Releases: globaldatanet/aws-firewall-factory
4.6.0
Added
- Automated IP Set Management: The AutoUpdatedManagedIpSet feature now supports automated management of IP sets through AWS Firewall Factory.
- Easy Configuration: Simply provide a URL pointing to a JSON file and specify the key containing the CIDRs you want to include in your IP sets.
- Automated Scheduling: IP sets are updated based on a predefined schedule, ensuring up-to-date protection without manual intervention. The IP set will only be updated if new CIDRs are detected in the downloaded JSON file. If the file is empty or the CIDRs are unchanged, no update will occur.
- Rollback Support: The IP addresses of IP sets are stored in SSM Parameter Store, allowing for easy rollback to previous versions as needed.
- CloudWatch Monitoring: When a scheduled run updates an IP set, a metric named "ManagedIpSets" in the "AWS-Firewall-Factory" namespace is set to 1 for that specific IP set. This lets you configure a CloudWatch alarm for real-time notifications.
- Restructured Enums and Configuration Files: Improved code organization by separating and reorganizing enums and configuration settings into service- and stack-specific files. This restructuring enhances maintainability and simplifies dependency management. 🚨 Note: You will need to update the imports in your value files. 🚨
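The refresh decision described above, as an added TypeScript example that is not the project's own code: it takes the downloaded JSON text and the key that holds the CIDRs, validates every entry syntactically before it can reach an IP set, keeps only the address version the target IP set accepts (an IP set holds either IPv4 or IPv6), and reports whether the stored set actually changed, so an empty or unchanged feed produces no update. The key lookup walks the whole document for that key, the SAMPLE_FEED document and the "IpSetName" metric dimension are constructed for this example, and the HTTP download, the SSM Parameter Store read/write and the PutMetricData call are deliberately left out so it runs offline.

```typescript
// Added example, not project code: refresh logic for a URL-fed IP set.
type IpVersion = "IPV4" | "IPV6";

// Syntactic CIDR check so a tampered or malformed feed cannot push arbitrary
// strings into an IP set. Returns the address version, or null if invalid.
function cidrVersion(cidr: string): IpVersion | null {
  const m = /^([0-9.]+|[0-9a-fA-F:]+)\/(\d{1,3})$/.exec(cidr.trim());
  if (!m) return null;
  const addr = m[1] ?? "";
  const bits = Number(m[2] ?? "");
  if (addr.includes(":")) {
    // IPv6: at most one "::", at most 8 groups of 1-4 hex digits.
    const halves = addr.split("::");
    if (halves.length > 2) return null;
    const groups = addr.split(":").filter((g) => g.length > 0);
    if (groups.length > 8 || groups.some((g) => g.length > 4)) return null;
    if (halves.length === 1 && groups.length !== 8) return null;
    return bits <= 128 ? "IPV6" : null;
  }
  const octets = addr.split(".");
  if (octets.length !== 4) return null;
  if (octets.some((o) => !/^\d+$/.test(o) || Number(o) > 255)) return null;
  return bits <= 32 ? "IPV4" : null;
}

// Collect every string value stored under `key`, anywhere in the document
// (assumption: the feed may nest the CIDRs in arrays of objects, as
// ip-ranges style feeds do).
function collectByKey(node: unknown, key: string, out: string[] = []): string[] {
  if (Array.isArray(node)) {
    for (const item of node) collectByKey(item, key, out);
  } else if (node && typeof node === "object") {
    for (const [k, v] of Object.entries(node as Record<string, unknown>)) {
      if (k === key && typeof v === "string") out.push(v);
      else collectByKey(v, key, out);
    }
  }
  return out;
}

interface RefreshPlan {
  version: IpVersion;
  cidrs: string[];    // validated, deduplicated, sorted entries for this version
  rejected: string[]; // feed entries that failed the CIDR check
  changed: boolean;   // true only when a non-empty result differs from `previous`
}

// `previous` is what the last run stored (in the project: SSM Parameter Store).
function planRefresh(jsonText: string, key: string, version: IpVersion, previous: string[]): RefreshPlan {
  const doc: unknown = JSON.parse(jsonText);
  const rejected: string[] = [];
  const accepted = new Set<string>();
  for (const entry of collectByKey(doc, key)) {
    const v = cidrVersion(entry);
    if (v === null) rejected.push(entry);
    else if (v === version) accepted.add(entry.trim());
  }
  const cidrs = Array.from(accepted).sort();
  const prev = Array.from(new Set(previous)).sort();
  // An empty feed never wipes the existing set; unchanged content is a no-op.
  const changed = cidrs.length > 0 && JSON.stringify(cidrs) !== JSON.stringify(prev);
  return { version, cidrs, rejected, changed };
}

// Datum a scheduled run would publish. Metric and namespace names are the
// release's; the "IpSetName" dimension is an assumption of this example.
function metricDatum(ipSetName: string, plan: RefreshPlan) {
  return {
    Namespace: "AWS-Firewall-Factory",
    MetricName: "ManagedIpSets",
    Dimensions: [{ Name: "IpSetName", Value: ipSetName }],
    Value: plan.changed ? 1 : 0,
  };
}

// Constructed sample feed (documentation ranges only), including two bad entries.
const SAMPLE_FEED = JSON.stringify({
  syncToken: "1730000000",
  prefixes: [
    { ip_prefix: "192.0.2.0/24", service: "EXAMPLE" },
    { ip_prefix: "198.51.100.0/24", service: "EXAMPLE" },
    { ip_prefix: "203.0.113.0/24", service: "EXAMPLE" },
    { ip_prefix: "not-a-cidr", service: "EXAMPLE" },
    { ip_prefix: "10.0.0.0/33", service: "EXAMPLE" },
  ],
  ipv6_prefixes: [{ ipv6_prefix: "2001:db8::/32", service: "EXAMPLE" }],
});

const plan = planRefresh(SAMPLE_FEED, "ip_prefix", "IPV4", ["192.0.2.0/24"]);
console.log(plan, metricDatum("partner-allowlist", plan));
```

Because the comparison is done on the sorted, validated set, a feed that merely reorders its entries does not trigger a deployment, while a single rejected entry is surfaced in `rejected` rather than silently dropped, which is what you want to alarm on when an external feed starts serving garbage.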
Updated
- @aws-sdk/client-cloudfront: Updated from 3.637.0 to 3.682.0
- @aws-sdk/client-config-service: Updated from 3.637.0 to 3.682.0
- @aws-sdk/client-ec2: Updated from 3.641.0 to 3.682.0
- @aws-sdk/client-s3: Updated from 3.637.0 to 3.682.0
- @aws-sdk/client-secrets-manager: Updated from 3.637.0 to 3.682.0
- @aws-solutions-constructs/aws-eventbridge-stepfunctions: Updated from 2.65.0 to 2.74.0
- @babel/traverse: Updated from 7.25.6 to 7.25.9
- @slack/types: Updated from 2.12.0 to 2.14.0
- @types/aws-lambda: Updated from 8.10.143 to 8.10.145
- @types/lodash: Updated from 4.17.7 to 4.17.7
- @types/node: Updated from 22.5.0 to 22.8.4
- @typescript-eslint/eslint-plugin: Updated from 8.3.0 to 8.12.2
- @typescript-eslint/parser: Updated from 8.3.0 to 8.12.2
- @typescript-eslint/typescript-estree: Updated from 8.3.0 to 8.12.2
- adaptivecards: Updated from 3.0.4 to 3.0.4
- axios: Updated from 1.7.5 to 1.7.7
- cdk-sops-secrets: Updated from 1.13.1 to 1.13.4
- eslint: Updated from 8.57.0 to 8.57.1
- eslint-plugin-import: Updated from 2.29.1 to 2.31.0
- npm: Updated from 10.8.2 to 10.9.0
4.5.1
Added
- Renamed Type: Changed the type name WafConfig to wafConfig in the Config module to follow naming conventions and improve consistency across the codebase.
- Changed the ManagedRuleGroup interface to extend wafv2.CfnWebACL.ManagedRuleGroupStatementProperty.
- Changed the structure in lib and improved the documentation; extended the JSDoc with examples.
Fixed
- Corrected the regex pattern for IPSet descriptions to ensure accurate validation
- Fixed bug in the IPSet capacity check
- Bump aws-cdk: 2.148.0 to 2.154.1
- Bump aws-cdk-lib: ^2.148.0 to ^2.150.0
- Bump @aws-sdk/client-cloudformation: 3.606.0 to 3.637.0
- Bump @aws-sdk/client-cloudfront: ^3.606.0 to ^3.637.0
- Bump @aws-sdk/client-cloudwatch: 3.606.0 to 3.637.0
- Bump @aws-sdk/client-config-service: ^3.606.0 to ^3.637.0
- Bump @aws-sdk/client-ec2: ^3.606.0 to ^3.637.0
- Bump @aws-sdk/client-fms: 3.606.0 to 3.637.0
- Bump @aws-sdk/client-pricing: 3.606.0 to 3.637.0
- Bump @aws-sdk/client-s3: ^3.606.0 to ^3.637.0
- Bump @aws-sdk/client-secrets-manager: ^3.606.0 to ^3.637.0
- Bump @aws-sdk/client-service-quotas: 3.606.0 to 3.637.0
- Bump @aws-sdk/client-shield: 3.606.0 to 3.637.0
- Bump @aws-sdk/client-iam: 3.606.0 to 3.637.0
- Bump @aws-sdk/client-ssm: 3.606.0 to 3.637.0
- Bump @aws-sdk/client-wafv2: 3.606.0 to 3.637.0
- Bump @aws-solutions-constructs/aws-eventbridge-stepfunctions: ^2.60.0 to ^2.65.0
- Bump @babel/traverse: ^7.24.7 to ^7.25.4
- Bump @types/node: ^20.14.9 to ^22.5.0
- Bump @types/aws-lambda: ^8.10.140 to ^8.10.143
- Bump @types/lodash: 4.17.6 to 4.17.7
- Bump axios: ^1.7.2 to ^1.7.5
- Bump cdk-sops-secrets: ^1.12.0 to ^1.13.1
- Bump cfonts: ^3.2.0 to ^3.3.0
- Bump constructs: 10.2.0 to 10.3.0
- Bump lodash: 4.17.20 to 4.17.21
- Bump npm: 10.8.1 to 10.8.2
- Bump table: ^6.8.0 to ^6.8.2
- Bump i: ^0.3.6 to ^0.3.7
- Bump typedoc-plugin-extras: ^3.0.0 to ^3.1.0
- Bump uuid: ^10.0.0 to ^10.0.0
- Bump typescript: 5.4.5 to 5.5.4
- Bump ts-jest: 29.1.5 to 29.2.5
- Bump adaptivecards: 3.0.2 to 3.0.4
- Bump aws-lambda: ^1.0.6 to ^1.0.7
4.5.0
Added
- Added support for deploying Shield Advanced policies, including the ability to calculate pricing. AWS Shield Advanced provides customized detection based on traffic patterns to your protected resources, detects and alerts on smaller DDoS attacks, and identifies application layer attacks by baselining traffic and spotting anomalies.
For Shield Advanced policies, we have introduced an Advanced Shield stack with sample configurations.
Note: If you are deploying WAF in a CI/CD environment, make sure you set the environment variable STACK_NAME for the resource you want to deploy:
  export STACK_NAME=PreRequisiteStack   => _prerequisites-stack.ts
  export STACK_NAME=WAFStack            => _web-application-firewall-stack.ts
  export STACK_NAME=ShieldAdvancedStack => _shield-advanced-stack.ts
- Add Shield CloudWatch Dashboard: The Firewall Factory is able to provision a centralized CloudWatch Dashboard (see the example Shield Dashboard). The dashboard shows the number of DDoS attacks detected.
- Add CloudWatch Alarms: CloudWatch Alarms are now part of the prerequisite stack and can be used to trigger the SNS topics in case of a DDoS attack.
- Add Grafana Dashboarding: An AWS Glue crawler job, an Amazon Athena table and an Amazon Athena view to build a Managed Grafana dashboard that visualizes the events in near real time. This is an optional component in the Prerequisite Stack. The example Grafana Dashboard can be found here.
Note:
- You need to configure an Amazon Athena Data Source in Amazon Managed Grafana.
- An example Role template for Cross Account Access can be found here.
⚠️ You need to adjust the JSON and replace the uid with that of your grafana-athena-datasource while importing it into your Grafana.
Fixed
- Bump @aws-sdk/client-cloudformation to 3.606.0
- Bump @aws-sdk/client-cloudfront to 3.606.0
- Bump @aws-sdk/client-cloudwatch to 3.606.0
- Bump @aws-sdk/client-config-service to 3.606.0
- Bump @aws-sdk/client-ec2 to 3.606.0
- Bump @aws-sdk/client-fms to 3.606.0
- Bump @aws-sdk/client-pricing to 3.606.0
- Bump @aws-sdk/client-s3 to 3.606.0
- Bump @aws-sdk/client-iam to 3.606.0
- Bump @aws-sdk/client-secrets-manager to 3.606.0
- Bump @aws-sdk/client-service-quotas to 3.606.0
- Bump @aws-sdk/client-shield to 3.606.0
- Bump @aws-sdk/client-ssm to 3.606.0
- Bump @aws-sdk/client-wafv2 to 3.606.0
- Bump @aws-solutions-constructs/aws-eventbridge-stepfunctions to 2.60.0
- Bump @babel/traverse to 7.24.7
- Bump @mhlabs/cfn-diagram to 1.1.40
- Bump @slack/types to 2.12.0
- Bump @types/aws-lambda to 8.10.140
- Bump @types/lodash to 4.17.6
- Bump @types/uuid to 10.0.0
- Bump adaptivecards to 3.0.4
- Bump aws-cdk-lib to 2.148.0
- Bump axios to 1.7.2
- Bump cdk-sops-secrets to 1.12.0
- Bump cfonts to 3.3.0
- Bump npm to 10.8.1
- Bump table to 6.8.2
- Bump uuid to 10.0.0
- Bump @types/node to 20.14.9
- Bump @typescript-eslint/eslint-plugin to 7.14.1
- Bump @typescript-eslint/parser to 7.14.1
- Bump aws-cdk to 2.147.2
- Bump ts-jest to 29.1.5
4.3.1
Added
- Issue#365 UnutilizedWafs - Implemented automated identification of unused WAFs in Firewall Factory, with notifications sent via Lambda and the existing notification services, to address WAF sprawl proactively, reduce cost and keep resource utilization efficient.
- Added example IAM Role which can be used for ci-cd deployments
Fixed
- Issue#380 Fixes on the CloudWatch dashboard.
- Restructured Lambda code with shared components to reduce code duplication
- Using cdk-sops-secrets now for all webhooks - see WebHookSecretDefinition:
    {
      WebhookUrl: string
      Messenger: "Slack" | "Teams"
    }
- Added the missing optional Lambda function to the prerequisite stack that sends notifications about potential DDoS activity for protected resources to messengers (Slack/Teams) - [AWS Shield Advanced] - this was lost while migrating the lambdas from Python to TypeScript
- Bump @aws-sdk/client-cloudformation from 3.554.0 to 3.556.0
- Bump @aws-sdk/client-cloudfront from 3.568.0 to 3.577.0
- Bump @aws-sdk/client-cloudwatch from 3.554.0 to 3.556.0
- Bump @aws-sdk/client-config-service from 3.568.0 to 3.577.0
- Bump @aws-sdk/client-ec2 from 3.568.0 to 3.577.0
- Bump @aws-sdk/client-fms from 3.554.0 to 3.577.0
- Bump @aws-sdk/client-pricing from 3.554.0 to 3.556.0
- Bump @aws-sdk/client-s3 from 3.569.0 to 3.577.0
- Bump @aws-sdk/client-service-quotas from 3.554.0 to 3.577.0
- Bump @aws-sdk/client-shield from 3.554.0 to 3.556.0
- Bump @aws-sdk/client-ssm from 3.554.0 to 3.577.0
- Bump @aws-sdk/client-wafv2 from 3.554.0 to 3.556.0
- Bump aws-cdk from 2.137.0 to 2.142.0
- Bump aws-cdk-lib from 2.137.0 to 2.142.0
- Bump @typescript-eslint/eslint-plugin from 7.6.0 to 7.9.0
- Bump @typescript-eslint/parser from 7.6.0 to 7.9.0
- Bump @types/lodash from 4.17.0 to 4.17.1
4.3.0
Added
- Allow reusing IP sets with the same name. This commit differentiates IP sets from different FMS configs by adding the name of the web ACL to the IP set name. Without this commit, running aws-firewall-factory for two configs that use an IP set with the same name gave an error on CloudFormation ('IpSet with name x already exists').
⚠️ Existing IP sets will be replaced during the next update.
- CheckCapacity: see which rule failed. This commit helps a lot by immediately letting us know which rule failed capacity checking and requires fixes.
- Save chars on the ManagedServiceData FMS prop. ManagedServiceData has a hard limit of 8192 characters. I've asked AWS about raising it and they said that this is a hard limit and they can't raise it. This commit saves as many chars as we can out of the ManagedServiceData prop, for squeezing in our rules (even if they have a ton of RuleActionOverrides on them).
- Values: allow async code. This adds a dynamic import of the firewall config, so that people who want to run async code in it can rely on all of that async code completing during the import.
- Issue#317 Evaluation time windows for request aggregation with rate-based rules. You can now select time windows of 1 minute, 2 minutes or 10 minutes, in addition to the previously supported 5 minutes.
- Extend Guidance Helper to check for valid Evaluation time windows.
- CustomRule StatementType is now part of the log Capacity Table
Fixed
- RateBasedStatement.CustomKeys is an array of objects, not an object
- Recursive code for adding RateBasedStatement.ScopeDownStatement. The ScopeDownStatement prop of a RateBasedStatement can contain And, Or and Not statements, just like any other Statement. Without this fix, deploying RateBasedStatements with complex ScopeDownStatements failed at capacity checking.
- Don't enforce an update if the EnforceUpdate prop is not defined. If it is not defined, EnforceUpdate is set to false.
- Enhanced the enum check to handle API throttling by adding sleep functionality.
- Bumped Jest from version 29.7.0 to 29.7.0
- Bumped TypeScript from version 5.3.3 to 5.4.5
- Bumped ESLint from version 8.56.0 to 8.56.0
- Bumped Axios from version 1.6.5 to 1.6.8
- Bumped @typescript-eslint/parser and @typescript-eslint/eslint-plugin from version 6.19.0 to 7.6.0
- Bumped AWS CDK from version 2.121.1 to 2.137.0
- Bumped @aws-sdk/client-cloudformation, @aws-sdk/client-cloudwatch, @aws-sdk/client-fms, @aws-sdk/client-pricing, @aws-sdk/client-service-quotas, @aws-sdk/client-shield, @aws-sdk/client-ssm, and @aws-sdk/client-wafv2 from version 3.490.0 to 3.554.0
- Removed redundant declaration of "@typescript-eslint/eslint-plugin" and "@typescript-eslint/parser" dependencies.
- Removed redundant declaration of "@types/lodash" dependency.
- Added missing comma after TypeScript version 5.3.3 in devDependencies.
- Add the CDK Toolkit stack name to cdk diff via the Taskfile. The following error sometimes occurred when the template was larger than 50 KiB, because the CDK toolkit stack name was not set:
  e.g.: The template for stack "YOURSTACKNAME" is 64KiB. Templates larger than 50KiB must be uploaded to S3.
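The constraints behind the rate-based rule changes in this release (the supported evaluation windows from Issue#317, CustomKeys being an array rather than an object, and And/Or/Not nesting inside ScopeDownStatement), as an added TypeScript example that is neither the project's Guidance Helper nor its capacity check: a small validator that runs over a rate-based statement before it is sent to WAF. The interfaces mirror the WAFv2 CloudFormation property names but model only the fields the checks read; the GOOD and BAD statements are constructed for this example; the one-to-five bound on customKeys and the rule that a scope-down statement cannot nest another rate-based statement are AWS WAF service constraints stated here from the WAF documentation, not from the release notes.

```typescript
// Added example, not project code: pre-deployment checks for a rate-based rule.
type LeafType =
  | "byteMatchStatement" | "geoMatchStatement" | "ipSetReferenceStatement"
  | "labelMatchStatement" | "regexMatchStatement" | "regexPatternSetReferenceStatement"
  | "sizeConstraintStatement" | "sqliMatchStatement" | "xssMatchStatement";

type Leaf = Partial<Record<LeafType, Record<string, unknown>>>;

// A WAF Statement: either one leaf match, or And/Or/Not over further statements.
type Statement = Leaf & {
  andStatement?: { statements: Statement[] };
  orStatement?: { statements: Statement[] };
  notStatement?: { statement: Statement };
  rateBasedStatement?: RateBasedStatement;
};

interface RateBasedStatement {
  limit: number;
  aggregateKeyType: "IP" | "FORWARDED_IP" | "CUSTOM_KEYS" | "CONSTANT";
  evaluationWindowSec?: number; // 60 | 120 | 300 | 600; WAF defaults to 300
  customKeys?: unknown;         // must be an array of key objects, one per key
  scopeDownStatement?: Statement;
}

const VALID_WINDOWS = [60, 120, 300, 600];

// Flatten a (scope-down) statement into its leaf statement types, descending
// through And/Or/Not the same way WAF nests them. Nested rate-based statements
// and empty statements are reported as their own markers.
function leafTypes(stmt: Statement, out: string[] = []): string[] {
  if (stmt.andStatement) stmt.andStatement.statements.forEach((s) => leafTypes(s, out));
  else if (stmt.orStatement) stmt.orStatement.statements.forEach((s) => leafTypes(s, out));
  else if (stmt.notStatement) leafTypes(stmt.notStatement.statement, out);
  else if (stmt.rateBasedStatement) out.push("rateBasedStatement");
  else {
    const keys = Object.keys(stmt).filter((k) => k.endsWith("Statement"));
    out.push(...(keys.length ? keys : ["<empty>"]));
  }
  return out;
}

// Returns a list of findings; an empty list means the statement passed.
function validateRateBased(rbs: RateBasedStatement): string[] {
  const findings: string[] = [];
  const win = rbs.evaluationWindowSec ?? 300;
  if (!VALID_WINDOWS.includes(win)) {
    findings.push(`evaluationWindowSec ${win} is not one of ${VALID_WINDOWS.join("/")}`);
  }
  if (!Number.isInteger(rbs.limit) || rbs.limit <= 0) {
    findings.push(`limit must be a positive integer, got ${rbs.limit}`);
  }
  if (rbs.aggregateKeyType === "CUSTOM_KEYS") {
    if (!Array.isArray(rbs.customKeys)) {
      findings.push("customKeys must be an array of key objects, not a single object");
    } else if (rbs.customKeys.length < 1 || rbs.customKeys.length > 5) {
      findings.push(`customKeys must hold 1 to 5 keys, got ${rbs.customKeys.length}`);
    }
  } else if (rbs.customKeys !== undefined) {
    findings.push("customKeys is only used with aggregateKeyType CUSTOM_KEYS");
  }
  if (rbs.scopeDownStatement) {
    const leaves = leafTypes(rbs.scopeDownStatement);
    if (leaves.includes("rateBasedStatement")) {
      findings.push("scopeDownStatement must not nest another rateBasedStatement");
    }
    if (leaves.includes("<empty>")) findings.push("scopeDownStatement contains an empty statement");
  }
  return findings;
}

// Constructed: rate-limit login attempts per API key over 2 minutes, outside DE/AT.
const GOOD: RateBasedStatement = {
  limit: 1000,
  aggregateKeyType: "CUSTOM_KEYS",
  evaluationWindowSec: 120,
  customKeys: [
    { header: { name: "x-api-key", textTransformations: [{ priority: 0, type: "NONE" }] } },
    { ip: {} },
  ],
  scopeDownStatement: {
    andStatement: {
      statements: [
        { byteMatchStatement: { fieldToMatch: { uriPath: {} }, positionalConstraint: "STARTS_WITH", searchString: "/api/login", textTransformations: [{ priority: 0, type: "LOWERCASE" }] } },
        { notStatement: { statement: { geoMatchStatement: { countryCodes: ["DE", "AT"] } } } },
      ],
    },
  },
};

// Constructed: the mistakes this release's fixes and guidance catch.
const BAD: RateBasedStatement = {
  limit: 1000,
  aggregateKeyType: "CUSTOM_KEYS",
  evaluationWindowSec: 90,  // not a supported window
  customKeys: { ip: {} },   // a single object where an array is required
  scopeDownStatement: {
    orStatement: { statements: [{ rateBasedStatement: { limit: 100, aggregateKeyType: "IP" } }, {}] },
  },
};

console.log("GOOD:", validateRateBased(GOOD));
console.log("BAD:", validateRateBased(BAD));
```

Running the walker before the capacity check is what makes the failure actionable: a rejected deployment names the offending window, key list or nested statement instead of surfacing as a generic capacity-check error for the whole rule group.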
4.2.3
Added
- Initial release of Enum Checker script. Implemented functionality to check for new Labels and Rules available for Managed Rule Groups. Provides clear output indicating any new Labels or Rules discovered.
- Issue#295 - Optional Athena table added to Prerequisites stack: Introducing support for the Athena WAF (web application firewall) log table. Users can now easily query and analyse WAF log data using Athena. Gain insight into web application security events, including blocked requests, allowed traffic and threat patterns.
Fixed
- Issue293 Warning on task deploy: "aws-cdk-lib.aws_lambda.FunctionOptions#logRetention is deprecated." - We now create a fully customizable log group with logs.LogGroup.
ℹ️ Migrating from logRetention to logGroup will cause the name of the log group to change.
- False positive for Guidance: noManageRuleGroups
- Added new Labels and Rules which are available for Managed Rule Groups to enum.ts
- Bump @types/node from 20.11.5 to 20.11.19
- Bump @typescript-eslint/eslint-plugin from 6.19.0 to 7.0.0
- Bump @aws-sdk/client-wafv2 from 3.496.0 to 3.515.0
- Bump aws-cdk-lib from 2.121.1 to 2.128.0
- Bump @types/uuid from 9.0.7 to 9.0.8
4.2.2
Added
- Guidance Helper v1: This helper provides comprehensive assistance in implementing best practices for AWS firewalls and also addresses Issue279, making the implementation more robust. Guidances have severities: ℹ️ can be adapted, ⚠️ should be adapted, 🚨 must be adapted. Exceptions, of course, prove the rule.
Fixed
- The conversion of rules from CDK to SDK for RateBasedStatement had issues that broke the WCU calculation, which depends on it. This has been fixed.
4.2.1
Fixed
- Issue285 - Resolved an issue where the redeployment of changed capacity was not functioning correctly due to inconsistencies in the writing of ProcessProperties for DeployedRuleGroups.
- Bump ts-jest from 29.1.1 to 29.1.2
- Bump @aws-sdk/client-wafv2 from 3.490.0 to 3.496.0
- Bump @aws-sdk/client-service-quotas from 3.490.0 to 3.496.0
- Bump @types/node from 20.11.4 to 20.11.5
- Bump @aws-sdk/client-pricing from 3.490.0 to 3.496.0
4.2.0
Fixed
- Output of the correct ManagedRuleGroup version if the stack has already been deployed, no version has been set explicitly, or EnforceUpdate has been set
- Restructured helpers to facilitate smoother integration with the code, particularly for contributors. Helpers are now separated into different files and directories grouped by AWS service / usage.
- Fixed code smells that were found by SonarQube
- VersionEnabled behavior fixed for ManagedRuleGroups
- Python Lambda translated into TypeScript
- Code was improved by removing code duplication and enriched with more comments and descriptions.
- Bump @aws-sdk/client-service-quotas from 3.427.0 to 3.490.0
- Bump @aws-sdk/client-pricing from 3.427.0 to 3.490.0
- Bump @aws-sdk/client-shield from 3.433.0 to 3.490.0
- Bump @aws-sdk/client-cloudformation from 3.428.0 to 3.490.0
- Bump @aws-sdk/client-cloudwatch from 3.427.0 to 3.490.0
- Bump @aws-sdk/client-fms from 3.427.0 to 3.490.0
- Bump @aws-sdk/client-wafv2 from 3.427.0 to 3.490.0
- Bump @types/node from 20.8.10 to 20.11.4
- Bump @typescript-eslint/parser from 6.7.5 to 6.19.0
- Bump @typescript-eslint/eslint-plugin from 6.13.2 to 6.19.0
- Bump aws-cdk-lib from 2.100.0 to 2.121.1
- Bump eslint from 8.53.0 to 8.56.0
- Bump ts-node from 10.9.1 to 10.9.2
- Bump typescript from 5.2.2 to 5.3.3
- Bump @types/lodash from 4.14.178 to 4.14.202
- Bump constructs from 10.2.25 to 10.3.0
- Bump typedoc-plugin-keywords from 1.5.0 to 1.6.0
4.1.6
Fixed
- Fixed Region addressing in CloudWatch expressions for the Dashboard
- Bump @types/aws-lambda from 8.10.124 to 8.10.130
- Bump @typescript-eslint/eslint-plugin from 6.10.0 to 6.13.2
Added
- Add Optional setting to Config OverrideCustomerWebACLAssociation - Decide if FMS should replace web ACLs that are currently associated with in-scope resources with the web ACLs created by this policy - Default is False
- Add Optional setting to Config awsManagedRulesBotControlRuleSetProperty - Details for your use of the Bot Control managed rule group, AWSManagedRulesBotControlRuleSet . See also: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-wafv2-webacl-awsmanagedrulesbotcontrolruleset.html
- Add Optional setting to Config awsManagedRulesACFPRuleSetProperty - Details for your use of the account creation fraud prevention managed rule group, AWSManagedRulesACFPRuleSet. See also: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-wafv2-webacl-awsmanagedrulesacfpruleset.html
- Add Optional setting to Config awsManagedRulesATPRuleSetProperty - Details for your use of the account takeover prevention managed rule group, AWSManagedRulesATPRuleSet. See also: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-wafv2-webacl-awsmanagedrulesatpruleset.html