Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat(cloudfront): support WAF security protections #32021

Open
wants to merge 8 commits into
base: main
Choose a base branch
from
Open

feat(cloudfront): support WAF security protections #32021

wants to merge 8 commits into from

Conversation

phuhung273
Copy link
Contributor

@phuhung273 phuhung273 commented Nov 5, 2024
edited
Loading

Issue # (if applicable)

Closes #31737

Reason for this change

  • Support WAF one-click security protections

Description of changes

  • Add enableWafCoreProtections boolean to use default WAF security option

Description of how you validated changes

Checklist

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

@aws-cdk-automation aws-cdk-automation requested a review from a team November 5, 2024 09:06
@github-actions github-actions bot added effort/medium Medium work item – several days of effort feature-request A feature should be added or improved. p2 labels Nov 5, 2024
@phuhung273 phuhung273 marked this pull request as draft November 5, 2024 09:06
@github-actions github-actions bot added the beginning-contributor [Pilot] contributed between 0-2 PRs to the CDK label Nov 5, 2024
aws-cdk-automation
aws-cdk-automation previously requested changes Nov 5, 2024
View reviewed changes
Copy link
Collaborator

@aws-cdk-automation aws-cdk-automation left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The pull request linter has failed. See the aws-cdk-automation comment below for failure reasons. If you believe this pull request should receive an exemption, please comment and provide a justification.

A comment requesting an exemption should contain the text Exemption Request. Additionally, if clarification is needed add Clarification Request to a comment.

@phuhung273 phuhung273 force-pushed the cloudfront-enable-waf branch from c6c0cda to 48b4c10 Compare November 9, 2024 17:19
@phuhung273 phuhung273 marked this pull request as ready for review November 9, 2024 17:19
@phuhung273 phuhung273 changed the title feat(cloudfront): Support WAF security protections feat(cloudfront): support WAF security protections Nov 9, 2024
@aws-cdk-automation aws-cdk-automation dismissed their stale review November 9, 2024 17:26

✅ Updated pull request passes all PRLinter validations. Dismissing previous PRLinter review.

@aws-cdk-automation aws-cdk-automation added the pr/needs-community-review This PR needs a review from a Trusted Community Member or Core Team Member. label Nov 9, 2024
@gshpychka
Copy link
Contributor

Doesn't the WebACL have to be deployed in us-east-1?

@phuhung273
Copy link
Contributor Author

Doesn't the WebACL have to be deployed in us-east-1?

Yes of course for CloudFront. According to https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-wafv2-webacl.html

image

@gshpychka
Copy link
Contributor

So what happens if the distribution isn't in us-east-1?

@phuhung273
Copy link
Contributor Author

So what happens if the distribution isn't in us-east-1?

I believe there is no region config for CloudFront Distribution as it is a global resource https://repost.aws/questions/QUM6TvAnMOQ8q8Ej_0-rh_pw/is-cloudfront-works-only-in-virginia-region-us-east-1#AN3zwt4flvSRiXuPaQNWDHKg

@gshpychka
Copy link
Contributor

So what happens if the distribution isn't in us-east-1?

I believe there is no region config for CloudFront Distribution as it is a global resource https://repost.aws/questions/QUM6TvAnMOQ8q8Ej_0-rh_pw/is-cloudfront-works-only-in-virginia-region-us-east-1#AN3zwt4flvSRiXuPaQNWDHKg

I meant what happens if a user sets enableWafCoreProtections to true while deploying the stack to a region that's not us-east-1

@phuhung273
Copy link
Contributor Author

So what happens if the distribution isn't in us-east-1?

I believe there is no region config for CloudFront Distribution as it is a global resource https://repost.aws/questions/QUM6TvAnMOQ8q8Ej_0-rh_pw/is-cloudfront-works-only-in-virginia-region-us-east-1#AN3zwt4flvSRiXuPaQNWDHKg

I meant what happens if a user sets enableWafCoreProtections to true while deploying the stack to a region that's not us-east-1

Ok got your point now, in that case every other components in the stack will be provisioned in selected region. But the CloudFront Distribution will always be in global scope.

But if we want to associate an ACM certificate to the Distribution, this ACM certificate is required to stay in us-east-1.

@gshpychka
Copy link
Contributor

So what happens if the distribution isn't in us-east-1?

I believe there is no region config for CloudFront Distribution as it is a global resource https://repost.aws/questions/QUM6TvAnMOQ8q8Ej_0-rh_pw/is-cloudfront-works-only-in-virginia-region-us-east-1#AN3zwt4flvSRiXuPaQNWDHKg

I meant what happens if a user sets enableWafCoreProtections to true while deploying the stack to a region that's not us-east-1

Ok got your point now, in that case every other components in the stack will be provisioned in selected region. But the CloudFront Distribution will always be in global scope.

But if we want to associate an ACM certificate to the Distribution, this ACM certificate is required to stay in us-east-1.

Wouldn't it try to deploy the CfnWebACL in the selected region and fail, since it can only be deployed in us-east-1?

@phuhung273
Copy link
Contributor Author

Wouldn't it try to deploy the CfnWebACL in the selected region and fail, since it can only be deployed in us-east-1?

No, the CfnWebACL wont fail. With scope=CloudFront, it goes to Global. We can check it at WAF > WebACLs

image

@phuhung273
Copy link
Contributor Author

@gshpychka youre rite, lemme have a test deploying entire stack to another region

@phuhung273 phuhung273 force-pushed the cloudfront-enable-waf branch from 48b4c10 to 6fe8d5e Compare November 19, 2024 15:09
@phuhung273
Copy link
Contributor Author

Wouldn't it try to deploy the CfnWebACL in the selected region and fail, since it can only be deployed in us-east-1?

Thanks so much for pointing that out. You're absolutely right. Confirm that enableWafCoreProtections fail to deploy if used outside of us-east-1 .

Looking through Issues, found this similar one #6242.

Added validation to ensure new flag cannot be used outside us-east-1

@gracelu0 gracelu0 added the needs-security-review Related to feature or issues that needs security review label Nov 20, 2024
@aws-cdk-automation
Copy link
Collaborator

AWS CodeBuild CI Report

  • CodeBuild project: AutoBuildv2Project1C6BFA3F-wQm2hXv2jqQv
  • Commit ID: 79a5f29
  • Result: SUCCEEDED
  • Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

@github-actions github-actions bot mentioned this pull request Dec 1, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@aws-cdk-automation aws-cdk-automation aws-cdk-automation left review comments

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
beginning-contributor [Pilot] contributed between 0-2 PRs to the CDK effort/medium Medium work item – several days of effort feature-request A feature should be added or improved. needs-security-review Related to feature or issues that needs security review p2 pr/needs-community-review This PR needs a review from a Trusted Community Member or Core Team Member.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

aws_cloudfront: add support for one-click security protections to Distribution
4 participants
@phuhung273 @gshpychka @aws-cdk-automation @gracelu0