Hello, Yes, the Launch Stack button is non-functional. I have found some workaround, so that we can create it via AWS CLI. For authentication token I have used aws sso login using the profile, you can use various methods to login using aws-cli.

I have used 3 files

cloudformation-custom-resources/common-script.py (to create s3 bucket and create zip files and upload it to S3 Bucket)
deploy_core script (This script is used to deploy Cloudformation stack by passing waf-dashboard.yaml.yaml)
waf-dashboard.yaml.yaml (In this file I have removed hardcoded names for WAFv2Modification, WAFGlobalModification, WAFRegionalModification)

1. common-script.py (this script is resides under cloudformation-custom-resources/ folder

import boto3 import sys import os

PROFILE=sys.argv[1] region = sys.argv[2]

boto3 = boto3.session.Session(profile_name=PROFILE)

print("Working on region: " + region)

bucket_prefix = "aws-waf-dashboards-" bucket_name = bucket_prefix + region

s3 = boto3.client('s3', region_name=region) if (region != 'us-east-1'): s3.create_bucket(Bucket=bucket_name, CreateBucketConfiguration={'LocationConstraint': region}) else: s3.create_bucket(Bucket=bucket_name)

cmd_1 = 'cd domain-setter-lambda; zip -r ../domain-setter-lambda.zip ; cd ..' cmd_2 = 'cd es-cognito-auth-lambda; zip -r ../es-cognito-auth-lambda.zip ; cd ..' cmd_3 = 'cd kibana-customizer-lambda; zip -r ../kibana-customizer-lambda.zip *; cd ..' os.system(cmd_1) os.system(cmd_2) os.system(cmd_3)

print("Working on region: " + region);

print("-> Uploading zip files to Bucket: " + bucket_name);

Copying domain-setter-lambda.zip

boto3.resource('s3').Bucket(bucket_name).upload_file("domain-setter-lambda.zip", 'domain-setter-lambda.zip') boto3.client('s3', region_name=region).put_object_acl(ACL='public-read',Bucket=bucket_name,Key='domain-setter-lambda.zip');

Copying es-cognito-auth-lambda.zip

boto3.resource('s3').Bucket(bucket_name).upload_file("es-cognito-auth-lambda.zip", 'es-cognito-auth-lambda.zip') boto3.client('s3', region_name=region).put_object_acl(ACL='public-read',Bucket=bucket_name,Key='es-cognito-auth-lambda.zip');

Copying kibana-customizer-lambda.zip

boto3.resource('s3').Bucket(bucket_name).upload_file("kibana-customizer-lambda.zip", 'kibana-customizer-lambda.zip') boto3.client('s3', region_name=region).put_object_acl(ACL='public-read',Bucket=bucket_name,Key='kibana-customizer-lambda.zip');

cmd_1 = 'rm domain-setter-lambda.zip' cmd_2 = 'rm es-cognito-auth-lambda.zip' cmd_3 = 'rm kibana-customizer-lambda.zip'

os.system(cmd_1) os.system(cmd_2) os.system(cmd_3)

s3 = boto3.client('s3', region_name=region)

s3.delete_object(Bucket=bucket_name,Key='domain-setter-lambda.py');

2. deploy_core(this is under the root of repository)

!/usr/bin/env bash

========================================================== configurations ===

SVC_NAME=my-waf-dashboard DataNodeEBSVolumeSize=100 ElasticSerchDomainName=waf-dashboards NodeType=m5.large.elasticsearch Email=abc@gmail.com

=============================================================== functions ===

function deploy_core_stack { PROFILE=${1} REGION=${2} TOKEN_PREFIX=${3} # optional

Create S3 Bucket and upload zip files

cd cloudformation-custom-resources python3 common-script.py ${PROFILE} ${REGION} cd ..

deploy core stack

aws cloudformation deploy --stack-name ${SVC_NAME} --template-file waf-dashboard.yaml.yaml \ --capabilities CAPABILITY_NAMED_IAM --no-fail-on-empty-changeset \ --parameter-overrides \ DataNodeEBSVolumeSize=${DataNodeEBSVolumeSize} \ ElasticSerchDomainName=${ElasticSerchDomainName} \ NodeType=${NodeType} \ UserEmail=${Email} \ --region ${REGION} \ --profile ${PROFILE}

enable core stack terminate protection

aws cloudformation update-termination-protection --stack-name ${SVC_NAME} \ --enable-termination-protection \ --region ${REGION} \ --profile ${PROFILE} > /dev/null }

