aws-samples / amazon-guardduty-waf-acl

AWS GD2ACL
https://aws.amazon.com/blogs/security/how-to-use-amazon-guardduty-and-aws-web-application-firewall-to-automatically-block-suspicious-hosts/
MIT No Attribution

GuardDutytoACL-GuardDutytoACLDDBTable not updated with new rule #3

Closed e86h90 closed 5 years ago

e86h90 commented 5 years ago

The CloudWatch logs report information similar to the following:

[INFO] 2019-02-11T18:07:14.908Z 163c15e1-a6e5-4eaa-93f6-8596f99b1646 log -- delete rule 74, from NACL acl-f5785d9d.

Soon followed by:

[INFO] 2019-02-11T18:07:15.125Z 163c15e1-a6e5-4eaa-93f6-8596f99b1646 log -- add new rule 74, HostIP 184.105.247.194, to NACL acl-f5785d9d.
[INFO] 2019-02-11T18:07:15.125Z 163c15e1-a6e5-4eaa-93f6-8596f99b1646 log -- rule count for NACL acl-f5785d9d is 9.

When I review the Network ACLs, I see the new entry. However, when I review the DynamoDB state table, the entry is not in the table and the rule count does not agree with the log.

I do not see any errors in the CloudWatch log indicating any issue with connecting or writing to the DynamoDB table.

Is there any sort of optimization that needs to be made to the code to guarantee that the DynamoDB state table is updated?

The out-of-sync state table entries cause problems in subsequent invocations of the Lambda function.

I am finding I have to manually adjust the NACL entries daily to keep the Network ACL list and the DynamoDB state table in sync.
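
The daily manual comparison described in the report above can be expressed as a drift check between the NACL entries and the state table. The following is an added example written for this issue, not code from the aws-samples repository: it takes the data shapes that `ec2.describe_network_acls` and a DynamoDB scan return, computes which blocked hosts exist on one side but not the other, and reports the lowest rule number that neither side uses. The DynamoDB attribute names (`NetACLId`, `HostIp`, `RuleNo`) and the managed rule-number range 71 to 80 are assumptions for the example, not taken from the sample's table definition, and the input data is constructed inline so the check runs offline.

```python
from ipaddress import ip_network

# Constructed sample: the "Entries" list describe_network_acls returns for one
# NACL, reduced to the fields this check uses. Rules 71-80 are ASSUMED to be
# the range the solution writes into; 100 and 32767 are the VPC default rules.
SAMPLE_NACL_ENTRIES = [
    {"RuleNumber": 71, "CidrBlock": "203.0.113.10/32", "Egress": False, "RuleAction": "deny", "Protocol": "-1"},
    {"RuleNumber": 72, "CidrBlock": "198.51.100.7/32", "Egress": False, "RuleAction": "deny", "Protocol": "-1"},
    {"RuleNumber": 74, "CidrBlock": "184.105.247.194/32", "Egress": False, "RuleAction": "deny", "Protocol": "-1"},
    {"RuleNumber": 100, "CidrBlock": "0.0.0.0/0", "Egress": False, "RuleAction": "allow", "Protocol": "-1"},
    {"RuleNumber": 32767, "CidrBlock": "0.0.0.0/0", "Egress": False, "RuleAction": "deny", "Protocol": "-1"},
]

# Constructed sample of the state table. Attribute names are ASSUMED for this
# example. It deliberately disagrees with the NACL above: rule 72 was never
# recorded, host 198.51.100.7 is filed under the wrong rule number, and
# 192.0.2.55 is a stale item whose NACL entry no longer exists.
SAMPLE_TABLE_ITEMS = [
    {"NetACLId": "acl-f5785d9d", "HostIp": "203.0.113.10", "RuleNo": 71},
    {"NetACLId": "acl-f5785d9d", "HostIp": "198.51.100.7", "RuleNo": 73},
    {"NetACLId": "acl-f5785d9d", "HostIp": "192.0.2.55", "RuleNo": 75},
    {"NetACLId": "acl-0000000000000001", "HostIp": "192.0.2.9", "RuleNo": 71},  # other NACL, ignored
]


def managed_nacl_rules(entries, managed_range=(71, 80)):
    """Return {rule_number: host_ip} for the ingress /32 deny rules inside the
    managed range; default and unrelated rules are left out."""
    lo, hi = managed_range
    rules = {}
    for entry in entries:
        if entry["Egress"] or entry["RuleAction"] != "deny":
            continue
        if not lo <= entry["RuleNumber"] <= hi:
            continue
        net = ip_network(entry["CidrBlock"])
        if net.prefixlen != 32:  # the solution blocks single hosts only
            continue
        rules[entry["RuleNumber"]] = str(net.network_address)
    return rules


def table_rules(items, acl_id):
    """Return {rule_number: host_ip} for the state-table items of one NACL.
    int() also covers the Decimal values boto3 returns for numbers."""
    return {int(item["RuleNo"]): item["HostIp"] for item in items if item["NetACLId"] == acl_id}


def find_drift(acl_id, entries, items, managed_range=(71, 80)):
    """Compare the NACL against the state table for one ACL id and report
    (rule, host) pairs present on only one side, plus the next free rule."""
    nacl = managed_nacl_rules(entries, managed_range)
    table = table_rules(items, acl_id)
    nacl_pairs = set(nacl.items())
    table_pairs = set(table.items())
    lo, hi = managed_range
    used = set(nacl) | set(table)
    free = [n for n in range(lo, hi + 1) if n not in used]
    return {
        "nacl_rule_count": len(nacl),
        "table_rule_count": len(table),
        "missing_from_table": sorted(nacl_pairs - table_pairs),
        "stale_in_table": sorted(table_pairs - nacl_pairs),
        "next_free_rule": free[0] if free else None,
        "in_sync": nacl_pairs == table_pairs,
    }


def reconcile_actions(drift):
    """Describe the table writes that would bring the state table back in line
    with the NACL (the NACL is treated as the source of truth)."""
    actions = [f"delete item rule {n} host {ip}" for n, ip in drift["stale_in_table"]]
    actions += [f"put item rule {n} host {ip}" for n, ip in drift["missing_from_table"]]
    return actions


if __name__ == "__main__":
    report = find_drift("acl-f5785d9d", SAMPLE_NACL_ENTRIES, SAMPLE_TABLE_ITEMS)
    for key, value in report.items():
        print(f"{key}: {value}")
    for action in reconcile_actions(report):
        print(action)
```

Against live data the two inputs come from `ec2.describe_network_acls(NetworkAclIds=[acl_id])["NetworkAcls"][0]["Entries"]` and a scan of the state table; the check itself stays the same. When `in_sync` is false on consecutive runs while the Lambda reports successful writes, concurrent invocations picking the same free rule number is one explanation worth ruling out before suspecting the DynamoDB connection.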

cgulliver commented 5 years ago

Have you tried removing all entries in the DDB table and the associated NACL(s)? Can you confirm there is only a single instance of the solution running? Can you also share the logging info from the pruning Lambda function?

e86h90 commented 5 years ago

As a test I set the reserved concurrency of the GuardDutytoACL-GuardDutytoACLLambda to 1. Throttling the Lambda function in this manner has resolved the issue I have been having. The DynamoDB state table and the Network ACL list have been in sync ever since.

cgulliver commented 5 years ago

Thanks for the update.

cgulliver commented 5 years ago

We have updated the Lambda code for this sample. A simple way to test is to delete the associated entries in the NACLs and WAF IP Sets, clear the DDB table, then replace the code in the Lambda functions GuardDutytoACL-GuardDutytoACLLambda and GuardDutytoACL-PruneOldEntriesLambda with the new code: https://github.com/aws-samples/amazon-guardduty-waf-acl/tree/master/lambda. Would greatly appreciate feedback on whether this resolves your issue or not.