# AWS WAF
AWS Systems Manager Automation provides predefined runbooks for AWS WAF. For more information about runbooks, see [Working with runbooks](https://docs.aws.amazon.com/systems-manager/latest/userguide/automation-documents.html). For information about how to view runbook content, see [View runbook content](automation-runbook-reference.md#view-automation-json).
**Topics**
+ [`AWS-AddWAFRegionalRuleToRuleGroup`](AWS-AddWAFRegionalRuleToRuleGroup.md)
+ [`AWS-AddWAFRegionalRuleToWebAcl`](AWS-AddWAFRegionalRuleToWebAcl.md)
+ [`AWSConfigRemediation-EnableWAFClassicLogging`](automation-aws-enable-waf-logging.md)
+ [`AWSConfigRemediation-EnableWAFClassicRegionalLogging`](automation-aws-enable-waf-reg-logging.md)
+ [`AWSConfigRemediation-EnableWAFV2Logging`](automation-aws-enable-wafv2-logging.md)
# `AWS-AddWAFRegionalRuleToRuleGroup`
**Description**
The `AWS-AddWAFRegionalRuleToRuleGroup` runbook adds an existing AWS WAF regional rule to a AWS WAF regional rule group. Only AWS WAF Classic regional rule groups are supported. AWS WAF Classic regional rule groups can have a maximum of 10 rules.
[Run this Automation (console)](https://console.aws.amazon.com/systems-manager/automation/execute/AWS-AddWAFRegionalRuleToRuleGroup)
**Document type**
Automation
**Owner**
Amazon
**Platforms**
Linux, macOS, Windows
**Parameters**
+ AutomationAssumeRole
Type: String
Description: (Optional) The Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role that allows Systems Manager Automation to perform the actions on your behalf. If no role is specified, Systems Manager Automation uses the permissions of the user that starts this runbook.
+ RuleGroupId
Type: String
Description: (Required) The ID of the rule group that you want to update.
+ RulePriority
Type: Integer
Description: (Required) The priority for the new rule. Rule priority determines the order in which rules in a regional group are evaluated. Rules with a lower value have higher priority than rules with a higher value. The value must be a unique integer. If you add multiple rules to a regional rule group, the values don't have to be consecutive.
+ RuleId
Type: String
Description: (Required) The ID for the rule that you want to add to your regional rule group.
+ RuleAction
Type: String
Description: (Required) Specifies the action that AWS WAF takes when a web request matches the conditions of the rule.
Valid values: ALLOW \$1 BLOCK \$1 COUNT
**Required IAM permissions**
The `AutomationAssumeRole` parameter requires the following actions to use the runbook successfully.
+ `ssm:StartAutomationExecution`
+ `ssm:GetAutomationExecution`
+ `waf-regional:GetChangeToken`
+ `waf-regional:GetChangeTokenStatus`
+ `waf-regional:ListActivatedRulesInRuleGroup`
+ `waf-regional:UpdateRuleGroup`
**Document Steps**
+ GetWAFChangeToken (aws:executeAwsApi) - Retrieves a AWS WAF change token to ensure the runbook doesn't submit conflicting requests to the service.
+ AddWAFRuleToWAFRegionalRuleGroup (aws:executeScript) - Adds the specified rule to the AWS WAF regional rule group.
+ VerifyChangeTokenPropagating (aws:waitForAwsResourceProperty) - Verifies the change token has a status of `PENDING` or `INSYNC`.
+ VerifyRuleAddedToRuleGroup (aws:executeScript) - Verifies the specified AWS WAF rule was added to the target regional rule group.
**Outputs**
+ VerifyRuleAddedToRuleGroup.VerifyRuleAddedToRuleGroupResponse - Output of the step verifying that the new rule was aded to the regional rule group.
+ VerifyRuleAddedToRuleGroup.ListActivatedRulesInRuleGroupResponse - Output of the `ListActivatedRulesInRuleGroup` API operation.
# `AWS-AddWAFRegionalRuleToWebAcl`
**Description**
The `AWS-AddWAFRegionalRuleToWebAcl` runbook adds an existing AWS WAF regional rule, rule group or rate-based rule to a AWS WAF Classic regional web access control list (ACL). This runbook doesn't update existing AWS WAF Classic regional web ACL’s that are managed by AWS Firewall Manager.