============================================================= deployments ===

DEPLOY_TYPE=${1} DEPLOY_PROFILE=${2} DEPLOY_REGION=${3} DEPLOY_PREFIX=${4}

if [[ "${DEPLOY_TYPE}" == "solo" ]]; then

deploy_core_stack ${DEPLOY_PROFILE} ${DEPLOY_REGION:-us-east-1} ${DEPLOY_PREFIX:-dev}

elif [[ "${DEPLOY_TYPE}" == "nonprd" ]]; then

deploy_core_stack

3. waf-dashboard.yaml.yaml

AWSTemplateFormatVersion: "2010-09-09" Description: Sample AWS WAF Dashboard build on Amazon Elasticsearch Service.

Parameters: DataNodeEBSVolumeSize: Type: Number Default: 100 Description: Elasticsearch volume disk size

NodeType: Type: String Default: m5.large.elasticsearch Description: Elasticsearch Node Type

ElasticSerchDomainName: Type: String Default: 'waf-dashboards' AllowedPattern: "[a-z\-]*" Description: Elasticsearch domain name

UserEmail: Type: String Default: 'your@email.com' Description: Dashboard user e-mail address

Resources:

UserPoolDomainSetterLambda: Type: "AWS::Lambda::Function" Properties: Handler: "lambda_function.handler" Role: !GetAtt UserPoolDomainSetterLambdaRole.Arn Code: S3Bucket: !Join

''
- 'aws-waf-dashboards-'
  - !Ref "AWS::Region" S3Key: "domain-setter-lambda.zip" Runtime: "python3.7" MemorySize: 128 Timeout: 60
ESCognitoAuthSetterLambda: Type: "AWS::Lambda::Function" Properties: Handler: "lambda_function.handler" Role: !GetAtt ESCognitoAuthSetterLambdaRole.Arn Code: S3Bucket: !Join
''
- 'aws-waf-dashboards-'
  - !Ref "AWS::Region" S3Key: "es-cognito-auth-lambda.zip" Runtime: "python3.7" MemorySize: 128 Timeout: 900
KibanaCustomizerLambda: Type: "AWS::Lambda::Function" Properties: Handler: "lambda_function.handler" Role: !GetAtt KibanaCustomizerLambdaRole.Arn Code: S3Bucket: !Join
''
- 'aws-waf-dashboards-'
  - !Ref "AWS::Region" S3Key: "kibana-customizer-lambda.zip" Runtime: "python3.7" MemorySize: 128 Timeout: 160 Environment: Variables: REGION : !Ref "AWS::Region" ACCOUNT_ID : !Ref "AWS::AccountId"
UserPoolDomainSetterLambdaRole: Type: "AWS::IAM::Role" Properties: AssumeRolePolicyDocument: Version: "2012-10-17" Statement:
Effect: Allow Principal: Service: lambda.amazonaws.com Action: "sts:AssumeRole" Policies:
- PolicyName: UserPoolDomainSetterPolicy PolicyDocument: Version: "2012-10-17" Statement:
  - Effect: Allow Action:
    - 'cognito-idp:CreateUserPoolDomain'
    - 'cognito-idp:DeleteUserPoolDomain'
    - 'logs:CreateLogGroup'
    - 'logs:CreateLogStream'
    - 'logs:PutLogEvents'
    - 'events:PutRule'
    - 'events:DeleteRule'
    - 'lambda:AddPermission'
    - 'events:PutTargets'
    - 'events:RemoveTargets'
    - 'lambda:RemovePermission' Resource: "*"
ESCognitoAuthSetterLambdaRole: Type: "AWS::IAM::Role" Properties: AssumeRolePolicyDocument: Version: "2012-10-17" Statement:
Effect: Allow Principal: Service: lambda.amazonaws.com Action: "sts:AssumeRole" Policies:
- PolicyName: ESCognitoAuthSetterPolicy PolicyDocument: Version: "2012-10-17" Statement:
  - Effect: Allow Action:
    - 'es:UpdateElasticsearchDomainConfig'
    - 'es:DescribeElasticsearchDomain'
    - 'logs:CreateLogGroup'
    - 'logs:CreateLogStream'
    - 'logs:PutLogEvents'
    - 'events:PutRule'
    - 'events:DeleteRule'
    - 'lambda:AddPermission'
    - 'events:PutTargets'
    - 'events:RemoveTargets'
    - 'lambda:RemovePermission'
    - 'iam:PassRole' Resource: "*"
KibanaCustomizerLambdaRole: Type: "AWS::IAM::Role" Properties: AssumeRolePolicyDocument: Version: "2012-10-17" Statement:
Effect: Allow Principal: Service: lambda.amazonaws.com Action: "sts:AssumeRole" Policies:
- PolicyName: KibanaCustomizerPolicy PolicyDocument: Version: "2012-10-17" Statement:
  - Effect: Allow Action:
    - 'es:UpdateElasticsearchDomainConfig'
    - 'logs:CreateLogGroup'
    - 'logs:CreateLogStream'
    - 'logs:PutLogEvents'
    - 'events:PutRule'
    - 'events:DeleteRule'
    - 'lambda:AddPermission'
    - 'events:PutTargets'
    - 'events:RemoveTargets'
    - 'lambda:RemovePermission'
    - 'iam:PassRole'
    - 'waf:ListWebACLs'
    - 'waf-regional:ListWebACLs'
    - 'waf:ListRules'
    - 'waf-regional:ListRules'
    - 'wafv2:ListWebACLs' Resource: "*"
KinesisFirehoseS3Bucket: Type: AWS::S3::Bucket DeletionPolicy: Retain

