Optional Readonly allowed
CIDR blocks allowed to access the application
Optional Readonly global
ARN of an existing global (CLOUDFRONT-scoped) WAF Web ACL to associate with
CloudFront distributions. Must be in us-east-1. Only used when skipGlobalDefaultWaf is true.
Optional Readonly regional
ARN of an existing regional WAF Web ACL to associate with API Gateway and Cognito.
Only used when skipRegionalDefaultWaf is true.
Optional Readonly skip
Skip creating the default global (CLOUDFRONT-scoped) WAF.
When true, no global WAF is created. CloudFront distributions (client UI and admin UI)
will have no WAF protection unless you provide an existing WAF ARN via globalWafArn.
This means no IP allowlisting, rate limiting, or managed rules on the frontend.
For non-us-east-1 deployments that want automatic global WAF creation, leave this
false and configure additional_stacks: [{region: 'us-east-1'}] in mdaa.yaml instead.
Use cases: using AWS Firewall Manager, providing a pre-created global WAF via
globalWafArn, or intentionally running without CloudFront WAF protection.
Optional Readonly skip
Skip creating the default regional WAF.
When true, no regional WAF is created. API Gateway and Cognito will have
no WAF protection unless you provide an existing WAF ARN via regionalWafArn.
Use cases: using AWS Firewall Manager, or providing a pre-created regional WAF.
Optional Readonly waf
Custom WAF rules with priorities
Web Application Firewall configuration for security protection
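
The skip flags and ARN properties above interact, so a preflight check before deployment can catch a front end left without WAF coverage. The following is an added example, not MDAA code: the flat WafOptions shape, the function names and the finding messages are assumptions, and the ARNs are constructed.

```typescript
// Added example, not MDAA code. WafOptions, checkArn, checkWafOptions and the
// finding messages are assumptions; only the four property names are from the page.
interface WafOptions {
  skipGlobalDefaultWaf?: boolean;
  globalWafArn?: string;
  skipRegionalDefaultWaf?: boolean;
  regionalWafArn?: string;
}

// WAFv2 Web ACL ARN: arn:<partition>:wafv2:<region>:<account>:<global|regional>/webacl/<name>/<id>
const WEB_ACL_ARN = /^arn:(?:aws|aws-cn|aws-us-gov):wafv2:([a-z0-9-]+):\d{12}:(global|regional)\/webacl\/[^/]+\/[^/]+$/;

function checkArn(field: string, arn: string, scope: "global" | "regional", out: string[]): void {
  const m = WEB_ACL_ARN.exec(arn);
  if (m === null) {
    out.push(`${field}: not a WAFv2 Web ACL ARN`);
    return;
  }
  if (m[2] !== scope) out.push(`${field}: scope is ${m[2]}, expected ${scope}`);
  // CLOUDFRONT-scoped Web ACLs must be in us-east-1.
  if (scope === "global" && m[1] !== "us-east-1") out.push(`${field}: must be in us-east-1, found ${m[1]}`);
}

function checkWafOptions(o: WafOptions): string[] {
  const out: string[] = [];
  if (o.skipGlobalDefaultWaf === true) {
    if (o.globalWafArn === undefined) out.push("CloudFront distributions get no WAF from this deployment");
    else checkArn("globalWafArn", o.globalWafArn, "global", out);
  } else if (o.globalWafArn !== undefined) {
    out.push("globalWafArn is only used when skipGlobalDefaultWaf is true");
  }
  if (o.skipRegionalDefaultWaf === true) {
    if (o.regionalWafArn === undefined) out.push("API Gateway and Cognito get no WAF from this deployment");
    else checkArn("regionalWafArn", o.regionalWafArn, "regional", out);
  } else if (o.regionalWafArn !== undefined) {
    out.push("regionalWafArn is only used when skipRegionalDefaultWaf is true");
  }
  return out;
}

// Constructed sample: global Web ACL in the wrong region, regional WAF skipped with no ARN.
const SAMPLE: WafOptions = {
  skipGlobalDefaultWaf: true,
  globalWafArn: "arn:aws:wafv2:eu-west-1:123456789012:global/webacl/example/a1b2c3d4",
  skipRegionalDefaultWaf: true,
};
```

A "no WAF from this deployment" finding is expected when AWS Firewall Manager attaches the Web ACL; otherwise treat it as a gap to close before deploying.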