[Run this Automation (console)](https://console.aws.amazon.com/systems-manager/automation/execute/AWS-AddWAFRegionalRuleToWebAcl)
**Document type**
Automation
**Owner**
Amazon
**Platforms**
Linux, macOS, Windows
**Parameters**
+ AutomationAssumeRole
Type: String
Description: (Optional) The Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role that allows Systems Manager Automation to perform the actions on your behalf. If no role is specified, Systems Manager Automation uses the permissions of the user that starts this runbook.
+ WebACLId
Type: String
Description: (Required) The ID of the web ACL that you want to update.
+ ActivatedRulePriority
Type: Integer
Description: (Required) The priority for the new rule. Rule priority determines the order in which rules in a web ACL are evaluated. Rules with a lower value have higher priority than rules with a higher value. The value must be a unique integer. If you add multiple rules to a regional web ACL, the values don't have to be consecutive.
+ ActivatedRuleRuleId
Type: String
Description: (Required) The ID for the regular rule, rate-based rule, or group you want to add to the web ACL.
+ ActivatedRuleAction
Type: String
Valid values: ALLOW \$1 BLOCK \$1 COUNT
Description: (Optional) Specifies the action that AWS WAF takes when a web request matches the conditions of the rule.
+ ActivatedRuleType
Type: String
Valid values: REGULAR \$1 RATE\$1BASED \$1 GROUP
Default: REGULAR
Description: (Optional) The rule type you're adding to the web ACL. Although this field is optional, note that if you try to add a `RATE_BASED` rule to a web ACL without setting the type, the request fails because the request defaults to a `REGULAR` rule.
**Required IAM permissions**
The `AutomationAssumeRole` parameter requires the following actions to use the runbook successfully.
+ `ssm:StartAutomationExecution`
+ `ssm:GetAutomationExecution`
+ `waf-regional:GetChangeToken`
+ `waf-regional:GetWebACL`
+ `waf-regional:UpdateWebACL`
**Document Steps**
+ DetermineWebACLNotInFMSAndRulePriority (aws:executeScript) - Verifies if the AWS WAF web ACL is in a Firewall Manager security policy and verifies the priority ID doesn't conflict with an existing ACL.
+ AddRuleOrRuleGroupToWebACL (aws:executeScript) - Adds the specified rule to the AWS WAF web ACL.
+ VerifyRuleOrRuleGroupAddedToWebAcl (aws:executeScript) - Verifies the specified AWS WAF rule was added to the target web ACL.
**Outputs**
+ DetermineWebACLNotInFMSAndRulePriority.PrereqResponse: Output from the `DetermineWebACLNotInFMSAndRulePriority` step.
+ VerifyRuleOrRuleGroupAddedToWebAcl.VerifyRuleOrRuleGroupAddedToWebACLResponse: Output from the `AddRuleOrRuleGroupToWebACL` step.
+ VerifyRuleOrRuleGroupAddedToWebAcl.ListActivatedRulesOrRuleGroupsInWebACLResponse: Output of the `VerifyRuleOrRuleGroupAddedToWebAcl` step.
# `AWSConfigRemediation-EnableWAFClassicLogging`
**Description**
The `AWSConfigRemediation-EnableWAFClassicLogging` runbook enables logging to Amazon Data Firehose (Firehose) for the AWS WAF web access control list (web ACL) you specify.
[Run this Automation (console)](https://console.aws.amazon.com/systems-manager/automation/execute/AWSConfigRemediation-EnableWAFClassicRegionalLogging)
**Document type**
Automation
**Owner**
Amazon
**Platforms**
Linux, macOS, Windows
**Parameters**
+ AutomationAssumeRole
Type: String
Description: (Required) The Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role that allows Systems Manager Automation to perform the actions on your behalf.
+ DeliveryStreamName
Type: String
Description: (Required) The name of the Firehose delivery stream that you want to send logs to.
+ WebACLId
Type: String
Description: (Required) The ID of the AWS WAF web ACL that you want to enable logging on.
**Required IAM permissions**
The `AutomationAssumeRole` parameter requires the following actions to use the runbook successfully.
