Settings for the AWS WAF policy (type WAFV2) that specifies rule groups to run first in the corresponding AWS WAF Web ACL and rule groups to run last in the Web ACL.

interface WafConfig {
    General: {
        CreateDashboard?: boolean;
        DeployHash?: string;
        FireHoseKeyArn?: string;
        LoggingConfiguration: "S3" | "Firehose";
        Prefix: string;
        S3LoggingBucketName: string;
        SecuredDomain: string[];
        Stage: string;
    };
    WebAcl: {
        Description?: string;
        ExcludeMap?: IEMapProperty;
        ExcludeResourceTags?: boolean;
        IncludeMap: IEMapProperty;
        IPSets?: IPSet[];
        Name: string;
        OverrideCustomerWebACLAssociation?: boolean;
        PostProcess: RuleGroupSet;
        PreProcess: RuleGroupSet;
        RegexPatternSets?: RegexPatternSet[];
        RemediationEnabled?: boolean;
        ResourcesCleanUp?: boolean;
        ResourceTags?: ResourceTagProperty[];
        Scope: "REGIONAL" | "CLOUDFRONT" | WebAclScope;
        Type: WebAclTypeEnum | "ResourceTypeList" | WebAclType;
        TypeList?: WebAclTypeEnum[] | WebAclType[];
    };
}

Properties

General: {
    CreateDashboard?: boolean;
    DeployHash?: string;
    FireHoseKeyArn?: string;
    LoggingConfiguration: "S3" | "Firehose";
    Prefix: string;
    S3LoggingBucketName: string;
    SecuredDomain: string[];
    Stage: string;
}

Type declaration

  • Optional Readonly CreateDashboard?: boolean

    Defines whether to set up a dashboard for your firewall in the central security account. To use this feature, cross-account functionality must be enabled in CloudWatch.

  • Optional Readonly DeployHash?: string
  • Optional Readonly FireHoseKeyArn?: string

    Defines the KMS key to be used for Kinesis Firehose.

  • Readonly LoggingConfiguration: "S3" | "Firehose"

    Defines the selected logging option for the WAF.

  • Readonly Prefix: string

    Defines a prefix which will be added to all resources.

  • Readonly S3LoggingBucketName: string

    Defines the name of the S3 bucket where the firewall logs will be stored.

  • Readonly SecuredDomain: string[]

    Defines the domain(s) that can be checked to audit your WAF.

  • Readonly Stage: string

    Defines a stage which will be added to all resources.

WebAcl: {
    Description?: string;
    ExcludeMap?: IEMapProperty;
    ExcludeResourceTags?: boolean;
    IncludeMap: IEMapProperty;
    IPSets?: IPSet[];
    Name: string;
    OverrideCustomerWebACLAssociation?: boolean;
    PostProcess: RuleGroupSet;
    PreProcess: RuleGroupSet;
    RegexPatternSets?: RegexPatternSet[];
    RemediationEnabled?: boolean;
    ResourcesCleanUp?: boolean;
    ResourceTags?: ResourceTagProperty[];
    Scope: "REGIONAL" | "CLOUDFRONT" | WebAclScope;
    Type: WebAclTypeEnum | "ResourceTypeList" | WebAclType;
    TypeList?: WebAclTypeEnum[] | WebAclType[];
}

Type declaration

  • Optional Readonly Description?: string

    Defines the description of your web application firewall.

  • Optional Readonly ExcludeMap?: IEMapProperty

    Specifies the AWS account IDs and AWS Organizations organizational units (OUs) to exclude from the policy.

    Specifying an OU is the equivalent of specifying all accounts in the OU and in any of its child OUs, including any child OUs and accounts that are added at a later time.

    This is used for the policy's ExcludeMap.

    You can specify account IDs, OUs, or a combination:

    • Specify account IDs by setting the key to ACCOUNT. For example, the following is a valid map: {"ACCOUNT" : ["accountID1", "accountID2"]}.
    • Specify OUs by setting the key to ORGUNIT. For example, the following is a valid map: {"ORGUNIT" : ["ouid111", "ouid112"]}.
    • Specify accounts and OUs together in a single map, separated with a comma. For example, the following is a valid map: {"ACCOUNT" : ["accountID1", "accountID2"], "ORGUNIT" : ["ouid111", "ouid112"]}.
  • Optional Readonly ExcludeResourceTags?: boolean

    Used only when tags are specified in the ResourceTags property. If this property is True, resources with the specified tags are not in scope of the policy. If it's False, only resources with the specified tags are in scope of the policy.

  • Readonly IncludeMap: IEMapProperty

    Specifies the AWS account IDs and AWS Organizations organizational units (OUs) to include in the policy.

    Specifying an OU is the equivalent of specifying all accounts in the OU and in any of its child OUs, including any child OUs and accounts that are added at a later time.

    This is used for the policy's IncludeMap.

    You can specify account IDs, OUs, or a combination:

    • Specify account IDs by setting the key to ACCOUNT. For example, the following is a valid map: {"ACCOUNT" : ["accountID1", "accountID2"]}.
    • Specify OUs by setting the key to ORGUNIT. For example, the following is a valid map: {"ORGUNIT" : ["ouid111", "ouid112"]}.
    • Specify accounts and OUs together in a single map, separated with a comma. For example, the following is a valid map: {"ACCOUNT" : ["accountID1", "accountID2"], "ORGUNIT" : ["ouid111", "ouid112"]}.
  • Optional Readonly IPSets?: IPSet[]

    Contains one or more IP addresses or blocks of IP addresses specified in Classless Inter-Domain Routing (CIDR) notation. AWS WAF supports IPv4 address ranges: /8 and any range between /16 through /32. AWS WAF supports IPv6 address ranges: /24, /32, /48, /56, /64, and /128.
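The IncludeMap / ExcludeMap key rules and the IPSets prefix-length rules above are the two places where a typo in the config only surfaces after deployment. The following is an added example, not code from aws-firewall-factory: a small pre-deployment lint in TypeScript that checks both. It assumes IEMapProperty is a plain object keyed by "ACCOUNT" and "ORGUNIT" (the page does not show its definition) and, because the IPSet shape is likewise not shown here, represents an IP set simply as an array of CIDR strings; the sample values at the bottom are constructed.

```typescript
// Added example (not part of aws-firewall-factory): a pre-deployment lint for
// two WafConfig fields. IEMapProperty is ASSUMED to be a plain object keyed by
// "ACCOUNT" / "ORGUNIT"; IP sets are ASSUMED to be arrays of CIDR strings.
type IEMapProperty = { ACCOUNT?: string[]; ORGUNIT?: string[] };

// 12-digit AWS account ID, and the AWS Organizations OU ID shape (ou-xxxx-xxxxxxxx).
const ACCOUNT_ID = /^\d{12}$/;
const OU_ID = /^ou-[0-9a-z]{4,32}-[a-z0-9]{8,32}$/;

// Returns human-readable problems found in an IncludeMap / ExcludeMap.
function validateIEMap(map: IEMapProperty, label: string): string[] {
  const problems: string[] = [];
  const keys = Object.keys(map);
  if (keys.length === 0) problems.push(`${label}: map has no ACCOUNT or ORGUNIT entries`);
  for (const k of keys) {
    if (k !== "ACCOUNT" && k !== "ORGUNIT") problems.push(`${label}: unsupported key "${k}"`);
  }
  for (const id of map.ACCOUNT ?? []) {
    if (!ACCOUNT_ID.test(id)) problems.push(`${label}: "${id}" is not a 12-digit account ID`);
  }
  for (const ou of map.ORGUNIT ?? []) {
    if (!OU_ID.test(ou)) problems.push(`${label}: "${ou}" is not an OU ID (ou-xxxx-xxxxxxxx)`);
  }
  return problems;
}

// Entries that appear in both maps deserve a second look before deployment.
function listedInBothMaps(include: IEMapProperty, exclude: IEMapProperty): string[] {
  const excluded = new Set((exclude.ACCOUNT ?? []).concat(exclude.ORGUNIT ?? []));
  return (include.ACCOUNT ?? []).concat(include.ORGUNIT ?? []).filter((x) => excluded.has(x));
}

// Prefix lengths AWS WAF accepts, per the IPSets description:
// IPv4: /8 and /16 through /32; IPv6: /24, /32, /48, /56, /64 and /128.
const IPV6_PREFIXES = [24, 32, 48, 56, 64, 128];

// True when the CIDR is syntactically valid AND its prefix length is one AWS WAF accepts.
function cidrSupported(cidr: string): boolean {
  const m = /^([^\/]+)\/(\d{1,3})$/.exec(cidr.trim());
  if (m === null) return false;
  const addr = m[1];
  const len = Number(m[2]);
  if (/^\d{1,3}(\.\d{1,3}){3}$/.test(addr)) {
    const octetsOk = addr.split(".").every((o) => Number(o) <= 255);
    return octetsOk && (len === 8 || (len >= 16 && len <= 32));
  }
  // Loose IPv6 syntax check: hex groups and colons, at most one "::".
  const v6Syntax =
    /^[0-9a-fA-F:]+$/.test(addr) && addr.includes(":") && addr.split("::").length <= 2;
  return v6Syntax && IPV6_PREFIXES.indexOf(len) !== -1;
}

// Returns the entries of an IP set that AWS WAF would reject.
function unsupportedAddresses(addresses: string[]): string[] {
  return addresses.filter((a) => !cidrSupported(a));
}

// Constructed sample input (not real account, OU or address data).
const sampleInclude: IEMapProperty = { ORGUNIT: ["ou-abcd-12345678"] };
const sampleExclude: IEMapProperty = { ACCOUNT: ["123456789012", "12345"] };
const sampleAddresses = ["10.0.0.0/8", "192.0.2.0/24", "10.0.0.0/12", "2001:db8::/32", "2001:db8::/40"];

for (const p of validateIEMap(sampleInclude, "IncludeMap")) console.log(p);
for (const p of validateIEMap(sampleExclude, "ExcludeMap")) console.log(p);
for (const d of listedInBothMaps(sampleInclude, sampleExclude)) console.log(`listed in both maps: ${d}`);
for (const a of unsupportedAddresses(sampleAddresses)) console.log(`unsupported CIDR: ${a}`);
```

Run against the constructed input it reports the malformed account ID "12345" and the two CIDRs (/12 for IPv4, /40 for IPv6) whose prefix lengths fall outside the supported set; wiring it into a pre-commit or CI step keeps such mistakes from reaching the Firewall Manager policy.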

  • Readonly Name: string

    Defines the name of your web application firewall.

  • Optional Readonly OverrideCustomerWebACLAssociation?: boolean

    Replace web ACLs that are currently associated with in-scope resources with the web ACLs created by this policy. Default is False.

  • Readonly PostProcess: RuleGroupSet

    Defines a set of custom rules and AWS managed rule groups that run last in the web ACL, after the PreProcess rule groups.

  • Readonly PreProcess: RuleGroupSet

    Defines a set of custom rules and AWS managed rule groups that run first in the web ACL, before the PostProcess rule groups.

  • Optional Readonly RegexPatternSets?: RegexPatternSet[]

    The RegexPatternSet specifies the regular expression (regex) pattern that you want AWS WAF to search for, such as B[a@]dB[o0]t. You can then configure AWS WAF to reject those requests.

  • Optional Readonly RemediationEnabled?: boolean

    Indicates if the policy should be automatically applied to new resources.

  • Optional Readonly ResourcesCleanUp?: boolean

    Indicates whether AWS Firewall Manager should automatically remove protections from resources that leave the policy scope and clean up resources that Firewall Manager is managing for accounts when those accounts leave policy scope. For example, Firewall Manager will disassociate a Firewall Manager managed web ACL from a protected customer resource when the customer resource leaves policy scope.

  • Optional Readonly ResourceTags?: ResourceTagProperty[]

    An array of ResourceTag objects, used to explicitly include resources in the policy scope or explicitly exclude them. If this isn't set, then tags aren't used to modify policy scope. See also ExcludeResourceTags.

  • Readonly Scope: "REGIONAL" | "CLOUDFRONT" | WebAclScope

    Specifies whether this is for an Amazon CloudFront distribution or for a regional application. A regional application can be

    • an Application Load Balancer (ALB),
    • an Amazon API Gateway REST API,
    • an AWS AppSync GraphQL API,
    • an Amazon Cognito user pool,
    • an AWS App Runner service,
    • or an AWS Verified Access instance.

    Valid values are CLOUDFRONT and REGIONAL.

  • Readonly Type: WebAclTypeEnum | "ResourceTypeList" | WebAclType

    The type of resource protected by or in scope of the policy. To apply this policy to multiple resource types, specify a resource type of ResourceTypeList and then specify the resource types in a ResourceTypeList.

  • Optional Readonly TypeList?: WebAclTypeEnum[] | WebAclType[]

    Enum of supported web ACL types. Used together with Type set to ResourceTypeList to list the resource types the policy applies to.