globaldatanet / aws-firewall-factory

219.0 5.0 21.0 27.84 MB

Easily improve the security of your web applications with aws firewall factory. Protect your valuable assets with seamless WAF deployment, updates, and staging, all efficiently managed centrally with Firewall Manager.

Home Page: https://docs.aws-firewall-factory.com/

License: Apache License 2.0

JavaScript 1.98% Shell 0.10% TypeScript 97.90% CSS 0.02%
aws firewall governance waf typescript cdk amazon-web-services devsecops owasp security

aws-firewall-factory's People

Contributors

ba24489 avatar daknhh avatar dependabot[bot] avatar goyertp avatar kirnberger1980 avatar vboufleur avatar walterkopp avatar zehsor avatar

aws-firewall-factory's Issues

Missing WCU calculation for orStatement within andStatement

Describe the bug
Currently we are not able to calculate a WCU for a firewall with an orStatement within an andStatement.

How to reproduce it
Statements:
    statement: {
      andStatement: {
        statements: [
          { orStatement: { statements: [
              { labelMatchStatement: { scope: "LABEL", key: "awswaf:managed:aws:core-rule-set:SizeRestrictions_Body" } },
              { labelMatchStatement: { scope: "LABEL", key: "awswaf:managed:aws:core-rule-set:CrossSiteScripting_Body" } }
          ] } },
          { orStatement: { statements: [
              { notStatement: { statement: { regexMatchStatement: {
                  regexString: "(/oauth2/callback/saml|/api/ce/submit|/api/qualityprofiles/restore)",
                  fieldToMatch: { uriPath: {} },
                  textTransformations: [{ priority: 0, type: "LOWERCASE" }] } } } },
              { notStatement: { statement: { regexMatchStatement: {
                  regexString: "(POST)",
                  fieldToMatch: { method: {} },
                  textTransformations: [{ priority: 0, type: "NONE" }] } } } }
          ] } }
        ]
      }
    },

Expected behaviour
The calculation works.
Please fill in the following information about the solution:

  • Version: [e.g. 4.1.4].

🚀 FEATURE: Configurable Rate-Limiting Rule Evaluation Window

According to the docs, the Rate Limiting Statement now supports configuring the evaluation window.
With this feature enhancement, users would be able to specify the evaluation window duration according to their specific needs. The update offers predefined options of 1, 2, 5, and 10 minutes for the evaluation window duration. This customization empowers users to align the AWS WAF configuration more precisely with their application requirements and security policies.

Importance and Impact:
While this update may not directly accelerate the detection of large concentrated DDoS attacks, it significantly enhances the capability to mitigate distributed attacks. By reducing the evaluation window from the previous 5-minute interval, users can now swiftly respond to anomalous traffic patterns, making it harder for distributed attacks to evade detection.

Warning on task deploy: "aws-cdk-lib.aws_lambda.FunctionOptions#logRetention is deprecated."

Describe the bug
While deploying the stack the following warning appears:

    [WARNING] aws-cdk-lib.aws_lambda.FunctionOptions#logRetention is deprecated.
      instead create a fully customizable log group with `logs.LogGroup` and use the `logGroup` property to instruct the Lambda function to send logs to it.
      Migrating from `logRetention` to `logGroup` will cause the name of the log group to change.
      Users and code and referencing the name verbatim will have to adjust.

      In AWS CDK code, you can access the log group name directly from the LogGroup construct:

        declare const myLogGroup: logs.LogGroup;
        myLogGroup.logGroupName;

      This API will be removed in the next major release.

How to reproduce it
Just deploy a stack.

Expected behaviour
No warnings, as they indicate that in the next major CDK release the deployment will break.

Please fill in the following information about the solution:

  • Version: 4.2.1
  • Region: us-east-1
  • Has the solution been modified from the version posted to this repository? Yes
  • If yes, are the changes available on GitHub? No

Screenshots.
[screenshot]

Error while Processing CloudFormation Outputs

Describe the bug
ProcessProperties for DeployedRuleGroups are always written into DeployedRuleGroupNames, so the redeploy of changed capacity no longer works correctly.

eg.:
    {
      Capacity: 350,
      DeployedRuleGroupCapacities: [],
      DeployedRuleGroupIdentifier: [],
      DeployedRuleGroupNames: [ '347' ],
      RuleCapacities: [],
      ManagedRuleGroupCount: 7,
      ManagedRuleBotControlCount: 1,
      ManagedRuleATPCount: 0,
      CustomRuleCount: 13,
      CustomRuleGroupCount: 0,
      CustomCaptchaRuleCount: 0
    }

Expected behaviour

    {
      Capacity: 350,
      DeployedRuleGroupCapacities: ['347'],
      DeployedRuleGroupIdentifier: ['test123'],
      DeployedRuleGroupNames: [ 'test123' ],
      RuleCapacities: [],
      ManagedRuleGroupCount: 7,
      ManagedRuleBotControlCount: 1,
      ManagedRuleATPCount: 0,
      CustomRuleCount: 13,
      CustomRuleGroupCount: 0,
      CustomCaptchaRuleCount: 0
    }

Please fill in the following information about the solution:

  • Version: 4.2.0

Can't deploy due to "Stack with id {stack_id} does not exist"

Hi!

I'm trying aws-firewall-factory out for automating the deployment of WAF rules across multiple accounts in my org. The problem is that I got stuck on the following error:

# vboufleur @ wiipo161 in ~/Development/vboufleur/aws-firewall-factory on git:master x [19:00:52] 
$ REGION=us-east-1 task deploy config=owasptopten

๐Ÿท  Version:   3.1.1 
๐Ÿ‘ค AWS Account used:   
                      115131055398 
๐ŸŒŽ CDK deployment region:  
                      us-east-1  


/home/vboufleur/Development/vboufleur/aws-firewall-factory/node_modules/@aws-sdk/smithy-client/dist-cjs/default-error-handler.js:8
    const response = new exceptionCtor({
                     ^
ValidationError: Stack with id WIIPO-WAF-OWASPTOPTEN-DEV-C02E5EAD7FCC5F66B9B7B06E6A1B856D does not exist
    at throwDefaultError (/home/vboufleur/Development/vboufleur/aws-firewall-factory/node_modules/@aws-sdk/smithy-client/dist-cjs/default-error-handler.js:8:22)
    at /home/vboufleur/Development/vboufleur/aws-firewall-factory/node_modules/@aws-sdk/smithy-client/dist-cjs/default-error-handler.js:18:39
    at de_DescribeStacksCommandError (/home/vboufleur/Development/vboufleur/aws-firewall-factory/node_modules/@aws-sdk/client-cloudformation/dist-cjs/protocols/Aws_query.js:1575:12)
    at processTicksAndRejections (node:internal/process/task_queues:96:5)
    at /home/vboufleur/Development/vboufleur/aws-firewall-factory/node_modules/@aws-sdk/middleware-serde/dist-cjs/deserializerMiddleware.js:7:24
    at /home/vboufleur/Development/vboufleur/aws-firewall-factory/node_modules/@aws-sdk/middleware-signing/dist-cjs/middleware.js:14:20
    at /home/vboufleur/Development/vboufleur/aws-firewall-factory/node_modules/@aws-sdk/middleware-retry/dist-cjs/retryMiddleware.js:27:46
    at /home/vboufleur/Development/vboufleur/aws-firewall-factory/node_modules/@aws-sdk/middleware-logger/dist-cjs/loggerMiddleware.js:7:26
    at Object.setOutputsFromStack (/home/vboufleur/Development/vboufleur/aws-firewall-factory/lib/tools/helpers.ts:183:25)
    at /home/vboufleur/Development/vboufleur/aws-firewall-factory/bin/aws-firewall-factory.ts:114:11

I tried searching in the files for the root cause of the error but I was not able to. What could cause this error?
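The trace ends in setOutputsFromStack, which issues a CloudFormation DescribeStacks call, and CloudFormation answers with a ValidationError "Stack with id ... does not exist" whenever no stack of that name exists in the account and region the credentials resolve to. The same message therefore appears on a genuine first deployment and when REGION or the credentials point somewhere other than where the stack lives, so checking those two first is worthwhile. What follows is an added example, not aws-firewall-factory's own code, of reading stack outputs so that the missing-stack case is treated as a first deployment while every other error still fails the run. The DescribeStacks signature is reduced to a synchronous, injectable function so the example runs offline; the stack name, the output key and the web ACL ARN are invented for the example.

```typescript
// Added example, not aws-firewall-factory code. Reads a CloudFormation stack's
// outputs in a way that tolerates the stack not existing yet (first deployment)
// without swallowing unrelated failures such as expired credentials or throttling.

interface StackOutput { OutputKey?: string; OutputValue?: string }
interface DescribeStacksResult {
  Stacks?: { StackName?: string; Outputs?: StackOutput[] }[];
}
// The one call the helper needs. Synchronous and injectable so the example runs
// without the SDK or network access; with @aws-sdk/client-cloudformation you would
// await client.send(new DescribeStacksCommand({ StackName })) inside the same try/catch.
type DescribeStacks = (stackName: string) => DescribeStacksResult;

interface StackOutputs {
  exists: boolean;                  // false on the first deployment
  outputs: Record<string, string>;  // OutputKey -> OutputValue
}

// CloudFormation signals an unknown stack with error name "ValidationError" and a
// "does not exist" message. Other ValidationErrors (bad request parameters) are
// deliberately NOT matched, so they still abort the deployment.
function isStackMissingError(err: unknown): boolean {
  return err instanceof Error && err.name === "ValidationError" && /does not exist/.test(err.message);
}

// Returns null only for the missing-stack case; everything else propagates.
function describeIfExists(stackName: string, describe: DescribeStacks): DescribeStacksResult | null {
  try {
    return describe(stackName);
  } catch (err) {
    if (isStackMissingError(err)) return null;
    throw err;
  }
}

function loadStackOutputs(stackName: string, describe: DescribeStacks): StackOutputs {
  const result = describeIfExists(stackName, describe);
  if (result === null) return { exists: false, outputs: {} };
  const stack = result.Stacks?.find((s) => s.StackName === stackName) ?? result.Stacks?.[0];
  const outputs: Record<string, string> = {};
  for (const o of stack?.Outputs ?? []) {
    if (o.OutputKey !== undefined && o.OutputValue !== undefined) outputs[o.OutputKey] = o.OutputValue;
  }
  return { exists: true, outputs };
}

// Constructed stand-in for the SDK call (invented stack name and ARN): one stack
// exists; every other name raises the same error CloudFormation returns for an
// unknown stack id.
const SAMPLE_STACK = "EXAMPLE-WAF-OWASPTOPTEN-DEV";
const SAMPLE_WEBACL_ARN =
  "arn:aws:wafv2:us-east-1:123456789012:regional/webacl/owasptopten/00000000-0000-0000-0000-000000000000";
function fakeDescribeStacks(stackName: string): DescribeStacksResult {
  if (stackName === SAMPLE_STACK) {
    return { Stacks: [{ StackName: stackName, Outputs: [{ OutputKey: "WebAclArn", OutputValue: SAMPLE_WEBACL_ARN }] }] };
  }
  const err = new Error(`Stack with id ${stackName} does not exist`);
  err.name = "ValidationError";
  throw err;
}
```

Wherever a deploy script reads outputs before it deploys, branching on `exists` lets the first run proceed with an empty output map instead of crashing, while an ExpiredToken or AccessDenied error is still raised. Matching on the error name plus the "does not exist" text, rather than on ValidationError alone, is what keeps a malformed request from being mistaken for a first deployment.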

Resources in scope

Similarly to the settings for accounts in scope, the settings that you provide for resources determine which in-scope resource types to apply the policy to. You can choose one of the following:

  • All resources
  • Resources that have all of the tags that you specify
  • All resources except those that have all of the tags that you specify

For more information about tagging your resources, see Working with Tag Editor.

Can't deploy due to "Stack with id {stack_id} does not exist"

I've got the same error again, after bootstrapping CDK in the account, creating the logging bucket and checking the config. Can you please help me to debug it?

I'm using CDK v2, as v1 will be deprecated soon. Could this be the cause of the error? Here's a message from AWS:

This is the AWS CDK v2 Developer Guide. The older CDK v1 entered maintenance on June 1, 2022 and will now receive only critical bug fixes and security patches. New features will be developed for CDK v2 exclusively. Support for CDK v1 will end entirely on June 1, 2023.

Checking the config:

# vboufleur @ wiipo161 in ~/Development/vboufleur/aws-firewall-factory on git:master x [12:19:46] C:130
$ REGION=us-east-1 task validateconfig config=owasptopten
Your config values/owasptopten.json is valid.

The config JSON:

{
    "General": {
      "Prefix": "wiipo",
      "Stage": "dev",
      "S3LoggingBucketName": "sre-firewall-factory-logs-dev",
      "CreateDashboard": true,
      "DeployHash": "c02e5ead7fcc5f66b9b7b06e6a1b856d",
      "FireHoseKeyArn": "arn:aws:kms:us-east-1:115131055398:key/6e343b5b-8f8a-454d-925d-ef166007b9a8",
      "SecuredDomain": [
        "dev.wiipo.com",
        "albsp.wiipo.com"
      ]
    },
    "WebAcl": {
      "Name": "owasptopten",
      "Scope": "REGIONAL",
      "Type": "AWS::ApiGatewayV2::Api",
      "IncludeMap": {
        "account": [
          "115131055398"
        ]
      },
      "PreProcess": {
        "ManagedRuleGroups": [
          {
            "Vendor": "AWS",
            "Name": "AWSManagedRulesAmazonIpReputationList",
            "Version": "",
            "Capacity": 25
          },
          {
            "Vendor": "AWS",
            "Name": "AWSManagedRulesAnonymousIpList",
            "Version": "",
            "Capacity": 50
          },
          {
            "Vendor": "AWS",
            "Name": "AWSManagedRulesBotControlRuleSet",
            "Version": "",
            "Capacity": 50
          },
          {
            "Vendor": "AWS",
            "Name": "AWSManagedRulesCommonRuleSet",
            "Version": "",
            "Capacity": 700
          },
          {
            "Vendor": "AWS",
            "Name": "AWSManagedRulesKnownBadInputsRuleSet",
            "Version": "",
            "Capacity": 200
          },
          {
            "Vendor": "AWS",
            "Name": "AWSManagedRulesSQLiRuleSet",
            "Version": "",
            "Capacity": 200
          }
        ]
      },
      "PostProcess": {}
    }
  }

The error:

# vboufleur @ wiipo161 in ~/Development/vboufleur/aws-firewall-factory on git:master x [12:17:34] 
$ REGION=us-east-1 task deploy config=owasptopten

๐Ÿท  Version:   3.1.1 
๐Ÿ‘ค AWS Account used:   
                    115131055398 
๐ŸŒŽ CDK deployment region:  
                    us-east-1  


/home/vboufleur/Development/vboufleur/aws-firewall-factory/node_modules/@aws-sdk/smithy-client/dist-cjs/default-error-handler.js:8
  const response = new exceptionCtor({
                   ^
ValidationError: Stack with id WIIPO-WAF-OWASPTOPTEN-DEV-C02E5EAD7FCC5F66B9B7B06E6A1B856D does not exist
  at throwDefaultError (/home/vboufleur/Development/vboufleur/aws-firewall-factory/node_modules/@aws-sdk/smithy-client/dist-cjs/default-error-handler.js:8:22)
  at /home/vboufleur/Development/vboufleur/aws-firewall-factory/node_modules/@aws-sdk/smithy-client/dist-cjs/default-error-handler.js:18:39
  at de_DescribeStacksCommandError (/home/vboufleur/Development/vboufleur/aws-firewall-factory/node_modules/@aws-sdk/client-cloudformation/dist-cjs/protocols/Aws_query.js:1575:12)
  at processTicksAndRejections (node:internal/process/task_queues:96:5)
  at /home/vboufleur/Development/vboufleur/aws-firewall-factory/node_modules/@aws-sdk/middleware-serde/dist-cjs/deserializerMiddleware.js:7:24
  at /home/vboufleur/Development/vboufleur/aws-firewall-factory/node_modules/@aws-sdk/middleware-signing/dist-cjs/middleware.js:14:20
  at /home/vboufleur/Development/vboufleur/aws-firewall-factory/node_modules/@aws-sdk/middleware-retry/dist-cjs/retryMiddleware.js:27:46
  at /home/vboufleur/Development/vboufleur/aws-firewall-factory/node_modules/@aws-sdk/middleware-logger/dist-cjs/loggerMiddleware.js:7:26
  at Object.setOutputsFromStack (/home/vboufleur/Development/vboufleur/aws-firewall-factory/lib/tools/helpers.ts:183:25)
  at /home/vboufleur/Development/vboufleur/aws-firewall-factory/bin/aws-firewall-factory.ts:114:11

Subprocess exited with error 1
task: Failed to run task "deploy": task: Failed to run task "cdkdeploy": exit status 1

Here are the parameters of the CloudFormation stack I used for bootstrapping CDK in the account:
[screenshot]

This is the template for bootstraping the CDK that I used: https://github.com/aws/aws-cdk/blob/main/packages/aws-cdk/lib/api/bootstrap/bootstrap-template.yaml

What does "overrideCustomerWebACLAssociation" mean?

Hi!

Just a quick question, I've seen that in the firewall-stack.ts file the prop overrideCustomerWebACLAssociation is set to true. I've searched the SecurityServicePolicyData docs but I've found no explanation about it there.

What exactly does it mean? What happens when it's set to true? I'm asking to check how it'll affect the WAF rules in my accounts. If I see I need it to be set to false I'll send you a PR that adds an option to parametrize this value.

Thanks!

🎉 FEATURE:

Is your feature request related to a problem? Please describe.
A clear and concise description of the problem. For example. I'm always frustrated when [...].

Describe the feature you'd like
A clear and concise description of what it is that you want to happen.

Additional context
Here you can add any other context or screenshots you have about the feature request.

NotStatements for RegexPatternSets and IPSets WAFv2 Factory are ignored while WCU calculation

Describe the bug
A clear and concise description of what the bug is.

How to reproduce it
The FW factory does not include notStatements in the calculation of IPSets or RegexPatternSets.

If it is still present in the code, an error is thrown:

  '$fault': 'client',
  '$metadata': {
    httpStatusCode: 400,
    requestId: 'a06d5aae-6eb1-4a3a-bf47-cfbd59da41df',
    extendedRequestId: undefined,
    cfId: undefined,
    attempts: 1,
    totalRetryDelay: 0
  },
  Field: 'RESOURCE_ARN',
  Parameter: 'xxxxxx',
  Reason: "The ARN isn't valid. A valid ARN begins with arn: and includes other information separated by colons or slashes.",
  __type: 'WAFInvalidParameterException'
}

Subprocess exited with error 1
task: Failed to run task "deploy": exit status 1

Code adjustment in the file lib/tools/helpers.ts (line 362): the notStatements must be calculated here.

Later it must be checked whether the NotStatement contains a statement with a reference to an IPSet or RegexPatternSet.

Expected behaviour
WCU should be calculated using the workaround that does not call the API.

Please fill in the following information about the solution:

  • Version: 4.1.0
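Both WCU issues above (the orStatement nested in an andStatement, and the notStatement wrapping an IPSet or RegexPatternSet reference) need the same thing first: a walk over the whole statement tree that finds every set reference, because the WAF CheckCapacity API rejects placeholder ARNs with the WAFInvalidParameterException shown. The following is an added example, not code from aws-firewall-factory; the function names collectReferences and needsLocalWcuCalculation are mine, and the two statement objects are constructed for the example (the first is the one posted in the orStatement issue, the second uses placeholder ARNs in the AWS documentation account 123456789012).

```typescript
// Added example, not aws-firewall-factory code. Walks a WAFv2 rule statement
// (the JSON shape used in the issues above) and collects every IPSet and
// RegexPatternSet reference, however deeply it sits under andStatement,
// orStatement, notStatement or a rate-based rule's scopeDownStatement.

type Statement = Record<string, any>;

interface ReferenceSummary {
  ipSets: string[];           // arn values of every ipSetReferenceStatement
  regexPatternSets: string[]; // arn values of every regexPatternSetReferenceStatement
  depth: number;              // nesting levels below the top-level statement
}

function collectReferences(statement: Statement, level = 0): ReferenceSummary {
  const summary: ReferenceSummary = { ipSets: [], regexPatternSets: [], depth: level };
  const visit = (child: Statement) => {
    const sub = collectReferences(child, level + 1);
    summary.ipSets.push(...sub.ipSets);
    summary.regexPatternSets.push(...sub.regexPatternSets);
    summary.depth = Math.max(summary.depth, sub.depth);
  };

  if (statement.ipSetReferenceStatement?.arn) {
    summary.ipSets.push(statement.ipSetReferenceStatement.arn);
  }
  if (statement.regexPatternSetReferenceStatement?.arn) {
    summary.regexPatternSets.push(statement.regexPatternSetReferenceStatement.arn);
  }
  // Logical statements: and/or carry a list of children, not carries a single child.
  for (const key of ["andStatement", "orStatement"]) {
    for (const child of statement[key]?.statements ?? []) visit(child);
  }
  if (statement.notStatement?.statement) visit(statement.notStatement.statement);
  // A rate-based rule can narrow its scope with another full statement tree.
  if (statement.rateBasedStatement?.scopeDownStatement) {
    visit(statement.rateBasedStatement.scopeDownStatement);
  }
  return summary;
}

// True when CheckCapacity cannot be called as-is: the tree references sets whose
// ARNs only exist once those sets have been deployed.
function needsLocalWcuCalculation(statement: Statement): boolean {
  const refs = collectReferences(statement);
  return refs.ipSets.length + refs.regexPatternSets.length > 0;
}

// Constructed sample 1: the statement from the "orStatement within andStatement"
// issue above (label matches and negated regex matches, no set references).
const ISSUE_STATEMENT: Statement = {
  andStatement: { statements: [
    { orStatement: { statements: [
      { labelMatchStatement: { scope: "LABEL", key: "awswaf:managed:aws:core-rule-set:SizeRestrictions_Body" } },
      { labelMatchStatement: { scope: "LABEL", key: "awswaf:managed:aws:core-rule-set:CrossSiteScripting_Body" } },
    ] } },
    { orStatement: { statements: [
      { notStatement: { statement: { regexMatchStatement: {
        regexString: "(/oauth2/callback/saml|/api/ce/submit|/api/qualityprofiles/restore)",
        fieldToMatch: { uriPath: {} }, textTransformations: [{ priority: 0, type: "LOWERCASE" }] } } } },
      { notStatement: { statement: { regexMatchStatement: {
        regexString: "(POST)", fieldToMatch: { method: {} }, textTransformations: [{ priority: 0, type: "NONE" }] } } } },
    ] } },
  ] },
};

// Constructed sample 2: a rate-based rule whose scope-down tree hides an IPSet
// behind a notStatement, with a RegexPatternSet beside it. The ARNs are
// placeholders (account 123456789012, zero UUIDs), not real resources.
const SAMPLE_IPSET_ARN =
  "arn:aws:wafv2:us-east-1:123456789012:regional/ipset/allowlist/00000000-0000-0000-0000-000000000000";
const SAMPLE_REGEX_ARN =
  "arn:aws:wafv2:us-east-1:123456789012:regional/regexpatternset/paths/00000000-0000-0000-0000-000000000000";
const RATE_LIMIT_STATEMENT: Statement = {
  rateBasedStatement: { limit: 1000, aggregateKeyType: "IP", scopeDownStatement: {
    andStatement: { statements: [
      { notStatement: { statement: { ipSetReferenceStatement: { arn: SAMPLE_IPSET_ARN } } } },
      { regexPatternSetReferenceStatement: { arn: SAMPLE_REGEX_ARN, fieldToMatch: { uriPath: {} },
        textTransformations: [{ priority: 0, type: "NONE" }] } },
    ] },
  } },
};
```

Run collectReferences on each rule's statement before calling CheckCapacity: when needsLocalWcuCalculation is true the tool must either create the sets first or cost the rule without the API, which is the workaround the notStatement issue asks for. The depth value is a cheap way to assert that a generated tree stays within the WAF nesting quota before the deployment fails on it.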

add optional Alarming

We would like to use Chatbot to enable alarming for specific metrics; whenever they reach a threshold, we would like to get a notification in Teams or Slack.

🎉 Add Athena Table to Prerequisite stack for FMS Logs

Describe the feature you'd like
We would like to add a table to the prerequisite stack for the FMS S3 logs in Athena using partition projection.
Because AWS WAF logs have a known structure whose partition scheme you can specify in advance, you can reduce query runtime and automate partition management by using the Athena partition projection feature. Partition projection automatically adds new partitions as new data is added.

🎉 FEATURE: Add waf testing to prerequisite stack

Describe the feature you'd like
Instead of doing the waf test locally, it would be nice to put the waf testing into a lambda function which will be automatically invoked after a waf with testing enabled was updated. The reports can be saved into an s3 bucket.

Error while bootstrapping CDK in app folder: "ENOENT: no such file or directory, open 'cdk.out/manifest.json'"

Hi,

I tried the simplest way for bootstrapping the CDK in my AWS env, but it is failing due to not finding the cdk.out/manifest.json file:

[screenshot]

I'm going to have to bootstrap the CDK manually with a CloudFormation template, but it is full of parameters that I don't understand fully, so I'm going to have to experiment and see if it works for this repo.

What do you think about adding the cdk.out/manifest.json file to the repo? It would make the bootstrapping process way easier for those of us that aren't that experienced in working with AWS.

Below are the parameters for bootstrapping CDK with a CloudFormation file. I'll try it out, but if you could help me with this, for example, by saying which minimum permissions and parameters are strictly required, it'll help me a lot.

[screenshots]

🪲 BUG:

Describe the bug
A clear and concise description of what the bug is.

How to reproduce it
Steps to reproduce the behaviour.

Expected behaviour
A clear and concise description of what you expect to happen.

Please fill in the following information about the solution:

  • Version: [e.g. 3.3.1].
  • Region: [e.g. us-east-1].
  • Has the solution been modified from the version posted to this repository?
  • If yes, are the changes available on GitHub?

Screenshots.
If applicable, add screenshots to help explain your problem (please do NOT include sensitive information).

Additional context
Add any other context to the issue here.
