aws-samples / amazon-guardduty-waf-acl
AWS GD2ACL
License: MIT No Attribution
Would it be possible to update this to work with the new WAF console? I have an existing ACL created with the new console that I would like to use the IP set with.
Thanks for your work on this!
For Organizations that have all their findings aggregated to a central security account it would be awesome (AWSome?) to support managing the VPCs' NACLs in those other accounts by leveraging an IAM role.
We have an issue with this. Sometimes we get NACLs with the same IP address and some missing records in Dynamo DB. For example:
and
if I review the Dynamo Table this is what I get
I have already changed the Lambda concurrency to 1.
Below are the CloudWatch logs:
START RequestId: 7943a5b4-4aa5-476a-ac7e-76fb34efeef4 Version: $LATEST
[INFO] 2019-03-27T18:07:02.288Z 7943a5b4-4aa5-476a-ac7e-76fb34efeef4 log -- Event: {"version": "0", "id": "24f964e2-345a-d941-3b50-125a6c6d857b", "detail-type": "GuardDuty Finding", "source": "aws.guardduty", "account": "xxxxxxxxxxxx", "time": "2019-03-27T18:07:00Z", "region": "us-east-2", "resources": [], "detail": {"schemaVersion": "2.0", "accountId": "xxxxxxxxxx", "region": "us-east-2", "part
[INFO] 2019-03-27T18:07:02.410Z 7943a5b4-4aa5-476a-ac7e-76fb34efeef4 Found credentials in environment variables.
[INFO] 2019-03-27T18:07:03.311Z 7943a5b4-4aa5-476a-ac7e-76fb34efeef4 Starting new HTTPS connection (1): ec2.us-east-2.amazonaws.com
[INFO] 2019-03-27T18:07:03.611Z 7943a5b4-4aa5-476a-ac7e-76fb34efeef4 entering update_nacl, netacl_id=acl-7b4a1c12, host_ip=81.22.45.144
[INFO] 2019-03-27T18:07:03.951Z 7943a5b4-4aa5-476a-ac7e-76fb34efeef4 Starting new HTTPS connection (1): dynamodb.us-east-2.amazonaws.com
[INFO] 2019-03-27T18:07:04.469Z 7943a5b4-4aa5-476a-ac7e-76fb34efeef4 Starting new HTTPS connection (1): ec2.us-east-2.amazonaws.com
[ERROR] 2019-03-27T18:07:04.749Z 7943a5b4-4aa5-476a-ac7e-76fb34efeef4 Something went wrong.
An error occurred (NetworkAclEntryAlreadyExists) when calling the CreateNetworkAclEntry operation: The network acl entry identified by 81 already exists.: ClientError Traceback (most recent call last): File "/var/task/lambda_function.py", line 488, in lambda_handler response = update_nacl(netacl_id=NetworkAclId,host_ip=HostIp, region=Region) File "/var/task/lambda_function.py", line 308, i
END RequestId: 7943a5b4-4aa5-476a-ac7e-76fb34efeef4
What could be happening? I have been struggling with this issue for several weeks and can't find a solution.
Thanks,
Hello,
The code adds WAF rules based on the "ipAddressV4" json element.
My question is: how can I be sure that the ipAddressV4 address is not a NAT-generated address, so that by blocking it I do not block a valid customer who will be using the same IP in the future?
Thank you
Uri
The CloudWatch logs report information similar to the following:
[INFO] 2019-02-11T18:07:14.908Z 163c15e1-a6e5-4eaa-93f6-8596f99b1646 log -- delete rule 74, from NACL acl-f5785d9d.
Soon followed by:
[INFO] 2019-02-11T18:07:15.125Z 163c15e1-a6e5-4eaa-93f6-8596f99b1646 log -- add new rule 74, HostIP 184.105.247.194, to NACL acl-f5785d9d.
[INFO] 2019-02-11T18:07:15.125Z 163c15e1-a6e5-4eaa-93f6-8596f99b1646 log -- rule count for NACL acl-f5785d9d is 9.
When I review the Network ACLs, I see the new entry. However, when I review the dynamodb state table the entry is not in the table and the rule count does not agree with the log.
I do not see any errors in the cloudwatch log indicating any issue with connecting or writing to the dynamodb table.
Is there any sort of optimization that needs to be made to the code to guarantee that the dynamodb state table is updated?
The out of sync state table entries cause problems in subsequent invocations of the lambda function.
I am finding I have to manually adjust the NACL entries daily to keep the Network ACL list and the dynamodb state table in sync.
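Both the NetworkAclEntryAlreadyExists report above and this state-table drift report come down to the same thing: the Lambda picks the rule number from the DynamoDB state table, and when the table and the NACL disagree, CreateNetworkAclEntry collides with a rule that is already there. The added example below (my code, not the project's) treats the live NACL as the source of truth when choosing a rule number, and reports every disagreement between the NACL and the state table so the two can be reconciled instead of patched by hand. The rule range 71-80 for GuardDuty blocks and the state-table attribute names NetACL_ID, RuleNo and HostIp are assumptions; the entry dicts follow the shape returned by ec2.describe_network_acls().

```python
import ipaddress

# Assumed rule-number range that this solution reserves for GuardDuty deny rules.
BLOCK_RULES = range(71, 81)

# Constructed sample shaped like ec2.describe_network_acls()["NetworkAcls"][0]["Entries"].
# The two blocked addresses are the ones that appear in the logs quoted above.
NACL_ENTRIES = [
    {"RuleNumber": 71, "Protocol": "-1", "RuleAction": "deny", "Egress": False, "CidrBlock": "184.105.247.194/32"},
    {"RuleNumber": 72, "Protocol": "-1", "RuleAction": "deny", "Egress": False, "CidrBlock": "81.22.45.144/32"},
    {"RuleNumber": 100, "Protocol": "-1", "RuleAction": "allow", "Egress": False, "CidrBlock": "0.0.0.0/0"},
    {"RuleNumber": 32767, "Protocol": "-1", "RuleAction": "deny", "Egress": False, "CidrBlock": "0.0.0.0/0"},
]

# Constructed state-table items (attribute names are an assumption). Rule 73 is stale:
# the table still lists it, but the NACL no longer has it. Rule 72 is missing from the table.
STATE_ITEMS = [
    {"NetACL_ID": "acl-7b4a1c12", "RuleNo": 71, "HostIp": "184.105.247.194"},
    {"NetACL_ID": "acl-7b4a1c12", "RuleNo": 73, "HostIp": "203.0.113.9"},
]


def blocked_rules(entries):
    """Map rule number -> CIDR for the ingress deny rules inside BLOCK_RULES."""
    return {
        e["RuleNumber"]: e["CidrBlock"]
        for e in entries
        if not e["Egress"] and e["RuleAction"] == "deny" and e["RuleNumber"] in BLOCK_RULES
    }


def plan_nacl_update(entries, host_ip):
    """Decide what to do for host_ip using the live NACL, not the state table, as the truth.

    Returns {"action": "noop" | "create" | "replace", "rule": <rule number>, ...}.
    "create" maps to create_network_acl_entry, "replace" to replace_network_acl_entry.
    """
    cidr = f"{ipaddress.IPv4Address(host_ip)}/32"  # raises ValueError on malformed input
    blocked = blocked_rules(entries)
    for rule, existing in blocked.items():
        if existing == cidr:
            return {"action": "noop", "rule": rule, "cidr": cidr}
    free = sorted(set(BLOCK_RULES) - set(blocked))
    if free:
        return {"action": "create", "rule": free[0], "cidr": cidr}
    # Every slot is taken: evict the lowest rule number. When the state table's
    # timestamps can be trusted, use them to pick the genuinely oldest entry instead.
    evict = min(blocked)
    return {"action": "replace", "rule": evict, "cidr": cidr, "evicted": blocked[evict]}


def state_drift(entries, state_items, netacl_id):
    """Compare the state table with the live NACL and report every disagreement."""
    live = blocked_rules(entries)
    recorded = {i["RuleNo"]: f"{i['HostIp']}/32" for i in state_items if i["NetACL_ID"] == netacl_id}
    return {
        "missing_from_table": sorted(r for r in live if r not in recorded),
        "stale_in_table": sorted(r for r in recorded if r not in live),
        "ip_mismatch": sorted(r for r in live if r in recorded and live[r] != recorded[r]),
    }


if __name__ == "__main__":
    print(plan_nacl_update(NACL_ENTRIES, "81.22.45.144"))
    print(plan_nacl_update(NACL_ENTRIES, "198.51.100.7"))
    print(state_drift(NACL_ENTRIES, STATE_ITEMS, "acl-7b4a1c12"))
```

Running state_drift on a schedule (or at the start of every invocation) and rewriting the table from the NACL's entries removes the manual daily clean-up; plan_nacl_update makes the create path idempotent, so a second finding for an address that is already denied becomes a no-op rather than a NetworkAclEntryAlreadyExists error.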
Hi Guys,
I believe there is a bug in the script. When it receives the IPs for a scan they come in as an array. But the script only seems to be blocking the first IP in the array.
This is the offending line:
HostIp = event["detail"]["service"]["action"]["portProbeAction"]["portProbeDetails"][0]["remoteIpDetails"]["ipAddressV4"]
portProbeDetails is actually an array of remoteIpDetails that contains more than just one entry. You probably need to loop through this array to block all of the offending IPs. Otherwise you are going to miss a whole bunch of IPs that are attacking you.
I'll attach a patch that I've made but you will probably find a more elegant way to do it with better error handling than my code.
Cheers!
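The following is an added example of what that loop looks like when written defensively; it is my code, not the reporter's patch or the project's lambda_function.py. It walks every portProbeDetails entry instead of just index 0, and it also reads the remoteIpDetails of NETWORK_CONNECTION and AWS_API_CALL findings, which live under different keys in the GuardDuty finding schema. Two caveats from elsewhere in this thread are built in: non-global addresses (RFC 1918 and similar) are never returned, and an optional allowlist of your own CIDRs keeps the function from handing back an address you know to be your own NAT or egress. The sample event is constructed; only the fields the function reads are populated.

```python
import ipaddress

# Constructed GuardDuty finding event, shaped like the EventBridge payload the Lambda receives.
# The two public addresses are the ones from the logs quoted above; one is deliberately
# repeated and one RFC 1918 address is included to show the filtering.
PORT_PROBE_EVENT = {
    "detail-type": "GuardDuty Finding",
    "source": "aws.guardduty",
    "detail": {
        "type": "Recon:EC2/PortProbeUnprotectedPort",
        "service": {
            "action": {
                "actionType": "PORT_PROBE",
                "portProbeAction": {
                    "blocked": False,
                    "portProbeDetails": [
                        {"localPortDetails": {"port": 22, "portName": "SSH"},
                         "remoteIpDetails": {"ipAddressV4": "81.22.45.144"}},
                        {"localPortDetails": {"port": 3389, "portName": "RDP"},
                         "remoteIpDetails": {"ipAddressV4": "184.105.247.194"}},
                        {"localPortDetails": {"port": 445, "portName": "SMB"},
                         "remoteIpDetails": {"ipAddressV4": "81.22.45.144"}},
                        {"localPortDetails": {"port": 80, "portName": "HTTP"},
                         "remoteIpDetails": {"ipAddressV4": "10.0.0.5"}},
                    ],
                },
            }
        },
    },
}


def remote_ips_from_finding(event, allowlist=()):
    """Return the deduplicated, ordered list of blockable remote IPv4 addresses in a finding.

    allowlist: CIDR strings (your own NAT/egress ranges) that must never be blocked.
    """
    action = event.get("detail", {}).get("service", {}).get("action", {})
    kind = action.get("actionType")
    raw = []
    if kind == "PORT_PROBE":
        # portProbeDetails is a list: one element per probed port, each with its own remote IP.
        for probe in action.get("portProbeAction", {}).get("portProbeDetails", []):
            raw.append(probe.get("remoteIpDetails", {}).get("ipAddressV4"))
    elif kind == "NETWORK_CONNECTION":
        raw.append(action.get("networkConnectionAction", {}).get("remoteIpDetails", {}).get("ipAddressV4"))
    elif kind == "AWS_API_CALL":
        raw.append(action.get("awsApiCallAction", {}).get("remoteIpDetails", {}).get("ipAddressV4"))
    # DNS_REQUEST findings name a domain, not a remote address: nothing to add to a NACL or IP set.

    allowed = [ipaddress.ip_network(cidr) for cidr in allowlist]
    ips = []
    for value in raw:
        try:
            ip = ipaddress.IPv4Address(value)
        except (ValueError, TypeError):  # field missing or malformed
            continue
        if not ip.is_global or any(ip in net for net in allowed):
            continue
        if str(ip) not in ips:
            ips.append(str(ip))
    return ips


if __name__ == "__main__":
    print(remote_ips_from_finding(PORT_PROBE_EVENT))
    print(remote_ips_from_finding(PORT_PROBE_EVENT, allowlist=["81.22.45.0/24"]))
```

The caller then iterates over the returned list and runs the existing NACL/WAF update once per address; note that the NACL can hold only a limited number of block rules, so a finding with many probe sources will exercise the eviction path of the update code.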
It will be great to have an option to deploy this solution to other regions aside from us-east-1.
It seems the Resource block should be an array ([]) and both resources should be listed under it.
{
"Action": [
"wafv2:GetIPSet",
"wafv2:UpdateIPSet"
],
"Resource": "arn:aws:wafv2:us-east-1:xxxxxxxxxxxxx:global/ipset/CloudFrontBlocklistIPSetV4-xxxxxx/xxxxxxxxxxxx, arn:aws:wafv2:us-east-1:xxxxxxx:regional/ipset/RegionalBlocklistIPSetV4-xxxxxx/xxxxxxxxxxxxxxx",
"Effect": "Allow"
}
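A comma-joined Resource string like the one above is one resource string that matches no ARN, so the statement grants nothing and the Lambda fails on wafv2:UpdateIPSet. The added check below (my code, not the project's) flags that mistake in a policy statement and rewrites the Resource element as a list of individual ARNs. The statement is reconstructed from the snippet quoted above, account and ID placeholders included; the ARN regex is a deliberately loose shape check, not full ARN validation.

```python
import json
import re

# Loose ARN shape: arn:partition:service:region:account:resource (resource may contain ':' or '/').
ARN_RE = re.compile(r"^arn:[^:\s,]+:[^:\s,]+:[^:\s,]*:[^:\s,]*:\S+$")

# The statement as quoted in the report above, as a dict (constructed input).
BROKEN_STATEMENT = {
    "Action": ["wafv2:GetIPSet", "wafv2:UpdateIPSet"],
    "Resource": "arn:aws:wafv2:us-east-1:xxxxxxxxxxxxx:global/ipset/CloudFrontBlocklistIPSetV4-xxxxxx/xxxxxxxxxxxx, arn:aws:wafv2:us-east-1:xxxxxxx:regional/ipset/RegionalBlocklistIPSetV4-xxxxxx/xxxxxxxxxxxxxxx",
    "Effect": "Allow",
}


def resource_problems(statement):
    """Return a list of human-readable problems with the statement's Resource element."""
    resources = statement.get("Resource")
    if resources is None:
        return ["no Resource element"]
    if isinstance(resources, str):
        resources = [resources]
    problems = []
    for res in resources:
        if res == "*":
            continue
        if "," in res:
            problems.append(f"comma inside a single resource string (several ARNs glued together?): {res[:40]}...")
        elif not ARN_RE.match(res):
            problems.append(f"not a well-formed ARN: {res}")
    return problems


def fix_resources(statement):
    """Return a copy of the statement whose Resource is a list of individual ARN strings."""
    fixed = dict(statement)
    resources = fixed.get("Resource", [])
    if isinstance(resources, str):
        resources = [resources]
    split = []
    for res in resources:
        split.extend(part.strip() for part in res.split(",") if part.strip())
    fixed["Resource"] = split
    return fixed


if __name__ == "__main__":
    for problem in resource_problems(BROKEN_STATEMENT):
        print("problem:", problem)
    print(json.dumps(fix_resources(BROKEN_STATEMENT), indent=2))
```

The same check is worth running over every statement of a generated policy before deployment, since IAM's own validation does not always reject a string that merely looks like a resource.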
I am trying to update an existing WebACL with a new IPSet by passing the existing IPSet Id in the ALBIpSetId parameter and passing "false" for CloudFrontIPSetId. The expected behavior is that the existing WebACL is updated with the new IPSet rules. The actual behavior is that a new WebACL is created.
The following snippet (line numbers from the code) shows that the resources ALBBlacklistIPSet, ALBBlacklistIPSetRule and ALBBlacklistWebACL are created instead of updated even if I pass ALBIPSetId as a parameter to update. These resources should check the condition CreateALBWebACL instead of CreateCloudFrontWebACL.
267 ALBBlacklistIPSet:
268 Condition: CreateCloudFrontWebACL
277 ALBBlacklistIPSetRule:
278 Condition: CreateCloudFrontWebACL
290 ALBBlacklistWebACL:
291 Condition: CreateCloudFrontWebACL