UserPool: Type: AWS::Cognito::UserPool Properties: UserPoolName: 'WAFKibanaUsers' AdminCreateUserConfig: AllowAdminCreateUserOnly: True UsernameAttributes:
- email AutoVerifiedAttributes:
- email Policies: PasswordPolicy: MinimumLength: 8 Schema:
- Name: email AttributeDataType: String DeveloperOnlyAttribute: false Mutable: true Required: true
IdentityPool: Type: AWS::Cognito::IdentityPool Properties: IdentityPoolName: "WAFKibanaIdentityPool" AllowUnauthenticatedIdentities: true

AuthenticatedPolicy: Type: AWS::IAM::ManagedPolicy Properties: PolicyDocument: Version: "2012-10-17" Statement:
Effect: "Allow" Action:
- "es:ESHttp*" Resource:
- !Sub "arn:aws:es:${AWS::Region}:${AWS::AccountId}:domain/${ElasticSerchDomainName}/*"
AuthenticatedRole: Type: AWS::IAM::Role Properties: AssumeRolePolicyDocument: Version: "2012-10-17" Statement:
Effect: Allow Action: "sts:AssumeRoleWithWebIdentity" Principal: Federated: cognito-identity.amazonaws.com Condition: StringEquals: "cognito-identity.amazonaws.com:aud": !Ref IdentityPool ForAnyValue:StringLike: "cognito-identity.amazonaws.com:amr": authenticated ManagedPolicyArns:
- !Ref AuthenticatedPolicy
CognitoAccessForAmazonESRole: Type: "AWS::IAM::Role" Properties: AssumeRolePolicyDocument: Version: "2012-10-17" Statement:
Effect: Allow Principal: Service: es.amazonaws.com Action: "sts:AssumeRole" ManagedPolicyArns:
- 'arn:aws:iam::aws:policy/AmazonESCognitoAccess'
RoleAttachment: Type: AWS::Cognito::IdentityPoolRoleAttachment Properties: IdentityPoolId: !Ref IdentityPool Roles: authenticated: !GetAtt AuthenticatedRole.Arn

CognitoPoolUser: Type: AWS::Cognito::UserPoolUser Properties: Username: !Ref UserEmail UserPoolId: !Ref UserPool

ElasticsearchDomain: Type: AWS::Elasticsearch::Domain Properties: DomainName: !Ref ElasticSerchDomainName ElasticsearchVersion: '6.7' ElasticsearchClusterConfig: DedicatedMasterEnabled: 'false' InstanceCount: '1' InstanceType: !Ref NodeType EBSOptions: EBSEnabled: true Iops: 0 VolumeSize: !Ref DataNodeEBSVolumeSize VolumeType: 'gp2' SnapshotOptions: AutomatedSnapshotStartHour: '0' AccessPolicies: Version: "2012-10-17" Statement:
Effect: "Allow" Principal: AWS: !GetAtt AuthenticatedRole.Arn Action: "es:" Resource: !Sub "arn:aws:es:${AWS::Region}:${AWS::AccountId}:domain/${ElasticSerchDomainName}/"
Effect: "Allow" Principal: AWS: !GetAtt KibanaCustomizerLambdaRole.Arn Action: "es:" Resource: !Sub "arn:aws:es:${AWS::Region}:${AWS::AccountId}:domain/${ElasticSerchDomainName}/"

