A collection of AWS security controls for AWS WAF and AWS Shield. Configuration items include templates that set up AWS Managed Rules for AWS WAF in an AWS account to protect CloudFront, API Gateway and ALB resources. Rules include general vulnerability and OWASP protections, known-bad IP lists, specific use cases such as WordPress or SQL database protections, and more.

Firewall Manager
AWS Firewall Manager Notification Channel

Creates a Firewall Manager notification channel (an SNS topic) that delivers alerts and notifications to a specified email address.

CloudFormation
AWS Firewall Manager AWS WAF policy

This template creates a Firewall Manager AWS WAF policy for the current version of AWS WAF (WAFV2). The policy includes pre-process rule groups (evaluated before any rules the account adds to the managed web ACL), post-process rule groups (evaluated after them), and a default action of BLOCK for requests that match no rule.

CloudFormation
Firewall Manager AWS WAF Classic policy

This template creates a Firewall Manager AWS WAF Classic policy. The policy sets a default action of BLOCK and attaches a rule group with an override action of NONE, so the actions defined inside the rule group apply as written.

CloudFormation
AWS Firewall Manager Shield Advanced policy

This template creates an AWS Firewall Manager Shield Advanced policy named TaggedPolicy. Its scope is defined by the specified resource types, resource tags and account ID; the resource tags are used as an exclusion list (the ExcludeResourceTags option), so tagged resources are left out of the policy rather than selected by it.

CloudFormation
AWS Firewall Manager common security group policy

This template creates a Firewall Manager common security group policy. The policy specifies the primary security group ID to replicate into in-scope accounts and enables the option to revert manual changes made to the replicated security groups.

CloudFormation
Firewall Manager content audit security group policy

This template creates a Firewall Manager content audit security group policy. The policy specifies an audit security group ID and a security group action of ALLOW, meaning in-scope security groups may only contain rules that fall within the audit security group's rules.

CloudFormation
Firewall Manager usage audit security group policy

This template creates a Firewall Manager usage audit security group policy. The policy enables the options to delete unused security groups and to coalesce redundant security groups.

CloudFormation
AWS Firewall Manager Network Firewall policy

This template creates a Firewall Manager Network Firewall policy. The policy references stateless and stateful rule groups, sets stateless default actions and custom actions, and includes the orchestration (deployment) configuration for the managed firewalls.

CloudFormation
AWS Firewall Manager DNS Firewall policy

This template creates a Firewall Manager DNS Firewall policy. The policy includes pre-process and post-process rule groups with priorities; pre-process rule groups are evaluated before, and post-process rule groups after, any DNS Firewall rule groups the account associates on its own.

CloudFormation
Config Rule
WAF Enabled on ALB Check

A Config rule that checks whether AWS WAF is enabled on Application Load Balancers (ALBs). The rule is NON_COMPLIANT if the load balancer attribute waf.enabled is false.

CloudFormation / Terraform / AWS CLI
WAF Logging Enabled Check

A Config rule that checks whether logging is enabled on AWS WAF (WAFV2) regional and global web access control lists (ACLs). The rule is NON_COMPLIANT if logging is not enabled, or if logging is enabled but the logging destination does not match the value of the rule's KinesisFirehoseDeliveryStreamArns parameter when that parameter is set.

CloudFormation / Terraform / AWS CLI
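The evaluation the logging check performs, written out as an added Python example (it is not one of this page's templates). The web ACL ARNs and Kinesis Data Firehose delivery-stream ARNs are constructed, and the WebAcl dataclass stands in for what wafv2:GetLoggingConfiguration returns for each ACL; the optional allowed set plays the role of the rule's KinesisFirehoseDeliveryStreamArns parameter.

```python
"""WAFV2 logging compliance, evaluated the way the Config check above describes it.
Added example code, not a template from this page; all ARNs below are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class WebAcl:
    arn: str
    # LogDestinationConfigs from the web ACL's logging configuration.
    # An empty list models a web ACL that has no logging configuration at all.
    log_destinations: List[str] = field(default_factory=list)


def evaluate_logging(acl: WebAcl, allowed: Optional[Set[str]] = None) -> Tuple[str, str]:
    """Return (ComplianceType, Annotation) for one web ACL.

    NON_COMPLIANT when logging is disabled. When *allowed* is given (the role of the
    rule's KinesisFirehoseDeliveryStreamArns parameter), also NON_COMPLIANT when
    logging is enabled but any destination lies outside the allowed set. Without the
    parameter, any enabled logging destination is accepted.
    """
    if not acl.log_destinations:
        return "NON_COMPLIANT", "Logging is not enabled"
    if allowed is not None:
        stray = sorted(d for d in acl.log_destinations if d not in allowed)
        if stray:
            return "NON_COMPLIANT", "Logging destination not in allowed list: " + ", ".join(stray)
    return "COMPLIANT", "Logging enabled" + (" to an allowed destination" if allowed else "")


def evaluate_all(acls: List[WebAcl], allowed: Optional[Set[str]] = None) -> Dict[str, str]:
    """Map each web ACL ARN to its ComplianceType."""
    return {acl.arn: evaluate_logging(acl, allowed)[0] for acl in acls}


# Constructed sample data: one approved central stream and one stray stream.
APPROVED_STREAM = "arn:aws:firehose:us-east-1:123456789012:deliverystream/aws-waf-logs-central"
ROGUE_STREAM = "arn:aws:firehose:us-east-1:123456789012:deliverystream/aws-waf-logs-dev-scratch"

SAMPLE_ACLS = [
    # Regional ACL logging to the approved stream.
    WebAcl("arn:aws:wafv2:us-east-1:123456789012:regional/webacl/api-acl/1111", [APPROVED_STREAM]),
    # Regional ACL with no logging configuration.
    WebAcl("arn:aws:wafv2:us-east-1:123456789012:regional/webacl/legacy-acl/2222"),
    # Global (CloudFront) ACL logging somewhere other than the approved stream.
    WebAcl("arn:aws:wafv2:us-east-1:123456789012:global/webacl/cdn-acl/3333", [ROGUE_STREAM]),
]

if __name__ == "__main__":
    for arn, state in evaluate_all(SAMPLE_ACLS, {APPROVED_STREAM}).items():
        print(f"{state:14} {arn}")
```

A custom rule built on this logic would first call wafv2:ListWebACLs for both the REGIONAL and CLOUDFRONT scopes and wafv2:GetLoggingConfiguration for each ACL; here that data is embedded so the block runs offline. Note the asymmetry the rule text implies: an ACL logging to an unlisted destination is NON_COMPLIANT only when the destination parameter is supplied.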
WAF Classic Logging Enabled Check

A Config rule that checks whether logging is enabled on AWS WAF Classic global web ACLs. The rule is NON_COMPLIANT for any global web ACL that does not have logging enabled.

CloudFormation / Terraform / AWS CLI
fms-webacl-resource-policy-check

A Config rule that checks whether the web ACL is associated with an Application Load Balancer or Amazon CloudFront distribution. When AWS Firewall Manager creates this rule, the FMS policy owner specifies the WebACLId in the FMS policy and can optionally enable remediation.

CloudFormation / Terraform / AWS CLI
fms-webacl-rulegroup-association-check

A Config rule that checks that the rule groups are associated with the web ACL at the correct priority. The correct priority is determined by the rank of each rule group in the ruleGroups parameter: when AWS Firewall Manager creates this rule, it assigns priority 0 (the highest) to the first rule group, then 1, 2, and so on. The FMS policy owner specifies the ruleGroups rank in the FMS policy and can optionally enable remediation.

CloudFormation / Terraform / AWS CLI
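The logic behind the two Firewall Manager web ACL checks above (fms-webacl-resource-policy-check and fms-webacl-rulegroup-association-check), plus the rebuild step an optional remediation would perform, as an added Python example that is not one of the page's templates. The resource records, web ACL IDs and rule group identifiers are constructed, and the rule-group activation shape (identifier plus priority) is a simplified model rather than the exact WAF API schema.

```python
"""Evaluation logic mirroring fms-webacl-resource-policy-check and
fms-webacl-rulegroup-association-check. Added example, not a template from this
page; identifiers below are constructed and the activation shape is simplified."""
from typing import Dict, List


def check_web_acl_association(resources: List[dict], expected_web_acl_id: str) -> Dict[str, str]:
    """fms-webacl-resource-policy-check: every in-scope ALB or CloudFront distribution
    must have the FMS policy's WebACLId attached. A record whose web_acl_id is None
    has no web ACL at all; a different ID is just as NON_COMPLIANT."""
    results = {}
    for res in resources:
        attached = res.get("web_acl_id")
        results[res["arn"]] = "COMPLIANT" if attached == expected_web_acl_id else "NON_COMPLIANT"
    return results


def check_rule_group_priorities(activated: List[dict], ranked_rule_groups: List[str]) -> List[str]:
    """fms-webacl-rulegroup-association-check: the FMS policy lists rule groups in rank
    order and Firewall Manager assigns priority 0 to the first, 1 to the next, and so
    on. Return one finding per rule group that is missing or sits at the wrong
    priority; an empty list means COMPLIANT."""
    priority_of = {a["rule_group_id"]: a["priority"] for a in activated}
    findings = []
    for expected, rule_group in enumerate(ranked_rule_groups):
        actual = priority_of.get(rule_group)
        if actual is None:
            findings.append(f"{rule_group}: not associated with the web ACL")
        elif actual != expected:
            findings.append(f"{rule_group}: at priority {actual}, expected {expected}")
    return findings


def remediated_activations(activated: List[dict], ranked_rule_groups: List[str]) -> List[dict]:
    """Optional remediation: rebuild the activation list with the ranked rule groups at
    priorities 0..n-1 and any other rule groups appended after them, keeping their
    existing relative order."""
    fixed = [{"rule_group_id": rg, "priority": i} for i, rg in enumerate(ranked_rule_groups)]
    extras = sorted((a for a in activated if a["rule_group_id"] not in ranked_rule_groups),
                    key=lambda a: a["priority"])
    for priority, extra in enumerate(extras, start=len(ranked_rule_groups)):
        fixed.append({"rule_group_id": extra["rule_group_id"], "priority": priority})
    return fixed


# Constructed sample data.
POLICY_WEB_ACL_ID = "a1b2c3d4-0000-4000-8000-000000000001"
SAMPLE_RESOURCES = [
    {"arn": "arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/public-api/aaaa",
     "web_acl_id": POLICY_WEB_ACL_ID},
    {"arn": "arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/partner-portal/bbbb",
     "web_acl_id": "ffffffff-0000-4000-8000-000000000099"},  # a locally created ACL, not the policy's
    {"arn": "arn:aws:cloudfront::123456789012:distribution/E1AAAAAAAAAAAA", "web_acl_id": None},
]
RANKED_RULE_GROUPS = ["rg-common-protections", "rg-bad-ip-reputation", "rg-sqli"]
SAMPLE_ACTIVATED = [  # the last two rule groups have been swapped by hand
    {"rule_group_id": "rg-common-protections", "priority": 0},
    {"rule_group_id": "rg-sqli", "priority": 1},
    {"rule_group_id": "rg-bad-ip-reputation", "priority": 2},
    {"rule_group_id": "rg-team-custom", "priority": 3},
]

if __name__ == "__main__":
    print(check_web_acl_association(SAMPLE_RESOURCES, POLICY_WEB_ACL_ID))
    print(check_rule_group_priorities(SAMPLE_ACTIVATED, RANKED_RULE_GROUPS))
    print(remediated_activations(SAMPLE_ACTIVATED, RANKED_RULE_GROUPS))
```

The priority check is order-sensitive on purpose: the page's rule treats a rule group at the wrong priority as a violation even when it is attached, because the ordering the policy owner chose determines which rule group sees a request first.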
AWS Shield Protection Enabled Check

A Config rule that checks whether an Application Load Balancer, Amazon CloudFront distribution, Elastic Load Balancer or Elastic IP has AWS Shield protection. For Application Load Balancers and CloudFront distributions, the rule also checks that a web ACL is associated.

CloudFormation / Terraform / AWS CLI
AWS Shield Advanced Enabled with Auto-Renew Check

A Config rule that checks whether AWS Shield Advanced is enabled in your AWS account and the subscription is set to renew automatically.

CloudFormation / Terraform / AWS CLI
Shield DRT Access Enabled

A Config rule that checks that the DDoS Response Team (DRT) can access your AWS account. The rule is NON_COMPLIANT if AWS Shield Advanced is enabled but the IAM role for DRT access is not configured.

CloudFormation / Terraform / AWS CLI
Check if WAFv2 Rule Groups contain rules

Checks if WAFv2 Rule Groups contain rules. The rule is NON_COMPLIANT if there are no rules in a WAFv2 Rule Group.

CloudFormation
Check if WAFv2 Web ACL contains any rules or rule groups

Checks if a WAFv2 Web ACL contains any WAF rules or WAF rule groups. This rule is NON_COMPLIANT if a Web ACL does not contain any WAF rules or WAF rule groups.

CloudFormation
Check if AWS WAF Classic rule group contains any rules

Checks if an AWS WAF Classic rule group contains any rules. The rule is NON_COMPLIANT if there are no rules present within a rule group.

CloudFormation
Check if WAF global rule contains conditions

Checks if an AWS WAF global rule contains any conditions. The rule is NON_COMPLIANT if no conditions are present within the WAF global rule.

CloudFormation
Check if WAF Global Web ACL contains any rules or rule groups

Checks whether a WAF Global Web ACL contains any WAF rules or rule groups. This rule is NON_COMPLIANT if a Web ACL does not contain any WAF rule or rule group.

CloudFormation
Check if WAF Regional rule groups contain any rules

Checks if WAF Regional rule groups contain any rules. The rule is NON_COMPLIANT if there are no rules present within a WAF Regional rule group.

CloudFormation
Check if WAF regional rule contains conditions

Checks whether a WAF regional rule contains conditions. The rule is COMPLIANT if the regional rule contains at least one condition and NON_COMPLIANT otherwise.

CloudFormation
Check if WAF regional Web ACL contains any rules or rule groups

Checks if a WAF regional Web ACL contains any WAF rules or rule groups. The rule is NON_COMPLIANT if there are no WAF rules or rule groups present within a Web ACL.

CloudFormation
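The eight "contains any rules / conditions" checks above all reduce to one emptiness test over different resource types. The added Python example below (not one of the page's templates) implements that test as the evaluation step of a Lambda-backed custom Config rule covering WAFV2, WAF Classic global and WAF Regional web ACLs, rule groups and rules. The configuration items are constructed; their key names (Rules, ActivatedRules, Predicates) follow the WAF APIs, and treating them as the exact shape Config records is an assumption, which is why the helper accepts both casings.

```python
"""Emptiness checks for WAF web ACLs, rule groups and Classic rules, written as the
evaluation step of a custom AWS Config rule. Added example, not a template from this
page. Configuration items are constructed; their key names are an assumption about
the Config item shape (the WAF API names are used)."""
import json
from typing import Dict, List

# Config resource types covered by the checks on this page.
WEB_ACL_TYPES = {"AWS::WAFv2::WebACL", "AWS::WAF::WebACL", "AWS::WAFRegional::WebACL"}
RULE_GROUP_TYPES = {"AWS::WAFv2::RuleGroup", "AWS::WAF::RuleGroup", "AWS::WAFRegional::RuleGroup"}
CLASSIC_RULE_TYPES = {"AWS::WAF::Rule", "AWS::WAFRegional::Rule"}


def _first_list(config: dict, *keys: str) -> list:
    """Return the list under the first key present (the APIs differ in naming and casing)."""
    for key in keys:
        if config.get(key) is not None:
            return list(config[key])
    return []


def web_acl_has_rules(config: dict) -> bool:
    # WAFV2 web ACLs list rules and rule-group references under Rules; WAF Classic
    # web ACLs list ActivatedRules (type REGULAR, RATE_BASED or GROUP).
    return bool(_first_list(config, "Rules", "rules", "ActivatedRules", "activatedRules"))


def rule_group_has_rules(config: dict) -> bool:
    return bool(_first_list(config, "Rules", "rules", "ActivatedRules", "activatedRules"))


def classic_rule_has_conditions(config: dict) -> bool:
    # In the WAF Classic API a rule's conditions are referenced as Predicates.
    return bool(_first_list(config, "Predicates", "predicates"))


def evaluate_item(item: dict) -> dict:
    """Return one evaluation in the shape Config's PutEvaluations expects."""
    rtype, rid = item["resourceType"], item["resourceId"]
    config = item.get("configuration") or {}
    if rtype in WEB_ACL_TYPES:
        ok, what = web_acl_has_rules(config), "rules or rule groups"
    elif rtype in RULE_GROUP_TYPES:
        ok, what = rule_group_has_rules(config), "rules"
    elif rtype in CLASSIC_RULE_TYPES:
        ok, what = classic_rule_has_conditions(config), "conditions"
    else:
        return {"ComplianceResourceType": rtype, "ComplianceResourceId": rid,
                "ComplianceType": "NOT_APPLICABLE", "Annotation": "Resource type not covered"}
    return {"ComplianceResourceType": rtype, "ComplianceResourceId": rid,
            "ComplianceType": "COMPLIANT" if ok else "NON_COMPLIANT",
            "Annotation": f"Contains {what}" if ok else f"Contains no {what}"}


def handler(event: dict) -> List[dict]:
    """Lambda entry point for a change-triggered custom rule. A deployed handler would
    hand the returned list to config.put_evaluations along with event['resultToken']."""
    invoking = json.loads(event["invokingEvent"])
    return [evaluate_item(invoking["configurationItem"])]


# Constructed configuration items exercising each check.
SAMPLE_ITEMS = [
    {"resourceType": "AWS::WAFv2::WebACL", "resourceId": "api-acl",
     "configuration": {"Rules": [{"Name": "common", "Priority": 0, "Statement": {
         "RuleGroupReferenceStatement": {
             "ARN": "arn:aws:wafv2:us-east-1:123456789012:regional/rulegroup/common/1111"}}}]}},
    {"resourceType": "AWS::WAFv2::RuleGroup", "resourceId": "empty-rg", "configuration": {"Rules": []}},
    {"resourceType": "AWS::WAF::Rule", "resourceId": "global-rule-no-conditions",
     "configuration": {"Predicates": []}},
    {"resourceType": "AWS::WAFRegional::WebACL", "resourceId": "regional-acl",
     "configuration": {"ActivatedRules": [{"RuleId": "rule-1", "Priority": 1, "Type": "REGULAR"}]}},
    {"resourceType": "AWS::WAFRegional::RuleGroup", "resourceId": "regional-rg",
     "configuration": {"ActivatedRules": []}},
]
SAMPLE_RESULTS: Dict[str, str] = {
    r["ComplianceResourceId"]: r["ComplianceType"] for r in map(evaluate_item, SAMPLE_ITEMS)}

# A constructed Config invocation for the empty rule group.
SAMPLE_EVENT = {"invokingEvent": json.dumps({"configurationItem": SAMPLE_ITEMS[1]}),
                "resultToken": "constructed-token"}

if __name__ == "__main__":
    for rid, state in SAMPLE_RESULTS.items():
        print(f"{state:14} {rid}")
```

An empty web ACL or rule group is the failure mode these checks exist for: the resource is attached and looks protected in an inventory, yet every request falls through to the default action, so the rule treats "attached but empty" the same as "not attached".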