Collector "AWS-WAFV2" Configuration Manual

Before reading this document, please read:

Tip

Before using this collector, you must install the "Integration Core Package" and its accompanying third-party dependencies.

1. Configuration Structure

The configuration structure of this collector is as follows:

Field      | Type | Required | Description
regions    | list | Required | List of regions to be collected
regions[#] | str  | Required | Region ID, for example 'cn-north-1'. See the appendix for the complete list.

2. Configuration Examples

Specify Region

Collect instance data from Ningxia and Beijing regions

collector_configs = {
    'regions': [ 'cn-northwest-1', 'cn-north-1' ]
}

Configure Filter (Optional)

This collector script supports custom filters, allowing users to filter target resources based on object attributes. The filter function returns True or False.

  • True: The target resource should be collected.

  • False: The target resource should not be collected.

Supported object attributes for filtering:

Attribute | Description
Name      | Name of the network ACL
Id        | Unique identifier of the network ACL
ARN       | Amazon Resource Name of the entity

# Example: enable the filter and select objects by their Name and Id attributes. The configuration format is as follows:
def filter_instance(instance):
    '''
    Collect instances where Name is xxx and Id is xxx1
    '''
    # return True  # uncomment to collect every instance unconditionally
    instance_name = instance['Name']
    instance_id = instance['Id']
    if instance_name in ['xxx'] and instance_id in ['xxx1']:
        return True
    return False


# `account`, `collector_configs`, `Runner` and `main` are provided by the surrounding
# collector script and the Integration Core Package; they are not shown here.
@DFF.API('AWS-WAF Collection', timeout=3600, fixed_crontab='*/15 * * * *')
def run():
    Runner(main.DataCollector(account, collector_configs, filters=[filter_instance])).run()
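
The following is an added example, not code from the manual or from the collector package. It shows filter functions written against the three attributes listed above (Name, Id, ARN), plus a small driver that applies them with the True/False contract described in this section. `apply_filters`, the sample WebACL records, and the rule that every filter in the list must return True for a resource to be collected are all assumptions of this example, not documented collector behaviour.

```python
# Added example: filters over the Name / Id / ARN attributes exposed to the
# collector's filter hook, and a driver that mirrors the True/False contract.

# Constructed sample records (placeholder values, not real resources). Each dict
# is the kind of object a filter receives.
SAMPLE_WEB_ACLS = [
    {"Name": "prod-edge-waf",
     "Id": "244f5c42-0000-0000-0000-000000000001",
     "ARN": "arn:aws-cn:wafv2:cn-north-1:123456789012:regional/webacl/prod-edge-waf/244f5c42-0000-0000-0000-000000000001"},
    {"Name": "zsh_test_waf",
     "Id": "244f5c42-0000-0000-0000-000000000002",
     "ARN": "arn:aws-cn:wafv2:cn-north-1:123456789012:regional/webacl/zsh_test_waf/244f5c42-0000-0000-0000-000000000002"},
    {"Name": "prod-api-waf",
     "Id": "244f5c42-0000-0000-0000-000000000003",
     "ARN": "arn:aws-cn:wafv2:cn-northwest-1:123456789012:regional/webacl/prod-api-waf/244f5c42-0000-0000-0000-000000000003"},
]


def filter_not_test(instance):
    """Return False for WebACLs whose Name marks them as test resources."""
    return "test" not in instance["Name"].lower()


def region_filter(allowed):
    """Build a one-argument filter that keeps WebACLs whose ARN region field is
    in `allowed`. ARN layout: arn:partition:service:region:account:resource."""
    allowed = set(allowed)

    def _filter(instance):
        parts = instance["ARN"].split(":", 5)
        return len(parts) == 6 and parts[3] in allowed

    return _filter


def apply_filters(resources, filters):
    """Hypothetical driver: a resource is kept only if every filter returns True.
    A filter that raises on a malformed record (missing key, wrong type) is
    treated as False so one bad record does not abort the whole run; that
    defensive choice is this example's, not documented collector behaviour."""
    kept = []
    for resource in resources:
        accepted = True
        for flt in filters:
            try:
                if not flt(resource):
                    accepted = False
                    break
            except (KeyError, TypeError, AttributeError):
                accepted = False
                break
        if accepted:
            kept.append(resource)
    return kept


if __name__ == "__main__":
    selected = apply_filters(SAMPLE_WEB_ACLS, [filter_not_test, region_filter({"cn-north-1"})])
    print([r["Name"] for r in selected])
```

Because the collector calls each filter with a single argument, parameters such as the allowed region set are bound with a closure (`region_filter`) rather than added to the filter's signature.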

3. Data Reporting Format

After data is successfully synchronized, you can view the data in the "Infrastructure - Resource Catalog" of TrueWatch.

Example of reported data:

{
  "measurement": "aws_wafv2",
  "tags": {
    "ARN"                     : "arn:aws-cn:xxxx",
    "Capacity"                : "4",
    "Id"                      : "244f5c42-xxxx",
    "LabelNamespace"          : "awswaf:xxxx",
    "ManagedByFirewallManager": "False",
    "RegionId"                : "cn-north-1",
    "name"                    : "zsh_test_waf"
  },
  "fields": {
    "DefaultAction"   : "{Action to be taken if none of the rules in the WebACL match}",
    "Description"     : "{Description of the webACL}",
    "LockToken"       : "xxxx",
    "Rules"           : "[Rule statements used to identify web requests to manage]",
    "VisibilityConfig": "{Defines and enables AmazonCloudWatch metrics and web request sample collection}",
    "message"         : "{Instance JSON data}"
  }
}

Note

The fields in tags and fields may change with subsequent updates.

Tip

The value of tags.name is the instance ID, which serves as a unique identifier.

Tip

fields.message and fields.Endpoint are both JSON serialized strings.

4. IAM Policy Permissions

Note

If you collect resources by assuming an IAM role, that role must be granted the operation permissions listed below.

This collector requires the following permissions:

  • wafv2:ListWebACLs

  • wafv2:GetWebACL
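
The following is an added example, not part of the manual or the collector package. It builds a least-privilege policy document containing only the two actions listed above and checks whether an existing role policy already covers them, so a missing permission is caught before the collector's scheduled run fails. The policy Sid, the `Resource: "*"` choice, and the simplified matching logic (Allow statements only, `*`/`?` wildcards, no Deny, Condition or Resource evaluation) are assumptions of this example.

```python
# Added example: least-privilege policy for the collector and a coverage check
# of the actions it needs against an arbitrary IAM policy document.
import fnmatch
import json

# The two actions the manual lists for this collector.
REQUIRED_ACTIONS = ("wafv2:ListWebACLs", "wafv2:GetWebACL")


def minimal_collector_policy():
    """Return a policy document granting only the actions the collector calls.
    Resource is "*" because the list call is not scoped to a single WebACL;
    the Sid is an invented label (assumption of this example)."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "Wafv2CollectorReadOnly",
                "Effect": "Allow",
                "Action": list(REQUIRED_ACTIONS),
                "Resource": "*",
            }
        ],
    }


def _as_list(value):
    """IAM allows Statement/Action to be a single string or a list; normalise."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _action_matches(action, pattern):
    """IAM action names are case-insensitive and support '*' and '?' wildcards.
    fnmatch also understands '[...]', which IAM does not; escape brackets first."""
    escaped = pattern.replace("[", "[[]")
    return fnmatch.fnmatchcase(action.lower(), escaped.lower())


def missing_actions(policy, required=REQUIRED_ACTIONS):
    """Return the required actions that no Allow statement in `policy` grants.
    Simplified evaluation: Deny statements, Conditions and Resource scoping are
    ignored, so an empty result means "not obviously missing", not "proven allowed"."""
    allowed_patterns = []
    for statement in _as_list(policy.get("Statement")):
        if statement.get("Effect") != "Allow":
            continue
        allowed_patterns.extend(_as_list(statement.get("Action")))
    return [
        action for action in required
        if not any(_action_matches(action, pat) for pat in allowed_patterns)
    ]


def check_policy_json(policy_text, required=REQUIRED_ACTIONS):
    """Parse a policy document string (for example, the output of
    `aws iam get-role-policy`) and report the missing actions."""
    return missing_actions(json.loads(policy_text), required)


if __name__ == "__main__":
    print(json.dumps(minimal_collector_policy(), indent=2))
    # Constructed sample of a role policy that only grants the List* family.
    partial = json.dumps({"Version": "2012-10-17",
                          "Statement": {"Effect": "Allow", "Action": "wafv2:List*", "Resource": "*"}})
    print("missing:", check_policy_json(partial))
```

Run `check_policy_json` on the policy attached to the role the collector assumes; a non-empty result names the action whose absence would make `wafv2:GetWebACL` or `wafv2:ListWebACLs` calls fail with AccessDenied.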

X. Appendix

Please refer to the AWS official documentation: