-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathNetworkFirewall.yaml
61 lines (54 loc) · 2.88 KB
/
NetworkFirewall.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
Parameters:
FWVPCId:
Description: VPC to create the firewall in
Type: AWS::EC2::VPC::Id
FWSubnet1:
Type: AWS::EC2::Subnet::Id
Description: The first subnet to create the firewall in
FWSubnet2:
Type: AWS::EC2::Subnet::Id
Description: The second subnet to create the firewall in
Resources:
#https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-networkfirewall-firewall.html
EpicFirewall:
Type: AWS::NetworkFirewall::Firewall
Properties:
FirewallName: EpicNetworkFirewall
FirewallPolicyArn: !Ref EpicFWPolicy
VpcId: !Ref FWVPCId
SubnetMappings:
- SubnetId: !Ref FWSubnet1
- SubnetId: !Ref FWSubnet2
Description: Firewall for Epic traffic incoming from Internet
#https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-networkfirewall-firewallpolicy.html
EpicFWPolicy:
Type: AWS::NetworkFirewall::FirewallPolicy
Properties:
FirewallPolicyName: ManagedEpicFWPolicy
FirewallPolicy:
StatelessDefaultActions:
- 'aws:pass'
StatelessFragmentDefaultActions:
- 'aws:drop'
StatefulRuleGroupReferences:
- ResourceArn: 'arn:aws:network-firewall:us-east-2:aws-managed:stateful-rulegroup/ThreatSignaturesIOCActionOrder'
- ResourceArn: 'arn:aws:network-firewall:us-east-2:aws-managed:stateful-rulegroup/ThreatSignaturesEmergingEventsActionOrder'
- ResourceArn: 'arn:aws:network-firewall:us-east-2:aws-managed:stateful-rulegroup/ThreatSignaturesExploitsActionOrder'
- ResourceArn: 'arn:aws:network-firewall:us-east-2:aws-managed:stateful-rulegroup/ThreatSignaturesMalwareActionOrder'
- ResourceArn: 'arn:aws:network-firewall:us-east-2:aws-managed:stateful-rulegroup/ThreatSignaturesBotnetWindowsActionOrder'
- ResourceArn: 'arn:aws:network-firewall:us-east-2:aws-managed:stateful-rulegroup/ThreatSignaturesBotnetWebActionOrder'
- ResourceArn: 'arn:aws:network-firewall:us-east-2:aws-managed:stateful-rulegroup/ThreatSignaturesBotnetActionOrder'
Description: Epic FW Policy containing AWS Managed stateful rule groups
#https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-route.html
RouteInspectionTGW1toFW:
Type: AWS::EC2::Route
Properties:
RouteTableId: !ImportValue EpicRO-InspectionTGW1RT
DestinationCidrBlock: 0.0.0.0/0
VpcEndpointId: !Select [ 0, !Split [ ',', !Select [ 1 , !Split [ 'a:', !Join [ ',', !GetAtt EpicFirewall.EndpointIds ] ] ] ] ]
RouteInspectionTGW2toFW:
Type: AWS::EC2::Route
Properties:
RouteTableId: !ImportValue EpicRO-InspectionTGW2RT
DestinationCidrBlock: 0.0.0.0/0
VpcEndpointId: !Select [ 0, !Split [ ',', !Select [ 1 , !Split [ 'b:', !Join [ ',', !GetAtt EpicFirewall.EndpointIds ] ] ] ] ]