Update to version v4.0.6 #276

Merged
merged 1 commit into from
Dec 17, 2024
26 changes: 15 additions & 11 deletions CHANGELOG.md
Expand Up @@ -4,6 +4,16 @@ All notable changes to this project will be documented in this file.
The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).

## [4.0.6] - 2024-12-17

### Changed

- Update the lambda to python 3.12

### Fixed

- Added a check for payload for logging before sanitizing and logging [Github issue 274](https://github.com/aws-solutions/aws-waf-security-automations/issues/274)

## [4.0.5] - 2024-10-24

### Changed
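Review bot: The 4.0.6 "Changed" entry "Update the lambda to python 3.12" understates the scope of this PR: the templates bump the runtime of every Lambda function (nine resources in aws-waf-security-automations.template plus the timer function in the web ACL template), so phrase it as "Update all Lambda functions to the Python 3.12 runtime". The "Fixed" entry would also tell readers more as "Check that the request payload exists before sanitizing and logging it (GitHub issue 274)" rather than "Added a check for payload for logging before sanitizing and logging".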
Expand All @@ -15,13 +25,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
## [4.0.4] - 2024-09-23

### Fixed
- Patched dependency version of `requests` to `2.32.3` to mitigate [CVE-2024-3651](https://nvd.nist.gov/vuln/detail/CVE-2024-3651)
- Pinned all dependencies to specific versions for reproducable builds and enable security scanning
- Allow to install latest version of `urllib3` as transitive dependency

## [4.0.4] - 2024-09-23

### Fixed
- Patched dependency version of `requests` to `2.32.3` to mitigate [CVE-2024-3651](https://nvd.nist.gov/vuln/detail/CVE-2024-3651)
- Pinned all dependencies to specific versions for reproducable builds and enable security scanning
- Allow to install latest version of `urllib3` as transitive dependency
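Review bot: Since this hunk already edits the 4.0.4 entry to drop the duplicated block, fix the typo in the retained lines as well: "reproducable" should be "reproducible", and "Allow to install latest version" reads better as "Allow installing the latest version".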
Expand Down Expand Up @@ -53,7 +57,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
- Added support for 10 new AWS Managed Rules rule groups (AMR)
- Added support for country and URI configurations in HTTP Flood Athena log parser
- Added support for user-defined S3 prefix for application access log bucket
- Added support for CloudWatch log retention period configuration
- Added support for CloudWatch log retention period configuration
- Added support for multiple solution deployments in the same account and region
- Added support for exporting CloudFormation stack output values
- Replaced the hard coded amazonaws.com with {AWS::URLSuffix} in BadBotHoneypot API endpoint
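Review bot: The only change in this hunk replaces the "Added support for CloudWatch log retention period configuration" line with a visually identical one, so it is a whitespace-only edit (trailing space or line ending); the same happens to the "sensitivity level for SQL injection rule" line further down. Harmless, but mention it in the commit message so it is not mistaken for a content change.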
Expand Down Expand Up @@ -94,9 +98,9 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
### Added

- Added support for configuring oversize handling for requests components
- Added support for configuring sensitivity level for SQL injection rule
- Added support for configuring sensitivity level for SQL injection rule

## [3.2] - 2021-09-22
## [3.2.0] - 2021-09-22

### Added

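Review bot: Renaming [3.2] to [3.2.0] (and [3.1], [3.0] below) brings these headings in line with the MAJOR.MINOR.PATCH form that the Semantic Versioning link at the top of the file requires; good. Check that the corresponding release tags use the same three-part names so the headings can be matched to tags.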
Expand All @@ -106,15 +110,15 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0

- Bug fixes

## [3.1] - 2020-10-22
## [3.1.0] - 2020-10-22

### Changed

- Replaced s3 path-style with virtual-hosted style
- Added partition variable to all ARNs
- Updated bug report

## [3.0] - 2020-07-08
## [3.0.0] - 2020-07-08

### Added

86 changes: 46 additions & 40 deletions NOTICE.txt
Expand Up @@ -10,45 +10,51 @@ specific language governing permissions and limitations under the License.
**********************
THIRD PARTY COMPONENTS
**********************

This software includes third party software subject to the following copyrights:

freezegun under the Apache Software License
boto3 under the Apache Software License
botocore under the Apache Software License
Mock under the BDS License
moto under the Apache Software License
pytest under the MIT License
pytest-mock under the MIT License
pytest-cov under the MIT License
pytest-env under the MIT License
pyparsing under the MIT License
pytest-runner under the MIT License
uuid under the MIT License
backoff under the MIT License
requests under the Apache Software License
certifi under the Mozilla Public License
charset_normalizer under the Apache Software License
python-dateutil under the Apache Software License and BSD License
inda under the BSD License
urllib3 under the MIT License
jmespath under the MIT License
s3transfer under the Apache Software License
cryptography under the Apache Software License and BSD License
Werkzeug under the BSD-3-Clause
xmltodict under the MIT License
responses under the Apache-2.0
Jinja2 under the BSD License
pycparser under the BSD License
pyyaml under the MIT License
attrs under the MIT License
pluggy under the MIT License
iniconfig under the MIT License
exceptiongroup under the MIT License
packaging under the Apache Software License and BSD License
tomli under the MIT License
coverage under the Apache Software License
cffi under the MIT License
six under the MIT License
types-PyYAML under the Apache Software License
MarkupSafe under the BSD-3-Clause
typing_extensions under the PSF License and BSD License
aws-lambda-powertools under the MIT license.
backoff under the MIT license.
boto3 under the Apache-2.0 license.
botocore under the Apache-2.0 license.
certifi under the MPL-2.0 license.
cffi under the MIT license.
charset-normalizer under the MIT license.
colorama under the 0BSD license.
coverage under the Apache-2.0 license.
cryptography under the Apache-2.0 license.
idna under the 0BSD license.
iniconfig under the MIT license.
jinja2 under the 0BSD license.
jmespath under the MIT license.
markupsafe under the 0BSD license.
moto under the Apache-2.0 license.
packaging under the Apache-2.0 license.
pluggy under the MIT license.
pycparser under the 0BSD license.
pytest under the MIT license.
pytest-cov under the MIT license.
pytest-env under the MIT license.
pytest-mock under the MIT license.
pytest-runner under the MIT license.
python-dateutil under the Apache-2.0 license.
pyyaml under the MIT license.
requests under the Apache-2.0 license.
responses under the Apache-2.0 license.
s3transfer under the Apache-2.0 license.
six under the MIT license.
typing-extensions under the PSF-2.0 license.
urllib3 under the MIT license.
werkzeug under the 0BSD license.
xmltodict under the MIT license.
freezegun under the Apache-2.0 license.
pyparsing under the MIT license.

********************
OPEN SOURCE LICENSES
********************

0BSD - https://spdx.org/licenses/0BSD.html
Apache-2.0 - https://spdx.org/licenses/Apache-2.0.html
MPL-2.0 - https://spdx.org/licenses/MPL-2.0.html
PSF-2.0 - https://spdx.org/licenses/PSF-2.0.html
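Review bot: Several license attributions change silently in the new list and should be checked against the package metadata before merging: jinja2, markupsafe, werkzeug, pycparser, idna and colorama are now listed under 0BSD, whereas the removed lines attributed Jinja2, pycparser and idna to the BSD License and MarkupSafe and Werkzeug to BSD-3-Clause. 0BSD is a distinct license that carries no attribution requirement, so labelling a BSD-3-Clause package as 0BSD drops a notice obligation. charset-normalizer also moves from Apache to MIT. Separately, the new OPEN SOURCE LICENSES section lists 0BSD, Apache-2.0, MPL-2.0 and PSF-2.0 but omits MIT, which most of the entries cite, and freezegun and pyparsing are appended after xmltodict instead of in alphabetical order.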
31 changes: 13 additions & 18 deletions README.md
Expand Up @@ -14,7 +14,7 @@
- [File Structure](#file-structure)
- [License](#license)

<a name="solution-overview"></a>
---

# Solution overview

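Review bot: Dropping the explicit `<a name="solution-overview"></a>` anchors makes the table of contents (`#file-structure`, `#license` above) depend on GitHub's auto-generated heading slugs. That works for these headings, but the `<a name="Collection of operational metrics">` anchor removed later in this file contained spaces and never matched a heading slug, so verify each TOC link once against the rendered page after this change.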
Expand All @@ -26,14 +26,11 @@ You can install this solution in your AWS accounts by launching the provided AWS

For a detailed solution implementation guide, refer to Solution Landing Page [Security Automations for AWS WAF](https://aws.amazon.com/solutions/implementations/security-automations-for-aws-waf).

<a name="architecture-diagram"></a>
---

# Architecture diagram

<p align="center">
<img src="source/image/architecture_diagram.png">
<br/>
</p>
![Diagram](source/image/architecture_diagram.png)

*Security Automations for AWS WAF architecture*

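Review bot: The new Markdown image uses the generic alt text "Diagram". Since the caption below already names it, use alt text such as "Security Automations for AWS WAF architecture" so screen readers and text-only renderings carry the same information the centered `<img>` block conveyed.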
Expand All @@ -49,18 +46,17 @@ The components of this solution can be grouped into the following areas of prote
* **IP Reputation Lists (H)** – This component is the IP Lists Parser Lambda function that checks third-party IP reputation lists hourly for new ranges to block. These lists include the Spamhaus Don’t Route Or Peer (DROP) and Extended DROP (EDROP) lists, the Proofpoint Emerging Threats IP list, and the Tor exit node list.
* **Bad Bot (I)** – This component automatically sets up a honeypot, which is a security mechanism intended to lure and deflect an attempted attack.

<a name="customizing-the-solution"></a>
---


# Customizing the solution

<a name="prerequisites-for-customization"></a>

## Prerequisites for customization

- [AWS Command Line Interface](https://aws.amazon.com/cli/)
- Python 3.10

<a name="build"></a>
- Python 3.12
- Poetry

## Build

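Review bot: Prerequisites now list Poetry next to Python 3.12, but the Build section visible in this diff only runs build-s3-dist.sh; add the Poetry step the build expects (for example where dependencies are installed), otherwise a new contributor cannot tell where Poetry is used. The hunk also leaves two blank lines between the `---` rule and `# Customizing the solution`, while the other rules in this file are followed by one.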
Expand Down Expand Up @@ -120,7 +116,6 @@ cd <rootDir>/deployment
chmod +x ./build-s3-dist.sh && ./build-s3-dist.sh $TEMPLATE_OUTPUT_BUCKET $DIST_OUTPUT_BUCKET $SOLUTION_NAME $VERSION
```

<a name="upload-deployment-assets"></a>

## Upload deployment assets

Expand All @@ -131,7 +126,6 @@ aws s3 cp ./deployment/regional-s3-assets s3://$DIST_OUTPUT_BUCKET-$AWS_REGION/$

**Note:** You must use a proper ACL and profile for the copy operation as applicable. Using randomized bucket names is recommended.

<a name="deploy"></a>

## Deploy

Expand All @@ -140,13 +134,13 @@ aws s3 cp ./deployment/regional-s3-assets s3://$DIST_OUTPUT_BUCKET-$AWS_REGION/$

**Note:** When deploying the template for your CloudFront endpoint, you can launch it only from the `us-east-1` Region.

<a name="file-structure"></a>
---

# File structure

This project consists of microservices that facilitate the functional areas of the solution. These microservices are deployed to a serverless environment in AWS Lambda.

<pre>
```
|-deployment/ [folder containing templates and build scripts]
|-source/
|-access_handler/ [microservice for processing bad bots honeypot endpoint access. This AWS Lambda function intercepts the suspicious request and adds the source IP address to the AWS WAF block list]
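Review bot: Replacing `<pre>` with a triple-backtick fence is the right move, but the fence has no info string; since the content is a directory tree, use ```text so renderers do not apply heuristic syntax highlighting to the `|-` lines and bracketed descriptions.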
Expand All @@ -158,15 +152,16 @@ This project consists of microservices that facilitate the functional areas of t
|-log_parser/ [microservice for processing access logs searching for suspicious behavior and add the corresponding source IP addresses to an AWS WAF block list]
|-reputation_lists_parser/ [microservice for processing third-party IP reputation lists and add malicious IP addresses to an AWS WAF block list]
|-timer/ [creates a sleep function for cloudformation to pace the creation of ip_sets]
</pre>
```

<a name="Collection of operational metrics"></a>
---

# Collection of operational metrics

This solution collects anonymized operational metrics to help AWS improve the quality and features of the solution. For more information, including how to disable this capability, please see the [implementation guide](https://docs.aws.amazon.com/solutions/latest/security-automations-for-aws-waf/reference.html).

<a name="license"></a>

---

# License

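Review bot: After removing the `<a name="license"></a>` anchor, an extra blank line is added before the `---` rule, leaving two blank lines where the other sections have one; collapse it for consistency.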
17 changes: 9 additions & 8 deletions SECURITY.md
@@ -1,8 +1,9 @@
Reporting Security Issues
-------------------------------------------------------------------------------------------------------------------------------------------------
We take all security reports seriously. When we receive such reports, we will investigate and
subsequently address any potential vulnerabilities as quickly as possible. If you discover a potential
security issue in this project, please notify AWS/Amazon Security via
our [vulnerability reporting page](http://aws.amazon.com/security/vulnerability-reporting/) or
directly via email to [AWS Security](mailto:aws-security@amazon.com). Please do not create a public GitHub issue in this
project.
## Reporting Security Issues

We take all security reports seriously. When we receive such reports,
we will investigate and subsequently address any potential vulnerabilities as
quickly as possible. If you discover a potential security issue in this project,
please notify AWS/Amazon Security via our [vulnerability reporting page]
(http://aws.amazon.com/security/vulnerability-reporting/) or directly via email
to [AWS Security](mailto:aws-security@amazon.com).
Please do *not* create a public GitHub issue in this project.
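Review bot: Reflowing the paragraph breaks the Markdown link: `[vulnerability reporting page]` now ends one line and `(http://aws.amazon.com/security/vulnerability-reporting/)` starts the next, and CommonMark requires the `(` to follow `]` immediately, so this renders as literal bracketed text followed by a bare URL instead of a link. Keep `[vulnerability reporting page](http://aws.amazon.com/security/vulnerability-reporting/)` on one line, and while touching it, use https:// for a page that tells reporters where to send vulnerability details.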
2 changes: 1 addition & 1 deletion deployment/aws-waf-security-automations-webacl.template
Expand Up @@ -430,7 +430,7 @@ Resources:
Code:
S3Bucket: !Join ['-', [!FindInMap ["SourceCode", "General", "SourceBucket"], !Ref 'AWS::Region']]
S3Key: !Join ['/', [!FindInMap ["SourceCode", "General", "KeyPrefix"], 'timer.zip']]
Runtime: python3.10
Runtime: python3.12
MemorySize: 128
Timeout: 300
Environment:
18 changes: 9 additions & 9 deletions deployment/aws-waf-security-automations.template
Expand Up @@ -1472,7 +1472,7 @@ Resources:
LOG_LEVEL: !FindInMap ["Solution", "Data", "LogLevel"]
SCOPE: !If [AlbEndpoint, 'REGIONAL', 'CLOUDFRONT']
USER_AGENT_EXTRA: !FindInMap [Solution, UserAgent, UserAgentExtra]
Runtime: python3.10
Runtime: python3.12
MemorySize: 128
Timeout: 300
Metadata:
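Review bot: The `Runtime: python3.10` to `python3.12` bump is repeated as a literal in nine Lambda resources in this template and once more for the timer function in the web ACL template; consider hoisting the runtime into the existing `Solution` Mappings, which the same resources already read through `!FindInMap` for `LogLevel` and `UserAgentExtra`, so the next runtime upgrade is a single edit. Before merging, also confirm the deployment zips referenced by `S3Key` (reputation_lists_parser.zip, timer.zip and the rest) were rebuilt against 3.12: the CHANGELOG's 4.0.4 entry says all dependencies are pinned, and packages listed in NOTICE.txt such as cryptography and cffi ship compiled wheels that are specific to the interpreter version, so a zip built for 3.10 will fail to import under the new runtime.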
Expand Down Expand Up @@ -1798,7 +1798,7 @@ Resources:
METRICS_URL: !FindInMap [Solution, Data, MetricsURL]
USER_AGENT_EXTRA: !FindInMap [Solution, UserAgent, UserAgentExtra]
Version: "%VERSION%"
Runtime: python3.10
Runtime: python3.12
MemorySize: 512
Timeout: 300
Metadata:
Expand Down Expand Up @@ -1830,7 +1830,7 @@ Resources:
KEEP_ORIGINAL_DATA: !Ref KeepDataInOriginalS3Location
ENDPOINT: !Ref EndpointType
USER_AGENT_EXTRA: !FindInMap [Solution, UserAgent, UserAgentExtra]
Runtime: python3.10
Runtime: python3.12
MemorySize: 512
Timeout: 300
Metadata:
Expand Down Expand Up @@ -1859,7 +1859,7 @@ Resources:
Variables:
LOG_LEVEL: !FindInMap ["Solution", "Data", "LogLevel"]
USER_AGENT_EXTRA: !FindInMap [Solution, UserAgent, UserAgentExtra]
Runtime: python3.10
Runtime: python3.12
MemorySize: 512
Timeout: 300
Metadata:
Expand Down Expand Up @@ -1892,7 +1892,7 @@ Resources:
IP_RETENTION_PERIOD_DENIED_MINUTE: !Ref IPRetentionPeriodDeniedParam
REMOVE_EXPIRED_IP_LAMBDA_ROLE_NAME: !Ref LambdaRoleRemoveExpiredIP
USER_AGENT_EXTRA: !FindInMap [Solution, UserAgent, UserAgentExtra]
Runtime: python3.10
Runtime: python3.12
MemorySize: 128
Timeout: 300
Metadata:
Expand Down Expand Up @@ -1925,7 +1925,7 @@ Resources:
METRICS_URL: !FindInMap [Solution, Data, MetricsURL]
USER_AGENT_EXTRA: !FindInMap [Solution, UserAgent, UserAgentExtra]
Version: "%VERSION%"
Runtime: python3.10
Runtime: python3.12
MemorySize: 512
Timeout: 300
Metadata:
Expand Down Expand Up @@ -2107,7 +2107,7 @@ Resources:
Code:
S3Bucket: !Join ['-', [!FindInMap ["SourceCode", "General", "SourceBucket"], !Ref 'AWS::Region']]
S3Key: !Join ['/', [!FindInMap ["SourceCode", "General", "KeyPrefix"], 'reputation_lists_parser.zip']]
Runtime: python3.10
Runtime: python3.12
MemorySize: 512
Timeout: 300
Environment:
Expand Down Expand Up @@ -2215,7 +2215,7 @@ Resources:
STACK_NAME: !Ref 'AWS::StackName'
USER_AGENT_EXTRA: !FindInMap [Solution, UserAgent, UserAgentExtra]
Version: "%VERSION%"
Runtime: python3.10
Runtime: python3.12
MemorySize: 128
Timeout: 300
Metadata:
Expand Down Expand Up @@ -2409,7 +2409,7 @@ Resources:
USER_AGENT_EXTRA: !FindInMap [Solution, UserAgent, UserAgentExtra]
Version: "%VERSION%"
UUID: !GetAtt CreateUniqueID.UUID
Runtime: python3.10
Runtime: python3.12
MemorySize: 128
Timeout: 300
Metadata: