Skip to content

Commit

Permalink
Merge pull request #178 from goyertp/master
Browse files Browse the repository at this point in the history
Update aws-firewall-factory 4.1.0
  • Loading branch information
daknhh authored Sep 19, 2023
2 parents f05bec2 + 704846f commit d5404d0
Show file tree
Hide file tree
Showing 17 changed files with 491 additions and 256 deletions.
62 changes: 33 additions & 29 deletions .eslintrc
Original file line number Diff line number Diff line change
Expand Up @@ -7,36 +7,40 @@
"extends": [
"eslint:recommended",
"plugin:@typescript-eslint/eslint-recommended",
"plugin:@typescript-eslint/recommended",
"plugin:@typescript-eslint/recommended-requiring-type-checking"
"plugin:@typescript-eslint/recommended"
],
"parserOptions": {
"project": true
},
"rules": {
"semi": ["error", "always"],
"indent": ["error", 2, { "SwitchCase": 1 }],
"semi": [2, "always"],
"eqeqeq": 2,
"indent": [2, 2, {"SwitchCase": 1}],
"quotes": ["error", "double"],
"@typescript-eslint/naming-convention": [
"error",
{
"selector": ["variableLike", "method"],
"format": ["strictCamelCase"]
},
{
"selector": ["variable"],
"format": ["UPPER_CASE"],
"modifiers": ["const","global"],
"types": ["array", "boolean", "number", "string"]
},
{
"selector": ["class","interface","enum", "typeParameter", "typeAlias"],
"format": ["StrictPascalCase"]
},
{
"selector": ["enumMember"],
"format": ["UPPER_CASE"]
}
]
"linebreak-style": "off",
"array-bracket-newline": "off",
"array-bracket-spacing": ["error", "never"],
"no-trailing-spaces": "off",
"padded-blocks": "off",
"arrow-body-style": "off",
"init-declarations": "off",
"comma-dangle": "off",
"keyword-spacing": [0, {"before": true, "after": true, "overrides": null}],
"prefer-template": "off",
"id-blacklist": "off",
"no-console": "off",
"no-sync": "off",
"complexity": "off",
"max-statements": "off",
"array-element-newline": "off",
"object-curly-spacing": "off",
"template-curly-spacing": "off",
"camelcase": "off",
"no-use-before-define": "off",
"id-length": "off",
"id-match": "off",
"max-len": "off",
"no-magic-numbers": "off",
"no-underscore-dangle": "off",
"no-process-env": "off",
"func-style": ["error", "declaration", { "allowArrowFunctions": true }],
"no-useless-escape": "off"
}
}
}
20 changes: 20 additions & 0 deletions CHANGELOG.md
Original file line number Diff line number Diff line change
@@ -1,7 +1,27 @@
# Change Log

## Released
## 4.1.0

### Added
- This update presents a new feature that centralizes the management of RegexPatternSet. With this improvement, manual updates of regexpatternset across multiple AWS accounts are no longer necessary.
Users can now define the feature in code and replicate it for use by WAF rules wherever applicable.
- Additionally, cdk destroy has been included in the taskfile.
- Furthermore, we have modified several enums to enhance their ease of with previous versions: use while maintaining downward compatibility, such as
- WebAclScope
- AwsManagedRules
- ManagedRuleGroupVendor
- CustomResponseBodiesContentType
- WebAclTypeEnum
- uuidFirewallFactoryResourceIdentitfier: Introducing a firewall identifier UUID that will be utilized for resource names in AWS.

### Fixed
- Capacity and version information for Managed Rule Groups are now optional. We calculate the capacity on the fly, so specifying capacity is unnecessary. If no version is provided, we will retrieve the latest version for the Managed Rule Group using the API.
- DeliveryStreamName not checked - Erroneous if exceeding 64 character limit [source](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-kinesisfirehose-deliverystream.html#cfn-kinesisfirehose-deliverystream-deliverystreamname).
- Fixed nonfunctional documentation links.

### Removed
- Export names from CloudFormation stack outputs, as we rely on the stack name and output names from the particular CloudFormation stack to obtain the necessary information.
## 4.0.0
### Added
- A custom resource to retrieve the latest version of the ManagedRuleGroup and check if the specified version is valid.
Expand Down
34 changes: 34 additions & 0 deletions Deployment.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,34 @@
## 🛡️ Deployment

### ⚙️ Prerequisites
1. [Organizations trusted access with Firewall Manager](https://docs.aws.amazon.com/organizations/latest/userguide/services-that-can-integrate-fms.html)
2. [Taskfile](https://taskfile.dev/)
3. [AWS CDK](https://aws.amazon.com/cdk/)
4. [cfn-dia](https://www.npmjs.com/package/@mhlabs/cfn-diagram?s=03)
5. Invoke `npm i` to install dependencies
6. ⚠️ Before installing a stack to your aws account using aws cdk you need to prepare the account using a [cdk bootstrap](https://docs.aws.amazon.com/cdk/v2/guide/bootstrapping.html)

7. (Optional) If you want to use CloudWatch Dashboards - You need to enable your target accounts to share CloudWatch data with the central security account follow [this](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/Cross-Account-Cross-Region.html#enable-cross-account-cross-Region) to see how to do it.
8. Assume AWS Profile `awsume PROFILENAME`
9. (Optional) Enter `task generateprerequisitesconfig`

| Parameter | Value |
| ------------- | ------------- |
| Prefix | Prefix for all Resources |
| BucketName [^1] | Name of the S3 Bucket |
| KmsEncryptionKey | true or false |
| ObjectLock - Days [^1]| A period of Days for ObjectLock |
| ObjectLock - Mode [^1]| COMPLIANCE or GOVERNANCE |
| FireHoseKey - KeyAlias [^1] | Alias for Key |
| CrossAccountIdforPermissions [^1] | Id of AWS Account for CrossAccount Permission for Bucket and KMS Key(s)|

10. Enter `task deploy config=NAMEOFYOURCONFIGFILE prerequisite=true`


### 🏁 Deployment via Taskfile

1. Create new ts file for you WAF and configure Rules in the Configuration (see [owasptopten.ts](values/examples/owasptop10.ts) to see structure) or use enter `task generate-waf-skeleton`

2. Assume AWS Profile `awsume / assume PROFILENAME`
3. (Optional) Enter `task generate-waf-skeleton`
4. Enter `task deploy config=NAMEOFYOURCONFIGFILE`
80 changes: 80 additions & 0 deletions Features.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,80 @@
## 🧩 Features

1. Automated capactiy calculation via [API - CheckCapacity](https://docs.aws.amazon.com/waf/latest/APIReference/API_CheckCapacity.html)

2. Algorithm to split Rules into RuleGroups

3. Automated update of RuleGroup if capacity changed

4. Add [ManagedRuleGroups](https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-list.html) via configuration file

5. Automated generation of draw.io [diagram](https://app.diagrams.net/) for each WAF

6. Checking of the softlimit quota for [WCU](https://docs.aws.amazon.com/waf/latest/developerguide/how-aws-waf-works.html) set in the AWS account (stop deployment if calculated WCU is above the quota)

7. Easy configuration of WAF rules trough Typescript file.

8. Deploy same WAF more than once for testing and/or blue/green deployments.

9. Stopping deployment if soft limit will be exceeded: **Firewall Manager policies per organization per Region (L-0B28E140)** - **Maximum number of web ACL capacity units in a web ACL in WAF for regional (L-D9F31E8A)**

10. You can name your rules. If you define a name in your RulesArray, the name + a Base36 timestamp will be used for the creation of your rule - otherwise a name will be generated. This will help you to query your logs in Athena.

11. Support for Captcha - You can add Captcha as an action to your WAFs. This helps you block unwanted bot traffic by requiring users to successfully complete challenges before their web request are allowed to reach AWS WAF protected resources. AWS WAF Captcha is available in the US East (N. Virginia), US West (Oregon), Europe (Frankfurt), South America (Sao Paulo), and Asia Pacific (Singapore) AWS Regions and supports Application Load Balancer, Amazon API Gateway, and AWS AppSync resources.

12. Added S3LoggingBucketName to Configuration. You need to specify the S3 Bucket where logs should be placed in. We also added a prefix for the logs to be AWS conform (Prefix: AWSLogs/*AWS_ACCOUNTID*/FirewallManager/*AWS_REGION*/).

13. Added testing your WAF with [GoTestWAF](https://github.com/wallarm/gotestwaf). To be able to check your WAF we introduced the **SecuredDomain** parameter in the Configuration (which should be your domain) which will be checked using the WAF tool.

14. TaskFileParameters:

| Parameter | Value |
|--------------------|----------------------------------------------------------------------------------------------|
| SKIP_QUOTA_CHECK | true (Stop deployment if calculated WCU is above the quota) </br> false (Skipping WCU Check) |
| WAF_TEST | true (testing your waf with GoTestWAF) </br> false (Skipping WAF testing) |
| CREATE_DIAGRAM | true (generating a diagram using draw.io) </br> false (Skipping diagram generation) |
| PREQUISITES | true (deploys Prerequisites Stack) </br> false (deployment of WAF) |
| TOOL_KIT_STACKNAME | To Specify The name of the bootstrap stack ([see Bootstrapping your AWS environment](https://docs.aws.amazon.com/cdk/v2/guide/cli.html#cli-bootstrap)) |

15. Validation of your ConfigFile using schema validation - if you miss a required parameter in your config file the deployment will stop automatically and show you the missing path.

16. PreProcess- and PostProcessRuleGroups - you can decide now where the Custom or ManagedRules should be added to.

- New Structure see [example Configuration](./values/examples).

17. RuleLabels - A label is a string made up of a prefix, optional namespaces and a name. The components of a label are delimited with a colon. Labels have the following requirements and characteristics:

- Labels are case-sensitive.

- Each label namespace or label name can have up to 128 characters.

- You can specify up to five namespaces in a label.

- Components of a label are separated by a colon ( : ).

18. While Deployment the Price for your WAF will be calculated using the Pricing API

19. Dashboard - The Firewall Factory is able to provision a CloudWatch Dashboard per Firewall.
The Dashboard shows:
- Where the WAF is deployed to [AWS Region and Account(s)]
- Which resource type you are securing
- Which Managed Rule Groups in which version are in use
- Link to Managed Rule Groups documentation
- Direct Link to your secured Application / Endpoint
- AWS Firewall Factory version
- Check if the AWS Firewall Factory version is the latest or not during rollout
- Allowed / Blocked and Counted Requests
- Bot vs Non-bot Requests

See example:
![FirewallDashboard](./static/FirewallDashboard.jpg)

20. Example Configurations
1. Example WAF Configuration againts: [OWASP Top Ten](https://owasp.org/www-project-top-ten/)
2. Example Configuration for Prerequisite Stack
3. Function to generate Skeleton for WAF Configuration

21. Centralized IPSets management - No more we'll have to be manually updating ipsets across multiple AWS accounts, it can be defined in code and replicated for use by WAF rules everywhere its needed. Check the examples for defining ipsets and using them in the WebACLs on `values/examples/ip-sets-managed-test.ts`.

22. Centralized management of RegexPatternSets - No longer will there be a need for manual updates of RegexPatternSets across multiple AWS accounts. These can now be defined in code and replicated for use by WAF rules wherever needed.

Loading

0 comments on commit d5404d0

Please sign in to comment.