Resources: TestWebACLForCFN: Type: AWS::WAFv2::WebACL Properties: Name: SampleWAF Scope: CLOUDFRONT Description: Sample WAF to test rules DefaultAction: Block: {} VisibilityConfig: SampledRequestsEnabled: true CloudWatchMetricsEnabled: true MetricName: SampleWAF Rules: - Name: AWS-AWSManagedRulesCommonRuleSet Priority: 0 Statement: ManagedRuleGroupStatement: VendorName: AWS Name: AWSManagedRulesCommonRuleSet RuleActionOverrides: - Name: CrossSiteScripting_QUERYARGUMENTS ActionToUse: Count: { } OverrideAction: None: { } VisibilityConfig: SampledRequestsEnabled: true CloudWatchMetricsEnabled: true MetricName: AWS-AWSManagedRulesCommonRuleSet - Name: XSSException Priority: 1 Action: Block: { } VisibilityConfig: SampledRequestsEnabled: true CloudWatchMetricsEnabled: true MetricName: XSSExceptionMetric Statement: AndStatement: Statements: - LabelMatchStatement: Scope: LABEL Key: awswaf:managed:aws:core-rule-set:CrossSiteScripting_QueryArguments - NotStatement: Statement: ByteMatchStatement: FieldToMatch: UriPath: { } PositionalConstraint: CONTAINS SearchString: SamplePage.php TextTransformations: - Type: NONE Priority: 0 - Name: country-level Priority: 2 Action: Count: { } VisibilityConfig: SampledRequestsEnabled: true CloudWatchMetricsEnabled: true MetricName: country-level Statement: GeoMatchStatement: CountryCodes: - US - Name: region-rate-limit Priority: 3 Action: Block: { } VisibilityConfig: SampledRequestsEnabled: true CloudWatchMetricsEnabled: true MetricName: region-rate-limit Statement: RateBasedStatement: Limit: 1000 AggregateKeyType: IP ScopeDownStatement: LabelMatchStatement: Scope: LABEL Key: awswaf:clientip:geo:region:US-OR