1:012345678901:firewall-policy/myFirewallPolicyName" }
For more information about using the Ref function, see Ref.
Fn::GetAtt
The Fn::GetAtt intrinsic function returns a value for a specified attribute of this type. The following are the available attributes and sample return values.
For more information about using the Fn::GetAtt intrinsic function, see Fn::GetAtt.
Examples
Create a firewall policy
The following shows example firewall policy specifications.
JSON
"SampleFirewallPolicy": {
  "Type": "AWS::NetworkFirewall::FirewallPolicy",
  "Properties": {
    "FirewallPolicyName": "SampleFirewallPolicyName",
    "FirewallPolicy": {
      "StatelessDefaultActions": [
        "aws:pass"
      ],
      "StatelessFragmentDefaultActions": [
        "aws:drop"
      ],
      "StatefulRuleGroupReferences": [
        {
          "ResourceArn": {
            "Ref": "SampleStatefulRuleGroup"
          }
        }
      ],
      "StatelessRuleGroupReferences": [
        {
          "ResourceArn": {
            "Ref": "SampleStatelessRuleGroup"
          },
          "Priority": 100
        }
      ]
    },
    "Description": "FirewallPolicy description goes here",
    "Tags": [
      {
        "Key": "Foo",
        "Value": "Bar"
      }
    ]
  }
}
YAML
SampleFirewallPolicy:
  Type: 'AWS::NetworkFirewall::FirewallPolicy'
  Properties:
    FirewallPolicyName: SampleFirewallPolicyName
    FirewallPolicy:
      StatelessDefaultActions:
        - 'aws:pass'
      StatelessFragmentDefaultActions:
        - 'aws:drop'
      StatefulRuleGroupReferences:
        - ResourceArn: !Ref SampleStatefulRuleGroup1
      StatelessRuleGroupReferences:
        - ResourceArn: !Ref SampleStatelessRuleGroup
          Priority: 100
    Description: FirewallPolicy description goes here
    Tags:
      - Key: Foo
        Value: Bar
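The property constraints listed above (name pattern and length limits, Description and Tags bounds, the required FirewallPolicy block) and the sample policy in the Examples section can be checked before deployment. The following linter is an added example, not AWS code: it walks the JSON form of a template, applies the constraints from this page, and flags the configuration the sample shows, where StatelessDefaultActions is aws:pass while a stateful rule group is referenced. That last check rests on Network Firewall semantics taken from the service's API reference rather than from this page: aws:pass and aws:drop decide an unmatched packet in the stateless engine, and only aws:forward_to_sfe sends it on to the stateful rule groups. The hardened policy in the block, including its StatefulEngineOptions and StatefulDefaultActions, is likewise constructed from that API reference; both sample resources are constructed input.

```python
"""Lint AWS::NetworkFirewall::FirewallPolicy resources in a CloudFormation template (JSON form).

Added example; not AWS code. Constraints come from the FirewallPolicy property reference;
stateless default-action semantics are assumed from the Network Firewall API reference.
"""
from __future__ import annotations

import re
from typing import Any

# Property constraints copied from the resource reference above.
NAME_PATTERN = re.compile(r"^[a-zA-Z0-9-]+$")
NAME_MAX, DESCRIPTION_MAX, TAGS_MAX = 128, 512, 200

# Assumed semantics (API reference, not this page): aws:pass and aws:drop settle a packet in
# the stateless engine; only aws:forward_to_sfe hands it to the stateful rule groups.
STANDARD_ACTIONS = {"aws:pass", "aws:drop", "aws:forward_to_sfe"}
POLICY_TYPE = "AWS::NetworkFirewall::FirewallPolicy"


def lint_firewall_policy(logical_id: str, resource: dict[str, Any]) -> list[str]:
    """Return findings for one FirewallPolicy resource; an empty list means clean."""
    findings: list[str] = []
    props = resource.get("Properties", {})

    name = props.get("FirewallPolicyName")
    if not isinstance(name, str) or not 1 <= len(name) <= NAME_MAX or not NAME_PATTERN.match(name):
        findings.append(f"{logical_id}: FirewallPolicyName must match ^[a-zA-Z0-9-]+$ and be 1-{NAME_MAX} chars")

    desc = props.get("Description")
    if desc is not None and not 1 <= len(desc) <= DESCRIPTION_MAX:
        findings.append(f"{logical_id}: Description must be 1-{DESCRIPTION_MAX} chars when present")

    tags = props.get("Tags")
    if tags is not None and not 1 <= len(tags) <= TAGS_MAX:
        findings.append(f"{logical_id}: Tags must hold 1-{TAGS_MAX} entries when present")

    policy = props.get("FirewallPolicy")
    if not isinstance(policy, dict):
        findings.append(f"{logical_id}: FirewallPolicy is required")
        return findings

    # A stateless reference carries both a ResourceArn and an evaluation Priority.
    for ref in policy.get("StatelessRuleGroupReferences", []):
        if "ResourceArn" not in ref or not isinstance(ref.get("Priority"), int):
            findings.append(f"{logical_id}: each StatelessRuleGroupReference needs ResourceArn and an integer Priority")

    has_stateful = bool(policy.get("StatefulRuleGroupReferences"))
    for key in ("StatelessDefaultActions", "StatelessFragmentDefaultActions"):
        actions = policy.get(key) or []
        standard = [a for a in actions if a in STANDARD_ACTIONS]
        if len(standard) != 1:
            findings.append(f"{logical_id}: {key} must contain exactly one of {sorted(STANDARD_ACTIONS)}")
            continue
        # Security check: a referenced stateful rule group is a silent gap if unmatched packets
        # never reach it, which is what aws:pass as the stateless default produces.
        if has_stateful and standard[0] == "aws:pass":
            findings.append(f"{logical_id}: {key} is aws:pass, so referenced stateful rule groups never inspect packets that match no stateless rule")
    return findings


def lint_template(template: dict[str, Any]) -> dict[str, list[str]]:
    """Lint every FirewallPolicy resource in a template, keyed by logical ID."""
    return {
        lid: lint_firewall_policy(lid, res)
        for lid, res in template.get("Resources", {}).items()
        if res.get("Type") == POLICY_TYPE
    }


# Constructed input: the page's sample policy next to a hardened variant.
PAGE_SAMPLE = {
    "Type": POLICY_TYPE,
    "Properties": {
        "FirewallPolicyName": "SampleFirewallPolicyName",
        "FirewallPolicy": {
            "StatelessDefaultActions": ["aws:pass"],
            "StatelessFragmentDefaultActions": ["aws:drop"],
            "StatefulRuleGroupReferences": [{"ResourceArn": {"Ref": "SampleStatefulRuleGroup"}}],
            "StatelessRuleGroupReferences": [{"ResourceArn": {"Ref": "SampleStatelessRuleGroup"}, "Priority": 100}],
        },
        "Description": "FirewallPolicy description goes here",
        "Tags": [{"Key": "Foo", "Value": "Bar"}],
    },
}
HARDENED = {
    "Type": POLICY_TYPE,
    "Properties": {
        "FirewallPolicyName": "HardenedFirewallPolicy",
        "Description": "Unmatched packets go to the stateful engine; fragments are dropped",
        "FirewallPolicy": {
            "StatelessDefaultActions": ["aws:forward_to_sfe"],
            "StatelessFragmentDefaultActions": ["aws:drop"],
            "StatelessRuleGroupReferences": [{"ResourceArn": {"Ref": "SampleStatelessRuleGroup"}, "Priority": 100}],
            "StatefulRuleGroupReferences": [{"ResourceArn": {"Ref": "SampleStatefulRuleGroup"}}],
            # Assumed from the API reference: strict ordering with a default drop in the stateful
            # engine; the referenced stateful rule groups must then be strict-order groups too.
            "StatefulEngineOptions": {"RuleOrder": "STRICT_ORDER"},
            "StatefulDefaultActions": ["aws:drop_strict"],
        },
    },
}
TEMPLATE = {"Resources": {"SampleFirewallPolicy": PAGE_SAMPLE, "HardenedFirewallPolicy": HARDENED}}

if __name__ == "__main__":
    for lid, found in lint_template(TEMPLATE).items():
        print(lid, "OK" if not found else "\n  ".join([""] + found))
```

Run against the page's sample the linter reports one finding, on StatelessDefaultActions; the hardened policy reports none. The check is deliberately narrow: it does not second-guess aws:drop for fragments, which is a defensible default, and it does not attempt to validate the referenced rule groups themselves.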