fms-webacl-resource-policy-check

Checks if the web ACL is associated with an Application Load Balancer, API Gateway stage, or Amazon CloudFront distributions. When AWS Firewall Manager creates this rule, the FMS policy owner specifies the WebACLId in the FMS policy and can optionally enable remediation.

Identifier: FMS_WEBACL_RESOURCE_POLICY_CHECK

Resource Types: AWS::CloudFront::Distribution, AWS::ApiGateway::Stage, AWS::ElasticLoadBalancingV2::LoadBalancer, AWS::WAFRegional::WebACL

Trigger type: Configuration changes

AWS Region: All supported AWS regions except US ISO West (Northern California), US ISO East, Asia Pacific (Malaysia), US ISOB East (Ohio), Canada West (Calgary) Region

Parameters:

webACLId
Type: String: The WebACLId of the web ACL.
resourceTags (Optional)
Type: String: The resource tags (ApplicationLoadBalancer, ApiGatewayStage and CloudFront distributions) that the rule should be associated with. (for example, { "tagKey1" : ["tagValue1"], "tagKey2" : ["tagValue2", "tagValue3"] })
excludeResourceTags (Optional)
Type: boolean: If true, exclude resources that match resourceTags.
fmsManagedToken (Optional)
Type: String: A token generated by AWS Firewall Manager when creating the rule in customer account. AWS Config ignores this parameter when customer creates this rule.
fmsRemediationEnabled (Optional)
Type: boolean: If true, AWS Firewall Manager will update non-compliant resources according to FMS policy. AWS Config ignores this parameter when customer creates this rule.

AWS CloudFormation template

To create AWS Config managed rules with AWS CloudFormation templates, see Creating AWS Config Managed Rules With AWS CloudFormation Templates.

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

fms-shield-resource-policy-check

fms-webacl-rulegroup-association-check