aws-security-reference-architecture-examples
[FEATURE] Parameterise whether Windows/Linux/Posix Web ACL rulesets should be deployed to Firewall Manager
Is your feature request related to a problem? Please describe
We have an AWS Organization running a set of serverless workloads. Workloads use APIGateways which are fronted by CloudFront. In order to protect workloads, we enable AWS-managed Web ACL rulesets, which are deployed via the firewall-manager-org SRA solution. Those rulesets are enabled on APIGateways and CloudFront.
The firewall-manager-org SRA solution deploys other rulesets for Windows/Linux/Posix which we do not use. At a cost of $5 per ruleset, per month this greatly increases the cost of the out-of-the-box solution, when we do not use the functionality.
Describe the solution you'd like
In order to reduce costs and make management simpler, I would like to suggest having 3 new parameters that when set to false would drive conditions that prevented the deployment of the Windows/Linux/Posix rulesets.
These parameters would be passed through to the sra-firewall-manager-org-waf-policy.yaml stackset creation from the sra-firewall-manager-org-main-ssm.yaml stack.
```yaml
Parameters:
  pEnableWindowsPolicy:
    Type: String
    Default: 'true'
    AllowedValues: ['true', 'false']
    Description: Set to true to enable the Windows WAF policy
  pEnableLinuxPolicy:
    Type: String
    Default: 'true'
    AllowedValues: ['true', 'false']
    Description: Set to true to enable the Linux WAF policy
  pEnablePosixPolicy:
    Type: String
    Default: 'true'
    AllowedValues: ['true', 'false']
    Description: Set to true to enable the Posix WAF policy

Conditions:
  cCreateCFRuleGroup: !Equals [!Ref 'AWS::Region', 'us-east-1']
  cCreateWindowsPolicy: !Equals [!Ref pEnableWindowsPolicy, 'true']
  cCreateLinuxPolicy: !Equals [!Ref pEnableLinuxPolicy, 'true']
  cCreatePosixPolicy: !Equals [!Ref pEnablePosixPolicy, 'true']

Resources:
  ...
  rFmsRegionalWafWindowsPolicy:
    Type: AWS::FMS::Policy
    Condition: cCreateWindowsPolicy
    ...
```
Describe alternatives you've considered
There are not really alternatives to preventing the deployment of these rulesets. It would be possible to manually delete them after deployment, but in my case, the CfCT would later kick in and redeploy them if it found the stack had drifted.
Additional context
Deployed via the CfCT v2.8.1
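As an added example (not code from the SRA project or from the issue author), the following Python script evaluates CloudFormation `Conditions` offline so you can see which resources a given parameter set would actually create before deploying through CfCT. The template dict mirrors the YAML proposed above in long-form intrinsic syntax (`Fn::Equals`, `Ref`); the `AWS::Region` pseudo-parameter is supplied by the caller. The Linux, Posix and CloudFront rule-group resource names (`rFmsRegionalWafLinuxPolicy`, `rFmsRegionalWafPosixPolicy`, `rFmsCloudFrontRuleGroup`) are assumptions for illustration, as is the `Parameters` block; the evaluator also understands `Fn::And`, `Fn::Or`, `Fn::Not` and `Condition`, which is more than the fragment uses.

```python
"""Offline evaluator for CloudFormation Conditions.

Added example: constructed template fragment, not the project's template.
It answers the question the feature request raises: with pEnable*Policy
set to 'false', which FMS policy resources would still be created?
"""
from typing import Any, Dict, List, Optional

# Constructed dict form of the YAML fragment in the feature request.
# Resource names other than rFmsRegionalWafWindowsPolicy are assumed.
TEMPLATE: Dict[str, Any] = {
    "Parameters": {
        "pEnableWindowsPolicy": {"Type": "String", "Default": "true",
                                 "AllowedValues": ["true", "false"]},
        "pEnableLinuxPolicy": {"Type": "String", "Default": "true",
                               "AllowedValues": ["true", "false"]},
        "pEnablePosixPolicy": {"Type": "String", "Default": "true",
                               "AllowedValues": ["true", "false"]},
    },
    "Conditions": {
        "cCreateCFRuleGroup": {"Fn::Equals": [{"Ref": "AWS::Region"}, "us-east-1"]},
        "cCreateWindowsPolicy": {"Fn::Equals": [{"Ref": "pEnableWindowsPolicy"}, "true"]},
        "cCreateLinuxPolicy": {"Fn::Equals": [{"Ref": "pEnableLinuxPolicy"}, "true"]},
        "cCreatePosixPolicy": {"Fn::Equals": [{"Ref": "pEnablePosixPolicy"}, "true"]},
    },
    "Resources": {
        "rFmsCloudFrontRuleGroup": {"Type": "AWS::WAFv2::RuleGroup",
                                    "Condition": "cCreateCFRuleGroup"},
        "rFmsRegionalWafWindowsPolicy": {"Type": "AWS::FMS::Policy",
                                         "Condition": "cCreateWindowsPolicy"},
        "rFmsRegionalWafLinuxPolicy": {"Type": "AWS::FMS::Policy",
                                       "Condition": "cCreateLinuxPolicy"},
        "rFmsRegionalWafPosixPolicy": {"Type": "AWS::FMS::Policy",
                                       "Condition": "cCreatePosixPolicy"},
    },
}


def effective_parameters(template: Dict[str, Any], overrides: Dict[str, str],
                         region: str) -> Dict[str, str]:
    """Apply Defaults, enforce AllowedValues, and add the AWS::Region pseudo-parameter."""
    params: Dict[str, str] = {"AWS::Region": region}
    for name, spec in template.get("Parameters", {}).items():
        value = overrides.get(name, spec.get("Default"))
        if value is None:
            raise ValueError(f"parameter {name} has no value and no Default")
        allowed = spec.get("AllowedValues")
        if allowed is not None and value not in allowed:
            # CloudFormation rejects the stack operation in this case.
            raise ValueError(f"{name}={value!r} is not in AllowedValues {allowed}")
        params[name] = value
    return params


def evaluate_conditions(template: Dict[str, Any], params: Dict[str, str]) -> Dict[str, bool]:
    """Resolve every entry in Conditions to True/False for the given parameters."""
    conditions = template.get("Conditions", {})
    cache: Dict[str, bool] = {}

    def value(node: Any) -> Any:
        # Intrinsic functions are single-key dicts; anything else is a literal.
        if isinstance(node, dict) and len(node) == 1:
            (fn, arg), = node.items()
            if fn == "Ref":
                return params[arg]           # KeyError on an unknown Ref is deliberate
            if fn == "Condition":
                return cond(arg)
            if fn == "Fn::Equals":
                left, right = (value(x) for x in arg)
                return left == right
            if fn == "Fn::Not":
                return not value(arg[0])
            if fn == "Fn::And":
                return all(value(x) for x in arg)
            if fn == "Fn::Or":
                return any(value(x) for x in arg)
        return node

    def cond(name: str) -> bool:
        if name not in cache:
            cache[name] = bool(value(conditions[name]))
        return cache[name]

    return {name: cond(name) for name in conditions}


def resources_to_create(template: Dict[str, Any], overrides: Optional[Dict[str, str]] = None,
                        region: str = "us-east-1") -> List[str]:
    """Logical IDs that would be created: no Condition, or a Condition that is true."""
    params = effective_parameters(template, overrides or {}, region)
    conds = evaluate_conditions(template, params)
    return [name for name, res in template.get("Resources", {}).items()
            if res.get("Condition") is None or conds[res["Condition"]]]


if __name__ == "__main__":
    disable_all = {"pEnableWindowsPolicy": "false", "pEnableLinuxPolicy": "false",
                   "pEnablePosixPolicy": "false"}
    print("defaults, us-east-1:", resources_to_create(TEMPLATE))
    print("all disabled, us-east-1:", resources_to_create(TEMPLATE, disable_all))
    print("defaults, eu-west-1:", resources_to_create(TEMPLATE, region="eu-west-1"))
```

Running it with the defaults reproduces today's behaviour (all three regional FMS policies plus the us-east-1 rule group); passing `'false'` for the three parameters leaves only the CloudFront rule group, which is the cost reduction the request is after. Because the parameter values flow from the main stack into the stackset, the same check can be run against the parameter file you hand to CfCT before it redeploys anything.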