KinesisFirehoseDeliveryRole: Type: 'AWS::IAM::Role' Properties: AssumeRolePolicyDocument: Version: 2012-10-17 Statement:
Effect: Allow Action: 'sts:AssumeRole' Principal: Service:
- 'firehose.amazonaws.com'
KinesisFirehoseDeliveryPolicy: Type: 'AWS::IAM::Policy' Properties: PolicyName: 'WAFDeliveryPolicy' Roles:
- !Ref KinesisFirehoseDeliveryRole PolicyDocument: Version: '2012-10-17' Statement:
- Sid: '' Effect: Allow Action:
  - s3:AbortMultipartUpload
  - s3:GetBucketLocation
  - s3:GetObject
  - s3:ListBucket
  - s3:ListBucketMultipartUploads
  - s3:PutObject Resource:
  - !Sub 'arn:aws:s3:::${KinesisFirehoseS3Bucket}'
  - !Sub 'arn:aws:s3:::${KinesisFirehoseS3Bucket}/*'
- Sid: '' Effect: Allow Action:
  - lambda:InvokeFunction
  - lambda:GetFunctionConfiguration Resource: !Sub 'arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:function:%FIREHOSE_DEFAULT_FUNCTION%:%FIREHOSE_DEFAULT_VERSION%'
- Sid: '' Effect: Allow Action:
  - es:DescribeElasticsearchDomain
  - es:DescribeElasticsearchDomains
  - es:DescribeElasticsearchDomainConfig
  - es:ESHttpPost
  - es:ESHttpPut Resource:
  - !Sub "arn:aws:es:${AWS::Region}:${AWS::AccountId}:domain/${ElasticSerchDomainName}"
  - !Sub "arn:aws:es:${AWS::Region}:${AWS::AccountId}:domain/${ElasticSerchDomainName}/*"
- Sid: '' Effect: Allow Action:
  - es:ESHttpGet Resource:
  - !Sub 'arn:aws:es:${AWS::Region}:${AWS::AccountId}:domain/${ElasticSerchDomainName}/_all/_settings'
  - !Sub 'arn:aws:es:${AWS::Region}:${AWS::AccountId}:domain/${ElasticSerchDomainName}/_cluster/stats'
  - !Sub 'arn:aws:es:${AWS::Region}:${AWS::AccountId}:domain/${ElasticSerchDomainName}/awswaf*/_mapping/superstore'
  - !Sub 'arn:aws:es:${AWS::Region}:${AWS::AccountId}:domain/${ElasticSerchDomainName}/_nodes'
  - !Sub 'arn:aws:es:${AWS::Region}:${AWS::AccountId}:domain/${ElasticSerchDomainName}/_nodes/stats'
  - !Sub 'arn:aws:es:${AWS::Region}:${AWS::AccountId}:domain/${ElasticSerchDomainName}/_nodes/*/stats'
  - !Sub 'arn:aws:es:${AWS::Region}:${AWS::AccountId}:domain/${ElasticSerchDomainName}/_stats'
  - !Sub 'arn:aws:es:${AWS::Region}:${AWS::AccountId}:domain/${ElasticSerchDomainName}/awswaf*/_stats'
- Sid: '' Effect: Allow Action:
  - logs:PutLogEvents Resource:
  - !Sub 'arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/kinesisfirehose/waflogs:log-stream:*'
- Sid: '' Effect: Allow Action:
kinesis:DescribeStream
kinesis:GetShardIterator
kinesis:GetRecords Resource: !Sub 'arn:aws:kinesis:${AWS::Region}:${AWS::AccountId}:stream/%FIREHOSE_STREAM_NAME%'
- Effect: Allow Action:
  - kms:Decrypt Resource:
  - !Sub 'arn:aws:kms:${AWS::Region}:${AWS::AccountId}:key/%SSE_KEY_ARN%' Condition: StringEquals: 'kms:ViaService': !Sub 's3.${AWS::Region}.amazonaws.com' StringLike: 'kms:EncryptionContext:aws:kinesis:arn': !Sub 'arn:aws:kinesis:${AWS::Region}:${AWS::AccountId}:stream/%FIREHOSE_STREAM_NAME%'
KinesisFirehoseDeliveryStream: Type: AWS::KinesisFirehose::DeliveryStream Properties: DeliveryStreamName: !Sub 'aws-waf-logs-${UserPool}' DeliveryStreamType: "DirectPut" ElasticsearchDestinationConfiguration: BufferingHints: IntervalInSeconds: "60" SizeInMBs: 5 CloudWatchLoggingOptions: Enabled: true LogGroupName: 'deliverystream' LogStreamName: 'elasticsearchDelivery' DomainARN: !GetAtt ElasticsearchDomain.Arn IndexName: 'awswaf' IndexRotationPeriod: "OneDay" TypeName: 'waflog' RetryOptions: DurationInSeconds: "60" RoleARN: !GetAtt KinesisFirehoseDeliveryRole.Arn S3BackupMode: "AllDocuments" S3Configuration: BucketARN: !Sub 'arn:aws:s3:::${KinesisFirehoseS3Bucket}' BufferingHints: IntervalInSeconds: "60" SizeInMBs: "50" CompressionFormat: "UNCOMPRESSED" Prefix: 'log/' RoleARN: !GetAtt KinesisFirehoseDeliveryRole.Arn CloudWatchLoggingOptions: Enabled: true LogGroupName: "deliverystream" LogStreamName: "s3Backup"

