NetworkConfig / CentralNetworkServicesConfig / NfwConfig / NfwRuleGroupConfig

Network Firewall rule group configuration. Use this configuration to define stateful and stateless rule groups for Network Firewall. An AWS Network Firewall rule group is a reusable set of criteria for inspecting and handling network traffic. You add one or more rule groups to a firewall policy as part of policy configuration.

See

https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-networkfirewall-rulegroup.html

Example

Stateful rule group:

- name: accelerator-stateful-group
regions:
- us-east-1
capacity: 100
type: STATEFUL
ruleGroup:
rulesSource:
rulesFile: path/to/rules.txt
shareTargets:
organizationalUnits:
- Root
tags: []

Stateless rule group:

- name: accelerator-stateless-group
regions:
- us-east-1
capacity: 100
type: STATELESS
ruleGroup:
rulesSource:
statelessRulesAndCustomActions:
statelessRules:
- priority: 100
ruleDefinition:
actions: ['aws:pass']
matchAttributes:
sources:
- 10.1.0.0/16
sourcePorts:
- fromPort: 1024
toPort: 65535
destinations:
- 10.0.0.0/16
destinationPorts:
- fromPort: 22
toPort: 22
shareTargets:
organizationalUnits:
- Root
tags: []

Hierarchy

  • NfwRuleGroupConfig

Implements

Constructors

Properties

capacity: number = 123

The capacity of the rule group.

description: undefined | string = undefined

(OPTIONAL) A description for the rule group.

name: string = ''

A friendly name for the rule group.

Remarks

CAUTION: Changing this property value after initial deployment causes the rule group to be recreated. Please be aware that any downstream dependencies may cause this property update to fail.

regions: string[] = []

The regions to deploy the rule group to.

See

Region

ruleGroup: undefined | NfwRuleGroupRuleConfig = undefined

(OPTIONAL) A Network Firewall rule configuration.

See

NfwRuleGroupRuleConfig

shareTargets: undefined | ShareTargets = undefined

(OPTIONAL) Resource Access Manager (RAM) share targets.

Remarks

Targets can be account names and/or organizational units. Targets must be configured for account(s)/OU(s) that require access to the rule group. A target is not required for the delegated admin account.

See

ShareTargets

tags: undefined | Tag[] = undefined

(OPTIONAL) An array of tags for the rule group.

type: "STATELESS" | "STATEFUL" = 'STATEFUL'

The type of rules in the rule group.

Generated using TypeDoc