aws_waf_launch_some_http_method_restriction.yaml
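AWSTemplateFormatVersion: '2010-09-09'
# NOTE(review): the original template declared `Transform: AWS::Serverless-2016-10-31`, but
# nothing below is an AWS::Serverless::* resource, so the SAM macro had nothing to expand.
# It has been dropped: the processed template is identical, and a direct create-stack no
# longer has to acknowledge CAPABILITY_AUTO_EXPAND for a macro that does no work.

# Values the deployer is asked for when this template is launched.
Parameters:
  # The key keeps its original (misspelled) name so existing stacks, parameter files and
  # deployment scripts that pass it continue to work.
  yourApplicationeName:
    Description: >-
      Application name used as the prefix of the WAF WebACL and condition names.
      It is also embedded in the WebACL CloudWatch MetricName, which AWS WAF accepts
      only as letters and digits, so hyphens, spaces and underscores are rejected here.
    Type: String
    Default: sampleApplication
    # Fail at stack creation with a clear message instead of a MetricName validation error
    # from the WAF service once the ACL is being created.
    AllowedPattern: '^[A-Za-z0-9]+$'
    # MetricName is limited to 128 characters; the fixed suffix appended by the WebACL
    # ("BlockHTTPMethodACLforCloudFormation") uses 35 of them.
    MaxLength: 64
    ConstraintDescription: must contain only letters and digits (A-Z, a-z, 0-9).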
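Resources:
  # NOTE(review): AWS::WAF::* is AWS WAF Classic in its global (CloudFront) scope. Protecting an
  # ALB or API Gateway stage would need AWS::WAFRegional::* instead, and AWS recommends the
  # AWS::WAFv2 resources for new deployments. Nothing in this template associates the WebACL
  # with anything, so it blocks no traffic until a CloudFront distribution's WebACLId refers to it.
  #
  # Each section pairs a ByteMatchSet on the request METHOD with a Rule that references it.
  # PositionalConstraint is EXACTLY so that only the named method is blocked; the original
  # used CONTAINS, which would also catch any non-standard method string that merely embeds
  # the word. HTTP method names are case-sensitive, so no text transformation is applied.
  #
  # This is a denylist: only the three methods below are blocked. If the backend honours a
  # method-override header (for example X-HTTP-Method-Override) the WAF cannot see the
  # effective method, and an allowlist (a Negated predicate over the permitted methods)
  # is the stricter design when the application's method set is known.

  # ------------------------------------------------------------
  # HEAD
  # ------------------------------------------------------------
  # NOTE(review): HEAD is a safe, idempotent method (GET without a body) that load balancers,
  # uptime monitors and CDNs rely on for health checks. Blocking it removes very little attack
  # surface and can break those clients; confirm it is really wanted before deploying.
  BlockHEADCondition:
    Type: AWS::WAF::ByteMatchSet
    Properties:
      Name: !Join ['-', [!Ref yourApplicationeName, 'HTTP-HEAD-Method-inspection']]
      ByteMatchTuples:
        - FieldToMatch:
            # FieldToMatch.Data only applies when Type is HEADER (it names the header to
            # inspect) and must be omitted for METHOD; the original set it anyway.
            Type: METHOD
          TargetString: HEAD
          TextTransformation: NONE
          PositionalConstraint: EXACTLY
  BlockHEADRule:
    Type: AWS::WAF::Rule
    Properties:
      MetricName: BlockHEADRule
      Name: BlockHEADRule
      Predicates:
        - DataId: !Ref BlockHEADCondition
          Negated: false
          Type: ByteMatch

  # ------------------------------------------------------------
  # CONNECT
  # ------------------------------------------------------------
  # CONNECT asks the server to act as a tunnel/proxy; an origin application never needs it.
  BlockCONNECTCondition:
    Type: AWS::WAF::ByteMatchSet
    Properties:
      Name: !Join ['-', [!Ref yourApplicationeName, 'HTTP-CONNECT-Method-inspection']]
      ByteMatchTuples:
        - FieldToMatch:
            Type: METHOD
          TargetString: CONNECT
          TextTransformation: NONE
          PositionalConstraint: EXACTLY
  BlockCONNECTRule:
    Type: AWS::WAF::Rule
    Properties:
      MetricName: BlockCONNECTRule
      Name: BlockCONNECTRule
      Predicates:
        - DataId: !Ref BlockCONNECTCondition
          Negated: false
          Type: ByteMatch

  # ------------------------------------------------------------
  # TRACE
  # ------------------------------------------------------------
  # TRACE echoes the request back to the client, including any cookies/authorization headers
  # the browser attached (cross-site tracing). Disabling it at the origin is still advisable;
  # this rule is defence in depth in front of it.
  BlockTRACECondition:
    Type: AWS::WAF::ByteMatchSet
    Properties:
      Name: !Join ['-', [!Ref yourApplicationeName, 'HTTP-TRACE-Method-inspection']]
      ByteMatchTuples:
        - FieldToMatch:
            Type: METHOD
          TargetString: TRACE
          TextTransformation: NONE
          PositionalConstraint: EXACTLY
  BlockTRACERule:
    Type: AWS::WAF::Rule
    Properties:
      MetricName: BlockTRACERule
      Name: BlockTRACERule
      Predicates:
        - DataId: !Ref BlockTRACECondition
          Negated: false
          Type: ByteMatch

  # --------------------------------------------------
  # WebACL
  # --------------------------------------------------
  HTTPMethodsBlockingForCloudFormation:
    Type: AWS::WAF::WebACL
    Properties:
      # MetricName must be alphanumeric, so the application-name parameter must not contain
      # hyphens, spaces or underscores; Name is joined without a separator for the same reason.
      MetricName: !Join ['', [!Ref yourApplicationeName, 'BlockHTTPMethodACLforCloudFormation']]
      Name: !Join ['', [!Ref yourApplicationeName, 'BlockHTTPMethodACLforCloudFormation']]
      # Denylist semantics: any request not matched by a rule below is allowed through.
      DefaultAction:
        Type: ALLOW
      Rules:
        - Action:
            Type: BLOCK
          Priority: 1
          RuleId: !Ref BlockHEADRule
        - Action:
            Type: BLOCK
          Priority: 2
          RuleId: !Ref BlockCONNECTRule
        - Action:
            Type: BLOCK
          Priority: 3
          RuleId: !Ref BlockTRACERule
    # The !Ref calls above already force the rules to exist first; the explicit list is kept
    # for readability. The original listed BlockTRACERule twice and omitted BlockCONNECTRule.
    DependsOn:
      - BlockHEADRule
      - BlockCONNECTRule
      - BlockTRACERule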