How to configure WAF Config for AWS WAF v2
AWS WAF v2Old PlanNew PlanAdvancedLegacyUsage
Overview
This article explains how to configure the WAF Config for AWS WAF v2.
The credential configuration must be completed before proceeding. If you have not completed the Credential configuration and do not have any Credential Store registered, please complete the Credential configuration first.
Procedure
- Click [WAF] on the left menu
- Click [Add] on the upper right corner of the WAF Config section.
- Select the registered Credential.
- Select the region where the target web ACL exists.
- If you are using the old plan, choose [V2] under [WebACL version].
[V2] refers to AWS WAF v2.
This option does not exist for the new plan users because only AWS WAF v2 is available.
- Click [Get web ACLs].
- Select the web ACL you want to apply WafCharm to and click [Next].
If you check the [Show configured web ACLs] checkbox, you can see the list of web ACLs currently using WafCharm.
Please keep in mind that you cannot re-register WafCharm for the web ACLs that already have WafCharm configured.
- Check the WAF Config name.
The web ACL name will automatically be entered. You can change the name to another value as well.
- If you are using the new plan, select a rule policy from the [Rule policy] drop-down menu. If you are using the old plan, this option will be unavailable.
Advanced: This is a new rule structure released with the WafCharm Console. It allows the configuration of rules such as rate-based rules, geo-match rules, and bot rules.
Legacy: A rule structure that has been available from the old WafCharm Dashboard. It allows the configuration of IP address-related rules.
- Select the Credential Store.
This is the credential information WafCharm uses to update your web ACL.
You do not have to use the same credential store used to search web ACLs.
- Follow the steps below based on the rule policy you chose in the previous steps.
If you chose the Advanced rule policy
- Configure each rule type in the [Rule configuration].
- IP addresses
- Geo-match
- Rate-based
- Bot
- Regular expressions (regex)
- Exceptions
- Configure WAF log integrations in [Log and Notification configuration].
How to configure WAF log integration (new method) for AWS WAF v2 Advanced
If you enable WAF log retrieval, several features, such as dynamic denylist, will also be enabled.
If you want to use these features, check the [Enable WAF log retrieval] checkbox and complete the configurations by following the instructions on the page.
If your WAF logs contain personal information, please refer to the AWS document [Web ACL logging configuration] and redact those fields beforehand.
- Confirm the registered information and click [Add].
If you want to adjust the configurations, click the [Go back] button to fix any settings.
- Wait for the loading icon to the left of the WAF Config you registered to turn into a green check mark.
If you chose the Legacy rule policy
- Configure each rule type in the [Rule configuration].
Rule configurations in WAF Config (AWS WAF v2)
- IP addresses
- Exceptions
- Complete the log-related configurations in the [Log and Notification configuration].
How to configure access logs/WAF log integration for AWS WAF v2 Legacy
- Access log retrieval (required for ALB and CloudFront users)
- WAF log integration (optional)
- WAF log alert (optional)
Enabling WAF log retrieval is optional. If you want to refrain from configuring this option, do not check the [Enable WAF log retrieval] checkbox under the [WAF log retrieval] tab when adding a WAF Config. In addition, please avoid configuring the old method (Lambda method).
- Confirm the registered information and click [Add].
If you want to adjust the configurations, click the [Go back] button to fix any settings.
- Wait for the loading icon to the left of the WAF Config you registered to turn into a green check mark.