AWS::NetworkFirewall::FirewallPolicy
Use the AWS::NetworkFirewall::FirewallPolicy to define the stateless and stateful network traffic filtering behavior for your AWS::NetworkFirewall::Firewall. You can use one firewall policy for multiple firewalls.
Syntax
To declare this entity in your Amazon CloudFormation template, use the following syntax:
JSON
{
  "Type" : "AWS::NetworkFirewall::FirewallPolicy",
  "Properties" : {
    "Description" : String,
    "FirewallPolicy" : FirewallPolicy,
    "FirewallPolicyName" : String,
    "Tags" : [ Tag, ... ]
  }
}
YAML
Type: AWS::NetworkFirewall::FirewallPolicy
Properties:
  Description: String
  FirewallPolicy: FirewallPolicy
  FirewallPolicyName: String
  Tags:
    - Tag
Properties
Description
A description of the firewall policy.
Required: No
Type: String
Maximum: 512
Pattern: ^.*$
Update requires: No interruption
FirewallPolicy
The traffic filtering behavior of a firewall policy, defined in a collection of stateless and stateful rule groups and other settings.
Required: Yes
Type: FirewallPolicy
Update requires: No interruption
FirewallPolicyName
The descriptive name of the firewall policy. You can't change the name of a firewall policy after you create it.
Required: Yes
Type: String
Minimum: 1
Maximum: 128
Pattern: ^[a-zA-Z0-9-]+$
Update requires: Replacement
Tags
An array of key-value pairs to apply to this resource.
For more information, see Tag.
Required: No
Type: List of Tag
Maximum: 200
Update requires: No interruption
Return values
Ref
When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns the Amazon Resource Name (ARN) of the firewall policy. For example, Ref returns an ARN of the form:
arn:aws:network-firewall:us-east-1:012345678901:firewall-policy/myFirewallPolicyName
For more information about using the Ref function, see Ref.
Fn::GetAtt
The Fn::GetAtt intrinsic function returns a value for a specified attribute of this type. The following are the available attributes and sample return values.
For more information about using the Fn::GetAtt intrinsic function, see Fn::GetAtt.
FirewallPolicyArn
The Amazon Resource Name (ARN) of the AWS::NetworkFirewall::FirewallPolicy.
FirewallPolicyId
The unique ID of the AWS::NetworkFirewall::FirewallPolicy resource.
Examples
Create a firewall policy
The following shows an example firewall policy specification in JSON and in YAML. It references one stateful rule group and one stateless rule group that are declared elsewhere in the same template; the two listings declare the same resource.
JSON
"SampleFirewallPolicy": {
  "Type": "AWS::NetworkFirewall::FirewallPolicy",
  "Properties": {
    "FirewallPolicyName": "SampleFirewallPolicyName",
    "FirewallPolicy": {
      "StatelessDefaultActions": [ "aws:pass" ],
      "StatelessFragmentDefaultActions": [ "aws:drop" ],
      "StatefulRuleGroupReferences": [
        { "ResourceArn": { "Ref": "SampleStatefulRuleGroup" } }
      ],
      "StatelessRuleGroupReferences": [
        { "ResourceArn": { "Ref": "SampleStatelessRuleGroup" }, "Priority": 100 }
      ]
    },
    "Description": "FirewallPolicy description goes here",
    "Tags": [ { "Key": "Foo", "Value": "Bar" } ]
  }
}
YAML
SampleFirewallPolicy:
  Type: 'AWS::NetworkFirewall::FirewallPolicy'
  Properties:
    FirewallPolicyName: SampleFirewallPolicyName
    FirewallPolicy:
      StatelessDefaultActions:
        - 'aws:pass'
      StatelessFragmentDefaultActions:
        - 'aws:drop'
      StatefulRuleGroupReferences:
        - ResourceArn: !Ref SampleStatefulRuleGroup
      StatelessRuleGroupReferences:
        - ResourceArn: !Ref SampleStatelessRuleGroup
          Priority: 100
    Description: FirewallPolicy description goes here
    Tags:
      - Key: Foo
        Value: Bar
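One caveat worth checking before reusing the sample above: a StatelessDefaultActions value of aws:pass sends every packet that no stateless rule matches straight to its destination, so the stateful rule groups in the policy only ever see packets that a stateless rule explicitly forwards to the stateful engine. A policy that is meant to inspect all traffic normally uses aws:forward_to_sfe there and, under STRICT_ORDER, a drop default such as aws:drop_strict. The following Python script is an added example, not part of the CloudFormation documentation and not an AWS tool: it lints every AWS::NetworkFirewall::FirewallPolicy resource in a JSON template for that aws:pass default, for a STRICT_ORDER policy with no drop default, for StatefulDefaultActions set under DEFAULT_ACTION_ORDER (where the service ignores them), and for duplicate stateless Priority values. Both embedded templates are constructed for the example; the rule group logical IDs are hypothetical, and the hardened variant assumes the referenced stateful rule group itself uses STRICT_ORDER, as the service requires.

```python
import json

# Stateless default action that hands unmatched packets to the stateful engine.
FORWARD_TO_SFE = "aws:forward_to_sfe"
# Terminating stateless actions; exactly one must appear in each default-action list.
STATELESS_TERMINAL = {"aws:pass", "aws:drop", FORWARD_TO_SFE}
# Stateful default actions that fail closed under STRICT_ORDER.
STRICT_DROP = {"aws:drop_strict", "aws:drop_established"}


def lint_policy(props):
    """Return a list of findings for the Properties of one FirewallPolicy resource."""
    name = props.get("FirewallPolicyName", "<unnamed>")
    policy = props.get("FirewallPolicy", {})
    findings = []

    for key in ("StatelessDefaultActions", "StatelessFragmentDefaultActions"):
        actions = set(policy.get(key, []))
        if "aws:pass" in actions:
            findings.append(f"{name}: {key} uses aws:pass, so unmatched packets skip stateful inspection")
        elif len(actions & STATELESS_TERMINAL) != 1:
            findings.append(f"{name}: {key} needs exactly one of {sorted(STATELESS_TERMINAL)}")

    order = policy.get("StatefulEngineOptions", {}).get("RuleOrder", "DEFAULT_ACTION_ORDER")
    defaults = set(policy.get("StatefulDefaultActions", []))
    if order == "STRICT_ORDER" and not defaults & STRICT_DROP:
        findings.append(f"{name}: STRICT_ORDER without a drop default lets unmatched flows through")
    if order != "STRICT_ORDER" and defaults:
        findings.append(f"{name}: StatefulDefaultActions are only honoured under STRICT_ORDER")

    # Priorities of stateless rule group references must be unique within one policy.
    prios = [ref.get("Priority") for ref in policy.get("StatelessRuleGroupReferences", [])]
    dupes = sorted({p for p in prios if prios.count(p) > 1})
    if dupes:
        findings.append(f"{name}: duplicate stateless rule group Priority values {dupes}")
    return findings


def lint_template(text):
    """Parse a JSON CloudFormation template and lint every FirewallPolicy resource in it."""
    template = json.loads(text)
    findings = []
    for resource in template.get("Resources", {}).values():
        if resource.get("Type") == "AWS::NetworkFirewall::FirewallPolicy":
            findings.extend(lint_policy(resource.get("Properties", {})))
    return findings


# Constructed template mirroring the page's sample: the stateless default is aws:pass.
WEAK_TEMPLATE = """{
  "Resources": {
    "SampleFirewallPolicy": {
      "Type": "AWS::NetworkFirewall::FirewallPolicy",
      "Properties": {
        "FirewallPolicyName": "SampleFirewallPolicyName",
        "FirewallPolicy": {
          "StatelessDefaultActions": ["aws:pass"],
          "StatelessFragmentDefaultActions": ["aws:drop"],
          "StatefulRuleGroupReferences": [{"ResourceArn": {"Ref": "SampleStatefulRuleGroup"}}],
          "StatelessRuleGroupReferences": [{"ResourceArn": {"Ref": "SampleStatelessRuleGroup"}, "Priority": 100}]
        }
      }
    }
  }
}"""

# Constructed hardened variant: forward to the stateful engine, strict order, drop by default.
HARDENED_TEMPLATE = """{
  "Resources": {
    "HardenedFirewallPolicy": {
      "Type": "AWS::NetworkFirewall::FirewallPolicy",
      "Properties": {
        "FirewallPolicyName": "HardenedFirewallPolicyName",
        "FirewallPolicy": {
          "StatelessDefaultActions": ["aws:forward_to_sfe"],
          "StatelessFragmentDefaultActions": ["aws:drop"],
          "StatelessRuleGroupReferences": [{"ResourceArn": {"Ref": "SampleStatelessRuleGroup"}, "Priority": 100}],
          "StatefulEngineOptions": {"RuleOrder": "STRICT_ORDER", "StreamExceptionPolicy": "DROP"},
          "StatefulDefaultActions": ["aws:drop_strict", "aws:alert_strict"],
          "StatefulRuleGroupReferences": [{"ResourceArn": {"Ref": "SampleStatefulRuleGroup"}, "Priority": 1}]
        }
      }
    }
  }
}"""

if __name__ == "__main__":
    for label, text in (("weak", WEAK_TEMPLATE), ("hardened", HARDENED_TEMPLATE)):
        print(label, lint_template(text) or ["no findings"])
```

Run it against a template exported with `aws cloudformation get-template` (JSON output) to catch a pass-through default before the stack is deployed; YAML templates need a YAML parser in place of json.loads, which this example deliberately avoids so it runs with the standard library only.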