AWS Route 53 Resolver Firewall Rule

This page shows how to write Terraform and CloudFormation for Route 53 Resolver Firewall Rule and write them securely.

aws_route53_resolver_firewall_rule (Terraform)

The Firewall Rule in Route 53 Resolver can be configured in Terraform with the resource name aws_route53_resolver_firewall_rule. The following sections describe how to use the resource and its parameters.

Example Usage from GitHub

An example could not be found in GitHub.

Review your Terraform file for AWS best practices

Shisho Cloud, our free checker to make sure your Terraform configuration follows best practices, is available (beta).

Parameters

The following arguments are supported:

  • name - (Required) A name that lets you identify the rule, to manage and use it.
  • action - (Required) The action that DNS Firewall should take on a DNS query when it matches one of the domains in the rule's domain list. Valid values: ALLOW, BLOCK, ALERT.
  • block_override_dns_type - (Required if block_response is OVERRIDE) The DNS record's type. This determines the format of the record value that you provide in block_override_domain. Valid values: CNAME.
  • block_override_domain - (Required if block_response is OVERRIDE) The custom DNS record to send back in response to the query.
  • block_override_ttl - (Required if block_response is OVERRIDE) The recommended amount of time, in seconds, for the DNS resolver or web browser to cache the provided override record. Minimum value of 0. Maximum value of 604800.
  • block_response - (Required if action is BLOCK) The way that you want DNS Firewall to block the request. Valid values: NODATA, NXDOMAIN, OVERRIDE.
  • firewall_domain_list_id - (Required) The ID of the domain list that you want to use in the rule.
  • firewall_rule_group_id - (Required) The unique identifier of the firewall rule group where you want to create the rule.
  • priority - (Required) The setting that determines the processing order of the rule in the rule group. The value must be unique within the rule group. DNS Firewall processes the rules in a rule group by order of priority, starting from the lowest setting, and applies the first rule whose domain list matches the query.

In addition to all arguments above, the following attributes are exported:

  • id - The ID of the rule.
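The arguments above only make sense together with a domain list, a rule group and a VPC association, so here is an added, complete Terraform example (not code from the original page or from the provider documentation). The domain names, resource names, the sinkhole host and the vpc_id variable are assumptions made up for the example. It shows the two rule patterns a practitioner usually needs: an ALLOW rule for trusted names at the lowest priority (evaluated first, so it cannot be shadowed by the block list), and a BLOCK rule whose OVERRIDE response returns a CNAME to a sinkhole you control.

```hcl
# Added example, not from the original page. Names, domains and the
# sinkhole host below are assumptions for illustration only.

variable "vpc_id" {
  description = "VPC whose Resolver queries the rule group should filter (assumed)"
  type        = string
}

# Constructed sample domain lists. "*.phish.example" is a wildcard entry
# that matches every subdomain of phish.example.
resource "aws_route53_resolver_firewall_domain_list" "blocklist" {
  name    = "example-blocklist"
  domains = ["malicious.example", "*.phish.example"]
}

resource "aws_route53_resolver_firewall_domain_list" "allowlist" {
  name    = "example-allowlist"
  domains = ["login.corp.example"]
}

resource "aws_route53_resolver_firewall_rule_group" "this" {
  name = "example-rule-group"
}

# Lowest priority is evaluated first and the first matching rule wins,
# so the allow list must have a lower priority than any block rule.
resource "aws_route53_resolver_firewall_rule" "allow_corp" {
  name                    = "allow-corp"
  action                  = "ALLOW"
  firewall_domain_list_id = aws_route53_resolver_firewall_domain_list.allowlist.id
  firewall_rule_group_id  = aws_route53_resolver_firewall_rule_group.this.id
  priority                = 100
}

# BLOCK with OVERRIDE: instead of NXDOMAIN the client receives a CNAME to a
# sinkhole host, which lets you observe which clients tried to resolve a
# blocked name. The three block_override_* arguments are mandatory here.
resource "aws_route53_resolver_firewall_rule" "block_bad" {
  name                    = "block-bad"
  action                  = "BLOCK"
  block_response          = "OVERRIDE"
  block_override_dns_type = "CNAME"
  block_override_domain   = "sinkhole.corp.example"
  block_override_ttl      = 60
  firewall_domain_list_id = aws_route53_resolver_firewall_domain_list.blocklist.id
  firewall_rule_group_id  = aws_route53_resolver_firewall_rule_group.this.id
  priority                = 200
}

# Nothing is enforced until the rule group is associated with a VPC.
# mutation_protection stops the association from being changed or deleted
# without first disabling the protection.
resource "aws_route53_resolver_firewall_rule_group_association" "this" {
  name                   = "example-association"
  firewall_rule_group_id = aws_route53_resolver_firewall_rule_group.this.id
  priority               = 101
  vpc_id                 = var.vpc_id
  mutation_protection    = "ENABLED"
}

# Fail closed: if DNS Firewall cannot evaluate a query, the query is dropped
# rather than answered unfiltered. DISABLED is the default, set explicitly
# so a later change is visible in review.
resource "aws_route53_resolver_firewall_config" "this" {
  resource_id        = var.vpc_id
  firewall_fail_open = "DISABLED"
}
```

If you are introducing a new block list, start the rule with action = "ALERT" and the same domain list, confirm in Resolver query logs that only the expected names match, then switch it to BLOCK; an ALERT rule by itself never changes what clients receive. Choose NXDOMAIN when you do not need sinkhole telemetry, since an OVERRIDE CNAME pointing at a host you do not control simply redirects the client elsewhere.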

Explanation in Terraform Registry

Provides a Route 53 Resolver DNS Firewall rule resource.

AWS::Route53Resolver::FirewallRuleGroup FirewallRule (CloudFormation)

The FirewallRule in Route53Resolver is configured in CloudFormation as the AWS::Route53Resolver::FirewallRuleGroup FirewallRule property type, one entry of the FirewallRules list on the AWS::Route53Resolver::FirewallRuleGroup resource. The following sections describe how to use the property type and its parameters.

Example Usage from GitHub

An example could not be found in GitHub.

Parameters

Action The action that DNS Firewall should take on a DNS query when it matches one of the domains in the rule's domain list:

  • ALLOW - Permit the request to go through.
  • ALERT - Permit the request to go through but send an alert to the logs.
  • BLOCK - Disallow the request. If this is specified, then BlockResponse must also be specified.

If BlockResponse is OVERRIDE, then all of the following OVERRIDE attributes must be specified:

  • BlockOverrideDnsType
  • BlockOverrideDomain
  • BlockOverrideTtl

Required: Yes
Type: String
Allowed values: ALERT | ALLOW | BLOCK
Update requires: No interruption

BlockOverrideDnsType The DNS record's type. This determines the format of the record value that you provided in BlockOverrideDomain. Used for the rule action BLOCK with a BlockResponse setting of OVERRIDE.
Required: No
Type: String
Allowed values: CNAME
Update requires: No interruption

BlockOverrideDomain The custom DNS record to send back in response to the query. Used for the rule action BLOCK with a BlockResponse setting of OVERRIDE.
Required: No
Type: String
Minimum: 1
Maximum: 255
Update requires: No interruption

BlockOverrideTtl The recommended amount of time, in seconds, for the DNS resolver or web browser to cache the provided override record. Used for the rule action BLOCK with a BlockResponse setting of OVERRIDE.
Required: No
Type: Integer
Update requires: No interruption

BlockResponse The way that you want DNS Firewall to block the request. Used for the rule action setting BLOCK.

  • NODATA - Respond indicating that the query was successful, but no response is available for it.
  • NXDOMAIN - Respond indicating that the domain name that's in the query doesn't exist.
  • OVERRIDE - Provide a custom override in the response. This option requires custom handling details in the rule's BlockOverride* settings.

Required: No
Type: String
Allowed values: NODATA | NXDOMAIN | OVERRIDE
Update requires: No interruption

FirewallDomainListId The ID of the domain list that's used in the rule.
Required: Yes
Type: String
Minimum: 1
Maximum: 64
Update requires: No interruption

Priority The priority of the rule in the rule group. This value must be unique within the rule group. DNS Firewall processes the rules in a rule group by order of priority, starting from the lowest setting.
Required: Yes
Type: Integer
Update requires: No interruption

Explanation in CloudFormation Registry

A single firewall rule in a rule group.

Frequently asked questions

What is AWS Route 53 Resolver Firewall Rule?

AWS Route 53 Resolver Firewall Rule is a resource for Route 53 Resolver of Amazon Web Services. Settings can be written in Terraform and CloudFormation.