
aws-waf-security-automations's Issues

How to handle stack updates

I see custom-resource.py is handling stack update in a destructive manner:

def update_stack(stack_name, resource_properties):
    print("[update_stack] Start")
    delete_stack(stack_name, resource_properties)
    create_stack(resource_properties)
    print("[update_stack] End")

Is there a reason to do it this way? With this, any changes made to the whitelist and any additional custom WAF rules we add will be lost. Of course there doesn't seem to be anything to invoke updates on custom resources, or I missed it.

Can we have some guidance on managing updates to this stack without any data loss? We do edit the stack and deploy additional rules, but even without those there is a risk of data loss.

Whitelisting some application URLs

Hi,
I've deployed this solution to test it with our application and so far so good. I have one concern regarding the log reader lambda function and DDoS attack protection. There are several URLs in our application that generate numerous page requests; we don't want the IPs making those requests to end up blocked. Is there a way to "whitelist" application URLs? I only see a way to whitelist IP addresses.

Thanks.

Inconsistent "aws-waf-security-automations-alb.template"

Hi,

After multiple deployments of the CloudFormation stack using aws-waf-security-automations-alb.template, I realized there are 2 versions of the template.

Template from docs.aws.amazon.com is different than Github awslabs/aws-waf-security-automations/deployment/.

I jumped to search for the WAF template on GitHub directly and discovered the stack fails to build when using the GitHub version.

Please address the differences as this can cause potential confusion.

Error while running build-s3-dist.sh

$ ./build-s3-dist.sh elasticbeanstalk-us-east-1-937929xxxxx
rm -rf dist
mkdir -p dist
Staring to build distribution
------------------------------------------------------------------------------
Updating Templates
------------------------------------------------------------------------------
cp -f aws-waf-security-automations.template dist
cp -f aws-waf-security-automations-alb.template dist
Updating code source bucket in template with elasticbeanstalk-us-east-1-937929xxxxx
sed -i '' -e s/%%BUCKET_NAME%%/elasticbeanstalk-us-east-1-937929xxxxx/g dist/aws-waf-security-automations.template
sed: can't read : No such file or directory
sed -i '' -e s/%%BUCKET_NAME%%/elasticbeanstalk-us-east-1-937929xxxxx/g dist/aws-waf-security-automations-alb.template
sed: can't read : No such file or directory
------------------------------------------------------------------------------

Raising reputation list to support the new 10000 ip per ipset

Hi,

Yesterday I came across this news :
https://aws.amazon.com/about-aws/whats-new/2017/05/limit-increase-for-ipset-conditions-for-aws-waf/

The limit per IP set was increased from 1000 to 10 000 about a month ago.
The reputation list parser has not been updated to reflect that change, and so both list #1 and #2 still only include up to 1000 IPs.

Looking at :
https://github.com/awslabs/aws-waf-security-automations/blob/master/code/reputation-lists-parser/reputation-lists-parser.js
We can see the variable "var maxDescriptorsPerIpSet = 1000;"
I changed it directly in my lambda function to "var maxDescriptorsPerIpSet = 10000;"
Waited 1 hour for the function to run again, and it seems to work perfectly.

Before we only had 2 000 entries in the 2 IP sets, and now I have the whole list, close to 12 000 entries.
Could it be interesting to update this template to reflect that change?

Vulnerability Found issue

Hi,

When I try to do the deployment as per the instructions, I am getting the result:
"found 64 vulnerabilities (11 low, 39 moderate, 14 high) in 4042 scanned packages
run npm audit fix to fix 1 of them."
I tried to update npm but no luck. I am running with npm 6.4.1 & node 8.15.

I am not a developer and new to this Git. Just wanted to check: will those vulnerabilities cause any issue if I use this WAF template? Kindly suggest.

LogParser functionality is broken

LogParser is supposed to have a REQUEST_PER_MINUTE_LIMIT environment variable that references the RequestThreshold parameter. Because it doesn't, the function get_outstanding_requesters never fully runs and the entire lambda is useless.

Please merge the relevant pull request, or add the relevant code to your own cloudformation stack if you are a user.

Make BLOCK_ERROR_CODES configurable

Use Case

We would like to block an IP address after an unusual amount of invalid login attempts. Our API returns a 401 status code for these attempts; however, the log parser only matches against a list of ['400','403','404','405'].

Proposed Solution

Make BLOCK_ERROR_CODES an environment variable and change the implementation to use a Regex instead of a list

XSS Rule blocks upload images on wordpress

The XSS rule blocks the uploads of some images from the WP backoffice.

I deleted the rule "Body contains a cross-site scripting threat after decoding as URL" and it stopped blocking the uploads.

CREATE_FAILED -- AWS::IAM::Role -- SolutionHelperRole

Third time's usually a charm; however, I seem to be stuck here:

API: iam:CreateRole User: arn:aws:sts::xxxxxxxxxxxxxxxx:assumed-role/Technical-Magic-AWS-WAF-Role/AWSCloudFormation is not authorized to perform: iam:CreateRole on resource: arn:aws:iam::xxxxxxxxxxxxxxxxx:role/Technical-Magic-AWS-WAF-Stack-SolutionHelperRole-XXXXXXXXXXXXXXX

I have created a Role (Technical-Magic-AWS-WAF-Role) and assigned the policy: arn:aws:iam::aws:policy/AWSWAFFullAccess and pointed to it during the initial configuration phase of the Stack template however I'm stumped as to how to move forward with this.

There is no iam:CreateRole in the list of policies. I do see an IAMFullAccess but am unsure if that is too powerful. Perhaps if I use that on a temp basis it might work? I HATE guessing, however.

What are the (minimum) Roles that need to be assigned in order to implement this stack please?

Write of

Hi -
great work!
I'm getting a write failure (403) from Log-parser.py line 153:
response = s3.head_object(Bucket=environ['OUTPUT_BUCKET'], Key=OUTPUT_FILE_NAME)

An error occurred (403) when calling the HeadObject operation: Forbidden

I see the bucket does exist and the IAM policy is set to "Action": "s3:PutObject" for the upload file:
aws-waf-security-automations-current-blocked-ips.json

No errors from the download operation.

Any ideas?
Everything else is working great.

Fix cfn-lint issues in CFN templates

The CloudFormation templates provided by this project have a number of failures from cfn-lint that could be addressed.

W3005 Obsolete DependsOn on resource (WAFWhitelistSet), dependency already enforced by a "Ref" at Resources/WAFWhitelistRule/Properties/Predicates/0/DataId/Ref/WAFWhitelistSet
aws-waf-security-automations-alb.template:378:7

W3005 Obsolete DependsOn on resource (WAFBlacklistSet), dependency already enforced by a "Ref" at Resources/WAFBlacklistRule/Properties/Predicates/0/DataId/Ref/WAFBlacklistSet
aws-waf-security-automations-alb.template:398:7

W3005 Obsolete DependsOn on resource (WAFScansProbesSet), dependency already enforced by a "Ref" at Resources/WAFScansProbesRule/Properties/Predicates/0/DataId/Ref/WAFScansProbesSet
aws-waf-security-automations-alb.template:418:7

W3005 Obsolete DependsOn on resource (WAFReputationListsSet1), dependency already enforced by a "Ref" at Resources/WAFIPReputationListsRule1/Properties/Predicates/0/DataId/Ref/WAFReputationListsSet1
aws-waf-security-automations-alb.template:438:7

E3012 Property Resources/WAFIPReputationListsRule1/Properties/Predicates/0/Negated should be of type Boolean
aws-waf-security-automations-alb.template:451:11

W3005 Obsolete DependsOn on resource (WAFReputationListsSet2), dependency already enforced by a "Ref" at Resources/WAFIPReputationListsRule2/Properties/Predicates/0/DataId/Ref/WAFReputationListsSet2
aws-waf-security-automations-alb.template:458:7

E3012 Property Resources/WAFIPReputationListsRule2/Properties/Predicates/0/Negated should be of type Boolean
aws-waf-security-automations-alb.template:471:11

W3005 Obsolete DependsOn on resource (WAFBadBotSet), dependency already enforced by a "Ref" at Resources/WAFBadBotRule/Properties/Predicates/0/DataId/Ref/WAFBadBotSet
aws-waf-security-automations-alb.template:478:7

E3012 Property Resources/WAFBadBotRule/Properties/Predicates/0/Negated should be of type Boolean
aws-waf-security-automations-alb.template:491:11

W3005 Obsolete DependsOn on resource (WAFSqlInjectionDetection), dependency already enforced by a "Ref" at Resources/WAFSqlInjectionRule/Properties/Predicates/0/DataId/Ref/WAFSqlInjectionDetection
aws-waf-security-automations-alb.template:498:7

W3005 Obsolete DependsOn on resource (WAFXssDetection), dependency already enforced by a "Ref" at Resources/WAFXssRule/Properties/Predicates/0/DataId/Ref/WAFXssDetection
aws-waf-security-automations-alb.template:518:7

W3005 Obsolete DependsOn on resource (WAFWhitelistRule), dependency already enforced by a "Ref" at Resources/WAFWebACL/Properties/Rules/0/RuleId/Ref/WAFWhitelistRule
aws-waf-security-automations-alb.template:538:7

W3005 Obsolete DependsOn on resource (LambdaRoleLogParser), dependency already enforced by a "Fn:GetAtt" at Resources/LambdaWAFLogParserFunction/Properties/Role/Fn::GetAtt/['LambdaRoleLogParser', 'Arn']
aws-waf-security-automations-alb.template:680:7

W3005 Obsolete DependsOn on resource (WAFBlacklistSet), dependency already enforced by a "Ref" at Resources/LambdaWAFLogParserFunction/Properties/Environment/Variables/IP_SET_ID_BLACKLIST/Ref/WAFBlacklistSet
aws-waf-security-automations-alb.template:680:7

W3005 Obsolete DependsOn on resource (WAFScansProbesSet), dependency already enforced by a "Ref" at Resources/LambdaWAFLogParserFunction/Properties/Environment/Variables/IP_SET_ID_AUTO_BLOCK/Ref/WAFScansProbesSet
aws-waf-security-automations-alb.template:680:7

E3012 Property Resources/LambdaWAFLogParserFunction/Properties/MemorySize should be of type Integer
aws-waf-security-automations-alb.template:739:9

E3012 Property Resources/LambdaWAFLogParserFunction/Properties/Timeout should be of type Integer
aws-waf-security-automations-alb.template:740:9

W3005 Obsolete DependsOn on resource (LambdaWAFLogParserFunction), dependency already enforced by a "Fn:GetAtt" at Resources/LambdaInvokePermissionLogParser/Properties/FunctionName/Fn::GetAtt/['LambdaWAFLogParserFunction', 'Arn']
aws-waf-security-automations-alb.template:746:7

W3005 Obsolete DependsOn on resource (LambdaRoleReputationListsParser), dependency already enforced by a "Fn:GetAtt" at Resources/LambdaWAFReputationListsParserFunction/Properties/Role/Fn::GetAtt/['LambdaRoleReputationListsParser', 'Arn']
aws-waf-security-automations-alb.template:876:7

E3012 Property Resources/LambdaWAFReputationListsParserFunction/Properties/MemorySize should be of type Integer
aws-waf-security-automations-alb.template:897:9

E3012 Property Resources/LambdaWAFReputationListsParserFunction/Properties/Timeout should be of type Integer
aws-waf-security-automations-alb.template:898:9

W3005 Obsolete DependsOn on resource (LambdaWAFReputationListsParserFunction), dependency already enforced by a "Fn:GetAtt" at Resources/LambdaWAFReputationListsParserEventsRule/Properties/Targets/0/Arn/Fn::GetAtt/['LambdaWAFReputationListsParserFunction', 'Arn']
aws-waf-security-automations-alb.template:914:7

W3005 Obsolete DependsOn on resource (WAFReputationListsSet1), dependency already enforced by a "Ref" at Resources/LambdaWAFReputationListsParserEventsRule/Properties/Targets/0/Input/Fn::Join/1/8/Ref/WAFReputationListsSet1
aws-waf-security-automations-alb.template:914:7

W3005 Obsolete DependsOn on resource (WAFReputationListsSet2), dependency already enforced by a "Ref" at Resources/LambdaWAFReputationListsParserEventsRule/Properties/Targets/0/Input/Fn::Join/1/11/Ref/WAFReputationListsSet2
aws-waf-security-automations-alb.template:914:7

W3005 Obsolete DependsOn on resource (LambdaWAFReputationListsParserFunction), dependency already enforced by a "Ref" at Resources/LambdaInvokePermissionReputationListsParser/Properties/FunctionName/Ref/LambdaWAFReputationListsParserFunction
aws-waf-security-automations-alb.template:954:7

W3005 Obsolete DependsOn on resource (LambdaWAFReputationListsParserEventsRule), dependency already enforced by a "Fn:GetAtt" at Resources/LambdaInvokePermissionReputationListsParser/Properties/SourceArn/Fn::GetAtt/['LambdaWAFReputationListsParserEventsRule', 'Arn']
aws-waf-security-automations-alb.template:954:7

W3005 Obsolete DependsOn on resource (LambdaRoleBadBot), dependency already enforced by a "Fn:GetAtt" at Resources/LambdaWAFBadBotParserFunction/Properties/Role/Fn::GetAtt/['LambdaRoleBadBot', 'Arn']
aws-waf-security-automations-alb.template:1075:7

E3012 Property Resources/LambdaWAFBadBotParserFunction/Properties/MemorySize should be of type Integer
aws-waf-security-automations-alb.template:1110:9

E3012 Property Resources/LambdaWAFBadBotParserFunction/Properties/Timeout should be of type Integer
aws-waf-security-automations-alb.template:1111:9

W3005 Obsolete DependsOn on resource (LambdaWAFBadBotParserFunction), dependency already enforced by a "Fn:GetAtt" at Resources/LambdaInvokePermissionBadBot/Properties/FunctionName/Fn::GetAtt/['LambdaWAFBadBotParserFunction', 'Arn']
aws-waf-security-automations-alb.template:1117:7

W3005 Obsolete DependsOn on resource (LambdaWAFBadBotParserFunction), dependency already enforced by a "Fn:GetAtt" at Resources/ApiGatewayBadBotMethodRoot/Properties/Integration/Uri/Fn::Join/1/3/Fn::GetAtt/['LambdaWAFBadBotParserFunction', 'Arn']
aws-waf-security-automations-alb.template:1150:7

W3005 Obsolete DependsOn on resource (ApiGatewayBadBot), dependency already enforced by a "Ref" at Resources/ApiGatewayBadBotMethodRoot/Properties/RestApiId/Ref/ApiGatewayBadBot
aws-waf-security-automations-alb.template:1150:7

W3005 Obsolete DependsOn on resource (ApiGatewayBadBot), dependency already enforced by a "Fn:GetAtt" at Resources/ApiGatewayBadBotMethodRoot/Properties/ResourceId/Fn::GetAtt/['ApiGatewayBadBot', 'RootResourceId']
aws-waf-security-automations-alb.template:1150:7

W3005 Obsolete DependsOn on resource (LambdaWAFBadBotParserFunction), dependency already enforced by a "Fn:GetAtt" at Resources/ApiGatewayBadBotMethod/Properties/Integration/Uri/Fn::Join/1/3/Fn::GetAtt/['LambdaWAFBadBotParserFunction', 'Arn']
aws-waf-security-automations-alb.template:1183:7

W3005 Obsolete DependsOn on resource (ApiGatewayBadBot), dependency already enforced by a "Ref" at Resources/ApiGatewayBadBotMethod/Properties/RestApiId/Ref/ApiGatewayBadBot
aws-waf-security-automations-alb.template:1183:7

W3005 Obsolete DependsOn on resource (ApiGatewayBadBotDeployment), dependency already enforced by a "Ref" at Resources/ApiGatewayBadBotStage/Properties/DeploymentId/Ref/ApiGatewayBadBotDeployment
aws-waf-security-automations-alb.template:1228:7

W3005 Obsolete DependsOn on resource (WAFWebACL), dependency already enforced by a "Ref" at Resources/LambdaRoleCustomResource/Properties/Policies/2/PolicyDocument/Statement/0/Resource/Fn::Join/1/5/Ref/WAFWebACL
aws-waf-security-automations-alb.template:1243:7

W3005 Obsolete DependsOn on resource (LambdaRoleCustomResource), dependency already enforced by a "Fn:GetAtt" at Resources/LambdaWAFCustomResourceFunction/Properties/Role/Fn::GetAtt/['LambdaRoleCustomResource', 'Arn']
aws-waf-security-automations-alb.template:1440:7

E3012 Property Resources/LambdaWAFCustomResourceFunction/Properties/MemorySize should be of type Integer
aws-waf-security-automations-alb.template:1458:9

E3012 Property Resources/LambdaWAFCustomResourceFunction/Properties/Timeout should be of type Integer
aws-waf-security-automations-alb.template:1459:9

W3005 Obsolete DependsOn on resource (LambdaWAFCustomResourceFunction), dependency already enforced by a "Fn:GetAtt" at Resources/WafWebAclRuleControler/Properties/ServiceToken/Fn::GetAtt/['LambdaWAFCustomResourceFunction', 'Arn']
aws-waf-security-automations-alb.template:1465:7

W3005 Obsolete DependsOn on resource (WAFWebACL), dependency already enforced by a "Ref" at Resources/WafWebAclRuleControler/Properties/WAFWebACL/Ref/WAFWebACL
aws-waf-security-automations-alb.template:1465:7

W3005 Obsolete DependsOn on resource (SolutionHelperRole), dependency already enforced by a "Fn:GetAtt" at Resources/SolutionHelper/Properties/Role/Fn::GetAtt/['SolutionHelperRole', 'Arn']
aws-waf-security-automations-alb.template:1665:7

E3012 Property Resources/SolutionHelper/Properties/Timeout should be of type Integer
aws-waf-security-automations-alb.template:1688:9

W3005 Obsolete DependsOn on resource (SolutionHelper), dependency already enforced by a "Fn:GetAtt" at Resources/CreateUniqueID/Properties/ServiceToken/Fn::GetAtt/['SolutionHelper', 'Arn']
aws-waf-security-automations-alb.template:1693:7

Automated Deployment of WAF in eu-central-1 (Frankfurt) is always failing with failure to create Custom::WafWebAclRuleControler. It works in US East (N. Virginia) us-east-1.

Automated Deployment of WAF in eu-central-1 (Frankfurt) is always failing with failure to create Custom::WafWebAclRuleControler. It works in us-east-1 (N. Virginia) though.

If I try to use an S3 bucket in us-east-1 which is created by Cloudformation deployment then I can't use this bucket for my ALB in eu-central-1 region, so I can't use this solution #3 (comment)

If I create a bucket in the eu-central-1 region myself (or auto create with ALB) then the CloudFormation deployment is failing with the same Custom::WafWebAclRuleControler error.

The Cloudformation stack is unique & short enough (less than 25 symbols) awswafwx975251 according to recommendation #3 (comment)

The name of the S3 bucket for logs is also unique & short enough (less than 25 symbols) prodapplbwx975251

ALB scan/probe parser looking at wrong response code

It looks like the scan/probe parser is looking at field 8 which is elb_status_code instead of 9 which is target_status_code
https://github.com/awslabs/aws-waf-security-automations/blob/master/source/log-parser/log-parser.py#L47

We had a situation where the HTTP Flood rule kicked in and blocked an IP, so all of the ALB logs elb_status_code were 403 and target_status_code was "-". It appears the scan/probe parser then read those ALB 403s as bad requests and also kicked in blocking that IP.

I think it should only look at target_status_code for 4xx

HTTP Flood Protection not required to be at least 2000 requests (per 5 minutes)?

First of all, thank you so much for this package. I have been in a nearly decade-long cat and mouse game with brute forcers/etc. on pages that require client access and cannot be simply IP gated. This package is much appreciated.

I seem to be able to put any value into this field (unlike the Rate-Limit WAF rules which will not allow a value lower than 2000 to be submitted). Is there a reason why the minimum has to be 2000 and issues will arise if set any lower?

In the CloudFormation template it has:
"RequestThreshold": {
    "Type": "Number",
    "Default": "2000",
    "MinValue": "2000",
    "Description": "If you chose yes for the Activate HTTP Flood Protection parameter, enter the maximum acceptable requests per FIVE-minute period per IP address. Minimum value of 2000. If you chose to deactivate this protection, ignore this parameter."
},

https://docs.aws.amazon.com/solutions/latest/aws-waf-security-automations/deployment.html
"The minimum acceptable value is 2000."

stack design issues

The rules' metric names (MetricName) are not unique. When multiple stacks are used, metrics become unusable. Multiple stacks are necessary for CI/CD but also required sometimes because of the way flood protection works. Lambda code also references these hard-coded metric names.

There is a similar problem with the bucket event. When trying to do an A/B deployment of the WebACL, the bucket configuration will fail for the new stack because the id is not unique. The S3 trigger configuration id is hard-coded to "Call Log Parser". It should be prefixed with the stack name or some other unique identifier.

Almost everyone needs to customize the stack but while it is an excellent starting point there are many things to fix and this makes it really hard to merge changes. It is an excellent first incarnation but will require a redesign at some point to make it easier to customize and update.

Deleting stack fails

Deleting the waf stack fails with WAFReputationListsSet1 | Operation would result in exceeding resource limits

If I understand the problem correctly, it is the AWS management API limit, which is account wide and cannot be increased.
From AWS support (from a similar case we had):

These actions have limits below 20 requests per second, and this limit is account wide. This is, even if this specific deployment made 41 calls to delete function over a few seconds, other control plane operations on the account would have contributed to this limit and reduce the effective limit further as far as the deployment action is concerned.

For that case we were told to modify our Lambda code to "delete resources more slowly". While I don't like the solution, it seems to be the only solution at the moment, so lambda code that deletes aws-waf-security-automations resources must be modified to delete "more slowly" (you can hear the sarcasm behind the quotes? :-)), otherwise it is bound to fail in busy accounts.

ps: I can't praise enough the aws-waf-security-automations stack. The problem is not with the stack itself.

Eric

Suggestion: Parameterize bucket name, include yaml files

To simplify deployment, I suggest configuring the Bucket Name as a parameter instead of generating new templates. I've a pull request with the updates. Also added yaml files & a generator script for those that prefer yaml.

AWSWAFSecurityAutomations-LambdaWAFReputationLists rule input does not allow additions due to length constraint

The error "There was an error while saving rule AWSWAFSecurityAutomations-LambdaWAFReputationLists-BPSIVMXJZJP6.
Details: 1 validation error detected: Value 'AWSEvents_AWSWAFSecurityAutomations-LambdaWAFReputationLists-BPSIVMXJZJP6_LambdaWAFReputationListsParserFunction' at 'statementId' failed to satisfy constraint: Member must have length less than or equal to 100." is received when attempting to add another URL, such as {"url":"https://reputation.alienvault.com/reputation.generic"}
to the lambda function's Constant JSON text field.

Suggested fix is to have CloudFormation store the contents of this input in an S3 bucket, then have the lambda function get the JSON text from S3, which will enable users to add more lists.

Anonymous usage not sent to Amazon

Anonymous usage data is sent to awssolutionsbuilder.com according to
https://github.com/awslabs/aws-waf-security-automations/blob/beca5eb31b55dcba291b5ad1a91a0ba687292402/source/custom-resource/custom-resource.py#L423

This field is described as "Send anonymous data to AWS to help us understand solution usage across our customer base as a whole" according to https://github.com/awslabs/aws-waf-security-automations/blob/beca5eb31b55dcba291b5ad1a91a0ba687292402/deployment/aws-waf-security-automations-alb.template#L113

This data is not being sent to AWS, but instead is being sent to some third-party vendor, which you may not trust, even if the data is anonymous. Given that this project is hosted in the awslabs account, this affiliation with a third-party vendor is uncomfortable. I believe this usage reporting should be removed completely.

Newly provisioned CF Template returns - An error occurred (403) when calling the HeadObject operation: Forbidden

I just provisioned the CloudFormation stack using the template (https://s3.amazonaws.com/solutions-reference/aws-waf-security-automations/latest/aws-waf-security-automations.template)

I let the template create a test S3 bucket and uploaded one of our CloudFront logs to test the LambdaWAFLogParserFunction.

When the lambda executes it throws an error
An error occurred (403) when calling the HeadObject operation: Forbidden
when trying to execute
response = s3.head_object(Bucket=environ['OUTPUT_BUCKET'], Key=OUTPUT_FILE_NAME)

The file aws-waf-security-automations-current-blocked-ips.json does not exist in the bucket as it was never created and the lambda does not take this into account.

This leaves 2 options.

  1. try to determine the format of the file and manually create one.
  2. have the lambda create a shell file if it does not exist (or just work around it and create the file when data is to be added)

Anyone have a shell (basic format with needed fields) file laying about they care to share to save me from digging in the script and creating one?

Thanks

Support for WAF Regional

It'd be frighteningly useful if there were corresponding zips for supporting waf regional for elbv2 please, rather than modifying/s3'ing/rolling my own :)

Corcoran

strange Physical ID for WafWebAclRuleControler

Hello,

As I see, the Physical IDs in Resources for WAF are like
xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx.
But for the WafWebAclRuleControler the Physical ID is:
2017/05/23/[$LATEST]xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
So is the log name.

I didn't find in the console nor in the code why; it doesn't seem to perturb the system, but I haven't tried it in prod for now.

TypeError: can't subtract offset-naive and offset-aware datetimes

https://github.com/awslabs/aws-waf-security-automations/blob/beca5eb31b55dcba291b5ad1a91a0ba687292402/source/log-parser/log-parser.py#L185

This code for me resulted in the error in the subject. I'm not much of a python person, but I reproduced the problem locally and fixed it by assigning prev_updated_at a value with the same tzinfo as response['LastModified'], which comes from the head_object request for the aws-waf-security-automations-current-blocked-ips.json file.

Here was my fix, inserted after line 185:

prev_updated_at = prev_updated_at.replace(tzinfo=response['LastModified'].tzinfo)

The result of the error was that the merge list was computed improperly and I only ever had one blocked IP in my WAF rule.
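As an added illustration of the failure mode described above (not code from the project): the timestamp stored in the blocked-IPs JSON file is parsed as a naive datetime, S3's LastModified is timezone-aware, and the merge must normalise the two before subtracting or the whole block-list merge aborts. The JSON timestamp format and the 240-minute block period are assumptions of this example.

```python
from datetime import datetime, timedelta, timezone

# Timestamp format assumed for entries in the current-blocked-ips JSON file.
STAMP_FORMAT = "%Y-%m-%dT%H:%M:%S"
# Assumed BLACKLIST_BLOCK_PERIOD of 240 minutes.
BLOCK_PERIOD = timedelta(minutes=240)


def as_aware(dt, reference):
    """Attach the tzinfo of `reference` to a naive datetime; aware values pass through.

    S3 HeadObject returns LastModified as an aware UTC datetime, while strptime()
    on a stored "YYYY-MM-DDTHH:MM:SS" string yields a naive one; subtracting the
    two raises TypeError unless both carry tzinfo.
    """
    if dt.tzinfo is None:
        return dt.replace(tzinfo=reference.tzinfo)
    return dt


def merge_block_lists(previous, new_offenders, last_modified, now):
    """Merge the stored block list with newly detected offenders.

    previous: {cidr: stamp_string} read from the JSON file (naive timestamps)
    new_offenders: iterable of CIDRs found in the latest log batch
    last_modified / now: aware datetimes (S3 LastModified and the current time)
    Returns {cidr: aware blocked_at}, keeping unexpired entries and restarting
    the clock for repeat offenders.
    """
    merged = {}
    for cidr, stamp in previous.items():
        blocked_at = as_aware(datetime.strptime(stamp, STAMP_FORMAT), last_modified)
        if now - blocked_at < BLOCK_PERIOD:
            merged[cidr] = blocked_at
    for cidr in new_offenders:
        merged[cidr] = now
    return merged


def naive_and_aware_mix_fails():
    """Reproduce the original bug: subtracting naive from aware raises TypeError."""
    aware = datetime(2018, 9, 1, 12, 0, tzinfo=timezone.utc)
    naive = datetime(2018, 9, 1, 11, 0)
    try:
        aware - naive
    except TypeError:
        return True
    return False


# Constructed sample: contents of the stored file plus one new offender.
LAST_MODIFIED = datetime(2018, 9, 1, 12, 0, tzinfo=timezone.utc)
NOW = LAST_MODIFIED + timedelta(hours=1)
PREVIOUS = {
    "203.0.113.10/32": "2018-09-01T11:30:00",  # 1.5 h old, still blocked
    "198.51.100.7/32": "2018-09-01T06:00:00",  # 7 h old, expired
}

if __name__ == "__main__":
    print(sorted(merge_block_lists(PREVIOUS, ["2001:db8::1/128"], LAST_MODIFIED, NOW)))
```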

Running the script through cloudformation stack fails to create the Custom::WafWebAclRuleControler

I am using this as a starting point. I have made very few changes; however, I am attempting to build this through a CloudFormation script to run automatically. When it gets to the point of creating Custom::WafWebAclRuleControler, it fails. When reviewing the CloudWatch logs it indicates the DescribeStacks call is getting access denied. When I run the same modified script under: https://console.aws.amazon.com/cloudformation/home?region=us-east-1#/stacks/new?stackName=AWSWAFSecurityAutomations&templateURL=https:%2F%2Fs3.amazonaws.com%2Fsolutions-reference%2Faws-waf-security-automations%2Flatest%2Faws-waf-security-automations.template and point it towards my S3 bucket, it will run. I am trying to pinpoint why it is failing here.


Any direction on this would be great!

Thank you,

Jay

IPV6 support in log_parser

Ref: #23 - Not addressed in log_parser code. Resulting in tons of CloudTrail errors as the lambda is trying to add IPV6/32 instead of IPV6/128

"errorMessage": "Update failed, invalid CIDR block: cannot parse IPV6/32 as a CIDR"

Thanks
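The three log-parser issues above (the hard-coded BLOCK_ERROR_CODES list, the ALB parser reading elb_status_code instead of target_status_code, and IPv6 addresses being written as /32) share one loop, so here is one added example covering all three. It is not the project's code: the BLOCK_ERROR_CODES environment variable, the helper names and the ALB log lines are constructed for this illustration.

```python
import ipaddress
import os
import re
from collections import Counter

# ALB access log fields are space separated; 0-based positions of the ones used:
# 3 client:port, 8 elb_status_code, 9 target_status_code (the quoted request
# comes later, so splitting on spaces is safe for these leading fields).
CLIENT_PORT = 3
ELB_STATUS_CODE = 8
TARGET_STATUS_CODE = 9

# Default reproduces the parser's hard-coded list ['400','403','404','405'];
# BLOCK_ERROR_CODES (assumed variable name) may override it with a regex.
DEFAULT_BLOCK_ERROR_CODES = r"^(400|403|404|405)$"


def block_error_code_pattern(env=None):
    """Compile the status-code matcher, from the environment unless a dict is given."""
    env = os.environ if env is None else env
    return re.compile(env.get("BLOCK_ERROR_CODES", DEFAULT_BLOCK_ERROR_CODES))


def client_cidr(client_port):
    """Turn the ALB 'client:port' field into a host CIDR: /32 for IPv4, /128 for IPv6."""
    host = client_port.rsplit(":", 1)[0].strip("[]")
    ip = ipaddress.ip_address(host)
    return f"{ip}/{ip.max_prefixlen}"


def error_counts(log_lines, pattern):
    """Count matching target errors per client CIDR.

    Only target_status_code is inspected. A target code of "-" means the ELB
    answered the request itself (for example a WAF block returning 403), so it
    is skipped instead of being counted as a bad request from that client.
    """
    counts = Counter()
    for line in log_lines:
        fields = line.split(" ")
        if len(fields) <= TARGET_STATUS_CODE:
            continue  # truncated or malformed line
        target_status = fields[TARGET_STATUS_CODE]
        if target_status == "-":
            continue
        if pattern.match(target_status):
            counts[client_cidr(fields[CLIENT_PORT])] += 1
    return counts


def outstanding_requesters(log_lines, error_threshold, env=None):
    """Return the client CIDRs whose matching-error count reached the threshold."""
    counts = error_counts(log_lines, block_error_code_pattern(env))
    return sorted(cidr for cidr, n in counts.items() if n >= error_threshold)


def _alb_line(client, elb_code, target_code, path):
    # Constructed ALB access log line; only the leading fields are realistic.
    return (f"http 2018-09-01T00:00:01.000Z app/test-alb/abc123 {client} 10.0.1.5:80 "
            f"0.000 0.001 0.000 {elb_code} {target_code} 100 200 "
            f'"GET http://example.test:80{path} HTTP/1.1" "Mozilla/5.0" - -')


# Constructed sample: a scanner probing WordPress paths, a client already blocked
# by the HTTP Flood rule (ELB 403, no target response), and an IPv6 client.
SAMPLE_LOG = [
    _alb_line("203.0.113.10:51234", 404, 404, "/wp-login.php"),
    _alb_line("203.0.113.10:51235", 404, 404, "/xmlrpc.php"),
    _alb_line("203.0.113.10:51236", 401, 401, "/api/login"),
    _alb_line("203.0.113.10:51237", 200, 200, "/"),
    _alb_line("198.51.100.7:40000", 403, "-", "/"),
    _alb_line("2001:db8::1:40001", 403, 403, "/admin"),
]

if __name__ == "__main__":
    print(outstanding_requesters(SAMPLE_LOG, error_threshold=2))
    print(outstanding_requesters(SAMPLE_LOG, 3, env={"BLOCK_ERROR_CODES": r"^(40[01345])$"}))
```

With the default list the 401 login failures are invisible; the second call shows the same batch with a regex that includes 401, which is what the "Make BLOCK_ERROR_CODES configurable" request asks for.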

Template and log-parser.py is missing REQUEST_PER_MINUTE_LIMIT env var.

log-parser.py lambda function requires the Env variable REQUEST_PER_MINUTE_LIMIT to function correctly.

The LambdaWAFLogParserFunction within aws-waf-security-automations.template is missing the REQUEST_PER_MINUTE_LIMIT ENV variable.

      Environment:
        Variables:
          OUTPUT_BUCKET: !Ref AccessLogBucket
          IP_SET_ID_BLACKLIST: !If [AlbEndpoint, !GetAtt AlbStack.Outputs.WAFBlacklistSet, !GetAtt CloudFrontStack.Outputs.WAFBlacklistSet]
          IP_SET_ID_AUTO_BLOCK: !If [AlbEndpoint, !GetAtt AlbStack.Outputs.WAFScannersProbesSet, !GetAtt CloudFrontStack.Outputs.WAFScannersProbesSet]
          BLACKLIST_BLOCK_PERIOD: !Ref WAFBlockPeriod
          ERROR_PER_MINUTE_LIMIT: !Ref ErrorThreshold
          SEND_ANONYMOUS_USAGE_DATA: !FindInMap ["Solution", "Data", "SendAnonymousUsageData"]
          UUID: !GetAtt CreateUniqueID.UUID
          LIMIT_IP_ADDRESS_RANGES_PER_IP_MATCH_CONDITION: '10000'
          MAX_AGE_TO_UPDATE: '30'
          REGION: !Ref 'AWS::Region'
          LOG_TYPE: !If [AlbEndpoint, 'alb', 'cloudfront']
          METRIC_NAME_PREFIX: !Join ['', !Split ['-', !Ref 'AWS::StackName']]
          LOG_LEVEL: !FindInMap ["Solution", "Data", "LogLevel"]
          STACK_NAME: !Ref 'AWS::StackName'

Also the aws-waf-security-automations.template is missing a parameter to set the REQUEST_PER_MINUTE_LIMIT for the LambdaWAFLogParserFunction.

Template format error for us-west-1, us-east-2

Hi, I am getting a:

Creating CloudFormation stack failed: ValidationError: Template format error: Unrecognized resource types: [AWS::WAFRegional::IPSet, AWS::WAFRegional::WebACL, AWS::WAFRegional::Rule, AWS::WAFRegional::XssMatchSet, AWS::WAFRegional::SqlInjectionMatchSet]

with the ALB template. Any idea?

Issue with S3 bucket location constraint

There's an issue with setting the S3 client region in the custom-resource.py file when using older buckets in eu-west-1 region.

https://github.com/awslabs/aws-waf-security-automations/blob/master/source/custom-resource/custom-resource.py

We need to change this:

if response['LocationConstraint'] == None:
    response['LocationConstraint'] = 'us-east-1'
if response['LocationConstraint'] != region:
    raise Exception('Bucket located in a different region. S3 bucket and Log Parser Lambda (and therefore, you CloudFormation Stack) must be created in the same Region.')

To

if response['LocationConstraint'] == None:
    response['LocationConstraint'] = 'us-east-1'
if response['LocationConstraint'] == 'EU':
    response['LocationConstraint'] = 'eu-west-1'
if response['LocationConstraint'] != region:
    raise Exception('Bucket located in a different region. S3 bucket and Log Parser Lambda (and therefore, you CloudFormation Stack) must be created in the same Region.')

see the S3 region constraints located here: https://docs.aws.amazon.com/general/latest/gr/rande.html#s3_region
eu-west-1 is a special case which can return either eu-west-1 or EU as a location constraint.

Different region

How do I choose the region for the ACL and rules, right now it uses cloudfront (global) but I need to use it on ALB in us-east.

CloudFormation fails -ap-southeast-2

Hi, I'm trying to deploy this WAF template into Asia Pacific (Sydney). I have an S3 bucket which I'm trying to reference, also located in Sydney.

I keep getting this error each time I try to create it. I have tried a few combinations of different bucket names along with leaving the ALB Access Log Bucket Name blank:

23:38:47 UTC+0800 CREATE_FAILED AWS::Lambda::Function LambdaWAFLogParserFunction 1 validation error detected: Value '%%BUCKET_NAME%%-ap-southeast-2' at 'code.s3Bucket' failed to satisfy constraint: Member must satisfy regular expression pattern: ^[0-9A-Za-z.-_]*(?<!.)$ (Service: AWSLambda; Status Code: 400; Error Code: ValidationException; Request ID: 455c7f61-b834-11e8-8b0f-ed15de923720)

Changing CrossSiteScriptingProtectionParam to "no" does not delete XSS rule

If the existing stack has CrossSiteScriptingProtectionParam set to "yes", changing it to "no" and updating the stack results in an error:

DELETE_FAILED | AWS::CloudFormation::ManagedCustomResource | WAFXssRule | This entity is still referenced by other entities. (Service: AWSWAFRegional; Status Code: 400; Error Code: WAFReferencedItemException; Request ID: eb82f55e-e65b-11e7-852c-f5cacd8acf32)

However the stack ends in an UPDATE_COMPLETE state with reason "Update successful. One or more resources could not be deleted." and the XSS rule is still enabled in the WebACL and must be manually removed.

Webinar/office-hours about this implementation

Hi, I've been making use of this template to setup WAF for our project and It's been super helpful.
I still have many questions and would love to learn more about how the whole app is setup.

I also saw that this solution is part of newly released https://aws.amazon.com/solutions/

So I was wondering , if there's plans for any office hours like some other AWS services have? Or a Webinar where we can ask questions etc.

log parser fails when blocked ip file doesn't exist

When the S3 bucket does not have an aws-waf-security-automations-current-blocked-ips.json file, log-parser.py fails with:

[merge_current_blocked_requesters] Error merging data
An error occurred (403) when calling the HeadObject operation: Forbidden

Lambda errors (false positive)

The experience is positive so far but a lot of time is lost investigating false errors. For example the first Lambda error I noticed in CW logs was An error occurred (403) when calling the HeadObject operation: Forbidden but this is simply because there is no file named aws-waf-security-automations-current-blocked-ips.json in the bucket. Then I started seeing errors like [send_anonymous_usage_data] Error to get Num Allowed Requests, etc.

This is just caused by code using errors as expected code behavior and reporting them as true errors. This is an excellent package but the error handling should be improved to provide a better experience. Hunting ghosts because you see lots of errors and don't know which can be ignored is not fun.

Suggestion: add notification

I am interested to add notifications when changes are made to the Auto-Block list. I can do it by editing the code and adding optional support for SNS notifications or I can try using CW Events to call yet another Lambda function to filter events I am interested in and then use SNS.

Solution #1 is easiest but makes it harder to deploy updates of the waf-automation code
Solution #2 is decoupled but requires more work and a second CF template is needed for deployment

Is there a third solution I have not thought of? Or can #1 be added as an option to the waf-automation code? It seems a natural fit to me

Stack continously fails to create

Got this error:

An error occurred (InvalidArgument) when calling the PutBucketNotificationConfiguration operation: Configuration is ambiguously defined. Cannot have overlapping suffixes in two rules if the prefixes are overlapping for the same event type.

Have no clue what this means but I think it's not able to create the S3 events on that bucket. The bucket already exists. This CFN template has an input parameter for a bucket on S3 for ALB logging - I give that but this thing doesn't work.
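The "Configuration is ambiguously defined" error above is S3 rejecting a notification configuration in which two rules for overlapping event types have both overlapping prefixes and overlapping suffixes (an empty prefix or suffix overlaps everything), which is what happens when a trigger is added to a bucket that already has one on the same keys. The following is an added example, not code from the aws-waf-security-automations project: a pre-flight check in the shape of boto3's get/put_bucket_notification_configuration payloads that reports the conflicting pairs before PutBucketNotificationConfiguration is called. The ARNs and key filters are constructed sample values.

```python
"""Detect ambiguous S3 event notification rules before calling
PutBucketNotificationConfiguration.

Added example, not code from the aws-waf-security-automations project.
The configuration shape follows boto3's get/put_bucket_notification_configuration;
ARNs and key filters below are constructed sample values.
"""
from itertools import combinations

# The three notification target lists S3 supports, and the key naming the target.
TARGET_LISTS = {
    "LambdaFunctionConfigurations": "LambdaFunctionArn",
    "QueueConfigurations": "QueueArn",
    "TopicConfigurations": "TopicArn",
}


def _filter_rules(config):
    """Return (prefix, suffix) for one notification configuration entry."""
    prefix, suffix = "", ""
    for rule in config.get("Filter", {}).get("Key", {}).get("FilterRules", []):
        name = rule.get("Name", "").lower()
        if name == "prefix":
            prefix = rule.get("Value", "")
        elif name == "suffix":
            suffix = rule.get("Value", "")
    return prefix, suffix


def _events_overlap(a, b):
    """s3:ObjectCreated:* overlaps every s3:ObjectCreated:<op> event, and itself."""
    if a == b:
        return True
    for wild, other in ((a, b), (b, a)):
        if wild.endswith(":*") and other.startswith(wild[:-1]):
            return True
    return False


def _prefixes_overlap(a, b):
    # One prefix being a prefix of the other (including "") means both can match a key.
    return a.startswith(b) or b.startswith(a)


def _suffixes_overlap(a, b):
    return a.endswith(b) or b.endswith(a)


def find_ambiguous_rules(notification_config):
    """Return a list of (target_a, target_b, event_a, event_b) conflicts.

    An empty list means S3 should accept the configuration as unambiguous.
    """
    entries = []
    for list_name, arn_key in TARGET_LISTS.items():
        for cfg in notification_config.get(list_name, []):
            prefix, suffix = _filter_rules(cfg)
            for event in cfg.get("Events", []):
                entries.append((cfg.get(arn_key, "?"), event, prefix, suffix))

    conflicts = []
    for (tgt_a, ev_a, pre_a, suf_a), (tgt_b, ev_b, pre_b, suf_b) in combinations(entries, 2):
        if (_events_overlap(ev_a, ev_b)
                and _prefixes_overlap(pre_a, pre_b)
                and _suffixes_overlap(suf_a, suf_b)):
            conflicts.append((tgt_a, tgt_b, ev_a, ev_b))
    return conflicts


# Constructed sample: an existing Lambda trigger on the ALB log prefix plus a second
# trigger on the whole bucket, the combination that produces the error in the issue.
SAMPLE_CONFIG = {
    "LambdaFunctionConfigurations": [
        {
            "LambdaFunctionArn": "arn:aws:lambda:us-east-1:123456789012:function:existing-parser",
            "Events": ["s3:ObjectCreated:*"],
            "Filter": {"Key": {"FilterRules": [
                {"Name": "prefix", "Value": "AWSLogs/"},
                {"Name": "suffix", "Value": ".gz"},
            ]}},
        },
        {
            "LambdaFunctionArn": "arn:aws:lambda:us-east-1:123456789012:function:LambdaWAFLogParserFunction",
            "Events": ["s3:ObjectCreated:Put"],
        },
    ]
}

if __name__ == "__main__":
    for conflict in find_ambiguous_rules(SAMPLE_CONFIG):
        print("ambiguous:", conflict)
```

In practice the check runs on the merge of the bucket's existing configuration (boto3 get_bucket_notification_configuration) and the rule the stack wants to add; any conflict it reports is exactly the pair S3 would refuse.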

No such file or directory

Hello

I have tried running your script but I get the error below

$ ./build-s3-dist.sh thientran.logs
rm -rf dist
mkdir -p dist
Staring to build distribution
------------------------------------------------------------------------------
Updating Templates
------------------------------------------------------------------------------
cp -f aws-waf-security-automations.template dist
cp -f aws-waf-security-automations-alb.template dist
Updating code source bucket in template with thientran.logs
sed -i '' -e s/%%BUCKET_NAME%%/thientran.logs/g dist/aws-waf-security-automations.template
sed: can't read : No such file or directory
sed -i '' -e s/%%BUCKET_NAME%%/thientran.logs/g dist/aws-waf-security-automations-alb.template
sed: can't read : No such file or directory
------------------------------------------------------------------------------
[Packing] Log Parser
------------------------------------------------------------------------------

------------------------------------------------------------------------------
[Packing] Access Handler
------------------------------------------------------------------------------

------------------------------------------------------------------------------
[Packing] IP Lists Parser
------------------------------------------------------------------------------

------------------------------------------------------------------------------
[Packing] Custom Resource
------------------------------------------------------------------------------
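The `sed: can't read : No such file or directory` lines above show why the distribution is built with the placeholder still in place: `sed -i ''` is the BSD/macOS form, and GNU sed reads the empty `''` argument as an input file name, so no substitution happens and the template ships with `%%BUCKET_NAME%%` intact, which is the `'%%BUCKET_NAME%%-ap-southeast-2'` value Lambda rejected in the ap-southeast-2 report earlier on this page. The following is an added example, not part of the project's build-s3-dist.sh: a Python substitution step that refuses to emit a template while any `%%NAME%%` token remains. The template fragment and bucket name are constructed samples.

```python
"""Fail-fast template placeholder substitution for the build step.

Added example, not part of the aws-waf-security-automations build script.
The template fragment and bucket name below are constructed samples.
"""
import re

# Tokens look like %%BUCKET_NAME%%: upper-case name between double percent signs.
PLACEHOLDER = re.compile(r"%%([A-Z0-9_]+)%%")


class UnreplacedPlaceholder(ValueError):
    """Raised when a template still contains %%NAME%% tokens after rendering."""


def unreplaced_placeholders(text):
    """Return the sorted, de-duplicated placeholder names still present in text."""
    return sorted({m.group(1) for m in PLACEHOLDER.finditer(text)})


def is_shippable(text):
    """True when the text contains no placeholder tokens at all."""
    return not unreplaced_placeholders(text)


def render_template(text, values):
    """Substitute every %%NAME%% with values[NAME]; raise if any NAME has no value."""
    missing = sorted(set(unreplaced_placeholders(text)) - set(values))
    if missing:
        raise UnreplacedPlaceholder("no value for: " + ", ".join(missing))
    rendered = PLACEHOLDER.sub(lambda m: values[m.group(1)], text)
    # A substituted value could itself carry a token; never ship one.
    leftover = unreplaced_placeholders(rendered)
    if leftover:
        raise UnreplacedPlaceholder("value re-introduced: " + ", ".join(leftover))
    return rendered


def render_file(src_path, dst_path, values):
    """Render src_path into dst_path; returns the number of substitutions made."""
    with open(src_path, encoding="utf-8") as fh:
        text = fh.read()
    rendered = render_template(text, values)
    with open(dst_path, "w", encoding="utf-8") as fh:
        fh.write(rendered)
    return len(PLACEHOLDER.findall(text))


# Constructed fragment in the shape of the Lambda resource the validation error names.
SAMPLE_TEMPLATE = """\
LambdaWAFLogParserFunction:
  Type: AWS::Lambda::Function
  Properties:
    Code:
      S3Bucket: !Join ['-', ['%%BUCKET_NAME%%', !Ref 'AWS::Region']]
      S3Key: log-parser.zip
"""

if __name__ == "__main__":
    print(render_template(SAMPLE_TEMPLATE, {"BUCKET_NAME": "example-solutions"}))
```

Used in place of the two sed invocations, a missing or misspelled substitution aborts the build locally instead of surfacing as a CloudFormation CREATE_FAILED on the Lambda resource.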

Error on merging current blocked requesters

Hello, using WAF Regional stack for a few days, and found this on LambdaWAFLogParserFunction log:

[merge_current_blocked_requesters]   Calculate Last Update Age
[merge_current_blocked_requesters]   Download current blocked IPs
[merge_current_blocked_requesters]   Expire Block IP rules
[merge_current_blocked_requesters]   Error merging 140.119.169.126 rule
can't subtract offset-naive and offset-aware datetimes
[merge_current_blocked_requesters] End
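The `can't subtract offset-naive and offset-aware datetimes` line above is Python refusing to mix a timezone-aware value (boto3 returns an S3 object's LastModified as aware UTC) with a naive one (datetime.now() or datetime.utcnow()). As an added example, not code from the log-parser Lambda, the block below reproduces the failure and shows an age calculation that normalises both operands to aware UTC before subtracting, so block entries with or without an explicit offset expire correctly. The block list, timestamps and TEST-NET addresses are constructed sample data.

```python
"""Timezone-safe age checks for an expire-blocked-IPs step.

Added example, not code from the log-parser Lambda. The block list, its
timestamps and the addresses are constructed sample data.
"""
from datetime import datetime, timezone


def naive_minus_aware_fails():
    """Reproduce the failure mode: True if mixing naive and aware raises TypeError."""
    try:
        datetime.now() - datetime.now(timezone.utc)
    except TypeError:
        return True
    return False


def as_utc(moment):
    """Return an aware UTC datetime; naive values are assumed to already be UTC."""
    if moment.tzinfo is None:
        return moment.replace(tzinfo=timezone.utc)
    return moment.astimezone(timezone.utc)


def last_update_age_minutes(last_modified, now=None):
    """Whole minutes between last_modified (e.g. S3 LastModified) and now."""
    now = datetime.now(timezone.utc) if now is None else as_utc(now)
    return int((now - as_utc(last_modified)).total_seconds() // 60)


def expired_blocks(blocked, now, block_period_minutes):
    """IPs whose block timestamp is at least block_period_minutes old.

    blocked maps IP -> ISO-8601 timestamp; entries may be naive (treated as
    UTC) or carry an explicit offset, the mix that trips a naive subtraction.
    """
    expired = []
    for ip, stamp in blocked.items():
        created = datetime.fromisoformat(stamp)
        if last_update_age_minutes(created, now) >= block_period_minutes:
            expired.append(ip)
    return expired


# Constructed sample block list (TEST-NET addresses) and a fixed "now".
SAMPLE_BLOCKED = {
    "203.0.113.7": "2018-12-01T10:00:00+00:00",   # aware UTC, 2 h old
    "198.51.100.9": "2018-12-01T11:50:00",        # naive, 10 min old
    "192.0.2.44": "2018-12-01T05:30:00-05:00",    # aware, -05:00 offset, 1 h 30 min old
}
SAMPLE_NOW = datetime(2018, 12, 1, 12, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    print("bug reproduced:", naive_minus_aware_fails())
    print("expired after 60 min:", expired_blocks(SAMPLE_BLOCKED, SAMPLE_NOW, 60))
```

The design choice worth keeping is that every comparison goes through as_utc: timestamps written by one version of the code without an offset and by another with one then age consistently instead of aborting the whole merge step.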

Unmaintained and overly complex

It seems to me that this project is not a good choice at all for anybody to use aside from as an example and PoC. There are multiple reasons I say this:

  • JSON Cloudformation, with over 2,000 lines meaning a maintenance nightmare if things go wrong or wish to be updated.
  • Overly complex design - lambdas triggering rules etc.
  • Lambdas are in more than one language (Python and NodeJS).
  • Lambdas are huge for small tasks (600+ lines for something to get IP lists?!)
  • A growing backlog of PRs and Issues.
  • Very few commits and committers since its original push in 2016.

It is a good example of what could be done with AWS WAF, however I have found myself on more than one occasion dealing with clients who believe that this repo is the best choice for them to roll out AWS WAF simply based off AWS blog promoting it. I believe that this is creating a maintenance risk in these organisations, who also end up spending significant time patching in their own changes to this repo instead of starting from a clean slate.

The point of submitting this Issue is to see if AWS will alter their Blog and/or README to clearly state that this is an example only and to recommend that customers use something a bit more fit for purpose based on their actual needs.

Updating WAF stack with 2.2.0 fails

Updating WAF stack v2.1 with v2.2.0 fails and rolls back:

21 Dec 2018 19:34:54    play-ids-WAFStack-1B0FJLMDJIWAP UPDATE_ROLLBACK_IN_PROGRESS The following resource(s) failed to update: [CreateUniqueID].
21 Dec 2018 19:34:53    CreateUniqueID  UPDATE_FAILED   Modifying service token is not allowed.

Deleting Stack Fails while trying to delete Reputation Lists

After deploying the updated WAF template to test out some changes, I decided to delete it. This failed when it got to WAFReputationListsSet1 and WAFReputationListsSet2 with the message Operation would result in exceeding resource limits.

Although I can't find a limit for this in the documentation or AWS WAF Limits, the rumour online is that there is a limit of 1000 CIDRs per create, update or delete. So it would appear that CloudFormation when going to delete the IPSet deletes all of the IPs in the IPSet first, then deletes the IPSet itself, which is a problem because the reputation lists seem to have over 1000 ips in them.

Recommendation for use with CloudFront pointing at ALB

Curious if you have a suggestion of best practice to use the WAF security automation with CloudFront pointing at a ALB instance?

Should I install the WAF security automations only on the ALB, only on CloudFront, or on both CloudFront and the ALB?

Leaning toward CloudFront & ALB since an attacker could potentially see the cname value that CloudFront uses.

Thanks for any insight/suggestions!

btw, if this is better asked at stackoverflow or similar, I'm happy to move it there

custom-resource.py overrides DefaultAction

If you change the WAF default action in the CloudFormation template, the WAF is initially created with that default action but it is then overridden when custom-resource.py runs.

            response = waf.update_web_acl(
                WebACLId=web_acl_id,
                ChangeToken=waf.get_change_token()['ChangeToken'],
                Updates=updates,
                DefaultAction={'Type': 'ALLOW'}
            )

Can the line be removed so this confusion is removed and the cloudformation value is honored?
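Hard-coding `DefaultAction={'Type': 'ALLOW'}` on every update is worse than a cosmetic confusion: an ACL the template deliberately configured to BLOCK by default is silently flipped back to ALLOW the first time the custom resource runs. The block below is an added example, not code from custom-resource.py, that puts the reported pattern beside a version which reads the ACL's current DefaultAction and passes it back unchanged. Because nothing here may call AWS, `FakeWaf` is a constructed in-memory stand-in for the boto3 waf / waf-regional client, modelling only get_web_acl, get_change_token and update_web_acl with the shape of the real responses.

```python
"""Preserve a web ACL's DefaultAction when updating its rules.

Added example, not code from the aws-waf-security-automations project.
FakeWaf is a constructed stand-in for a boto3 'waf'/'waf-regional' client.
"""
import itertools


class FakeWaf:
    """Constructed in-memory stand-in for the boto3 WAF client (three calls only)."""

    def __init__(self, web_acl_id, default_action):
        self.acls = {web_acl_id: {"WebACLId": web_acl_id,
                                  "DefaultAction": {"Type": default_action},
                                  "Rules": []}}
        self._tokens = itertools.count(1)

    def get_change_token(self):
        return {"ChangeToken": "token-%d" % next(self._tokens)}

    def get_web_acl(self, WebACLId):
        return {"WebACL": self.acls[WebACLId]}

    def update_web_acl(self, WebACLId, ChangeToken, Updates=(), DefaultAction=None):
        acl = self.acls[WebACLId]
        if DefaultAction is not None:
            acl["DefaultAction"] = DefaultAction
        for update in Updates:
            rule = update["ActivatedRule"]
            if update["Action"] == "INSERT":
                acl["Rules"].append(rule)
            elif update["Action"] == "DELETE":
                acl["Rules"] = [r for r in acl["Rules"] if r["RuleId"] != rule["RuleId"]]
        return {"ChangeToken": ChangeToken}


def update_rules_force_allow(waf, web_acl_id, updates):
    """The pattern from the issue: hard-codes ALLOW and clobbers the template's choice."""
    return waf.update_web_acl(
        WebACLId=web_acl_id,
        ChangeToken=waf.get_change_token()["ChangeToken"],
        Updates=updates,
        DefaultAction={"Type": "ALLOW"},
    )


def update_rules_keep_default_action(waf, web_acl_id, updates):
    """Apply rule updates while handing the ACL's existing DefaultAction back unchanged."""
    current = waf.get_web_acl(WebACLId=web_acl_id)["WebACL"]["DefaultAction"]
    return waf.update_web_acl(
        WebACLId=web_acl_id,
        ChangeToken=waf.get_change_token()["ChangeToken"],
        Updates=updates,
        DefaultAction=current,
    )


def default_action_after(updater, initial_action, updates):
    """Run one updater against a fresh fake ACL and report the resulting DefaultAction."""
    waf = FakeWaf("acl-1", initial_action)
    updater(waf, "acl-1", updates)
    return waf.get_web_acl(WebACLId="acl-1")["WebACL"]["DefaultAction"]["Type"]


# Constructed sample update: activate one rule at priority 1.
SAMPLE_UPDATES = [{"Action": "INSERT",
                   "ActivatedRule": {"RuleId": "rule-1", "Priority": 1,
                                     "Action": {"Type": "BLOCK"}}}]

if __name__ == "__main__":
    for updater in (update_rules_force_allow, update_rules_keep_default_action):
        print(updater.__name__, "BLOCK ->", default_action_after(updater, "BLOCK", SAMPLE_UPDATES))
```

In the real UpdateWebACL API the DefaultAction parameter is optional, so simply dropping the argument, as the issue asks, also leaves the CloudFormation value alone; reading it back and passing it explicitly just makes that intent visible in the code.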

ApiGatewayBadBot dependency error

When disabling the bad bot feature the stack fails to deploy because of an ApiGatewayBadBot dependency. I believe the BadBotProtectionActivated condition should be used also on the ApiGatewayBadBotResource