+ `ssm:StartAutomationExecution`
+ `ssm:GetAutomationExecution`
+ `iam:CreateServiceLinkedRole`
+ `waf:GetLoggingConfiguration`
+ `waf:GetWebAcl `
+ `waf:PutLoggingConfiguration `
**Document Steps**
+ `aws:executeAwsApi` - Confirms the delivery stream you specify in the `DeliveryStreamName` exists.
+ `aws:executeAwsApi` - Gathers the ARN of the AWS WAF web ACL specified in the `WebACLId` parameter.
+ `aws:executeAwsApi` - Enables logging for the web ACL.
+ `aws:assertAwsResourceProperty` - Verifies logging has been enabled on the AWS WAF web ACL.
# `AWSConfigRemediation-EnableWAFClassicRegionalLogging`
**Description**
The `AWSConfigRemediation-EnableWAFClassicRegionalLogging` runbook enables logging to Amazon Data Firehose (Firehose) for the AWS WAF web access control list (ACL) you specify.
[Run this Automation (console)](https://console.aws.amazon.com/systems-manager/automation/execute/AWSConfigRemediation-EnableWAFClassicRegionalLogging)
**Document type**
Automation
**Owner**
Amazon
**Platforms**
Linux, macOS, Windows
**Parameters**
+ AutomationAssumeRole
Type: String
Description: (Required) The Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role that allows Systems Manager Automation to perform the actions on your behalf.
+ LogDestinationConfigs
Type: String
Description: (Required) The Amazon Resource Name (ARN) of the Firehose delivery stream that you want to send logs to.
+ WebACLId
Type: String
Description: (Required) The ID of the AWS WAF web ACL that you want to enable logging on.
**Required IAM permissions**
The `AutomationAssumeRole` parameter requires the following actions to use the runbook successfully.
+ `ssm:StartAutomationExecution`
+ `ssm:GetAutomationExecution`
+ `iam:CreateServiceLinkedRole`
+ `waf-regional:GetLoggingConfiguration`
+ `waf-regional:GetWebAcl `
+ `waf-regional:PutLoggingConfiguration `
**Document Steps**
+ `aws:executeAwsApi` - Gathers the ARN of the AWS WAF web ACL specified in the `WebACLId` parameter.
+ `aws:executeAwsApi` - Enables logging for the web ACL.
+ `aws:assertAwsResourceProperty` - Verifies logging has been enabled on the AWS WAF web ACL.
# `AWSConfigRemediation-EnableWAFV2Logging`
**Description**
The `AWSConfigRemediation-EnableWAFV2Logging` runbook enables logging for an AWS WAF (AWS WAFV2) web access control list (web ACL) with the specified Amazon Data Firehose (Firehose) delivery stream.
[Run this Automation (console)](https://console.aws.amazon.com/systems-manager/automation/execute/AWSConfigRemediation-EnableWAFV2Logging)
**Document type**
Automation
**Owner**
Amazon
**Platforms**
Linux, macOS, Windows
**Parameters**
+ AutomationAssumeRole
Type: String
Description: (Required) The Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role that allows Systems Manager Automation to perform the actions on your behalf.
+ LogDestinationConfigs
Type: String
Description: (Required) The Firehose delivery stream ARN that you want to associate with the web ACL.
**Note**
The Firehose delivery stream ARN must begin with the prefix `aws-waf-logs-` . For example, `aws-waf-logs-us-east-2-analytics` . For more information, see [Amazon Data Firehose](https://docs.aws.amazon.com/waf/latest/developerguide/logging-kinesis.html) .
+ WebAclArn
Type: String
Description: (Required) ARN of the web ACL for which logging will be enabled.
**Required IAM permissions**
The `AutomationAssumeRole` parameter requires the following actions to use the runbook successfully.
+ `ssm:StartAutomationExecution`
+ `ssm:GetAutomationExecution`
+ `firehose:DescribeDeliveryStream`
+ `wafv2:PutLoggingConfiguration`
+ `wafv2:GetLoggingConfiguration`
**Document Steps**
+ `aws:executeScript` - Enables logging for the AWS WAFV2 web ACL and verifies that the logging has the specified configuration.