UserPoolDomainSetter: Type: Custom::UserPoolDomainSetterLambda DependsOn: ElasticsearchDomain Properties: ServiceToken: !GetAtt UserPoolDomainSetterLambda.Arn StackName: !Ref "AWS::StackName" UserPoolId: !Ref UserPool

ESCognitoAuthSetter: Type: Custom::ESCognitoAuthSetter DependsOn: UserPoolDomainSetter Properties: ServiceToken: !GetAtt ESCognitoAuthSetterLambda.Arn StackName: !Ref "AWS::StackName" UserPoolId: !Ref UserPool IdentityPoolId: !Ref IdentityPool RoleArn: !GetAtt CognitoAccessForAmazonESRole.Arn DomainName: !Ref ElasticSerchDomainName

KibanaCustomizer: Type: Custom::KibanaCustomizer DependsOn: UserPoolDomainSetter Properties: ServiceToken: !GetAtt KibanaCustomizerLambda.Arn StackName: !Ref "AWS::StackName" Region: !Ref "AWS::Region" Host: !GetAtt ElasticsearchDomain.DomainEndpoint AccountID: !Ref "AWS::AccountId"

KibanaUpdate: Type: "AWS::Lambda::Function" Properties: Handler: "lambda_function.update_kibana" Role: !GetAtt KibanaCustomizerLambdaRole.Arn Code: S3Bucket: !Join
''
- 'aws-waf-dashboards-'
  - !Ref "AWS::Region" S3Key: "kibana-customizer-lambda.zip" Runtime: "python3.7" MemorySize: 128 Timeout: 160 Environment: Variables: ES_ENDPOINT : !GetAtt ElasticsearchDomain.DomainEndpoint REGION : !Ref "AWS::Region" ACCOUNT_ID : !Ref "AWS::AccountId"
WAFv2Modification: Type: AWS::Events::Rule Properties: Description: WAF Dashboard - detects new WebACL and rules for WAFv2. EventPattern: source:
"aws.wafv2" detail-type:
"AWS API Call via CloudTrail" detail: eventSource:
- wafv2.amazonaws.com eventName:
- CreateWebACL
- CreateRule State: "ENABLED" Targets:
  
  Arn: !GetAtt KibanaUpdate.Arn Id: "1"
WAFGlobalModification: Type: AWS::Events::Rule Properties: Description: WAF Dashboard - detects new WebACL and rules for WAF Global. EventPattern: source:
"aws.waf" detail-type:
"AWS API Call via CloudTrail" detail: eventSource:
- waf.amazonaws.com eventName:
- CreateWebACL
- CreateRule State: "ENABLED" Targets:
  
  Arn: !GetAtt KibanaUpdate.Arn Id: "1"
WAFRegionalModification: Type: AWS::Events::Rule Properties: Description: WAF Dashboard - detects new WebACL and rules for WAF Regional. EventPattern: source:
- "aws.waf-regional" detail-type:
- "AWS API Call via CloudTrail" detail: eventSource:
  - waf-regional.amazonaws.com eventName:
  - CreateWebACL
  - CreateRule State: "ENABLED" Targets:
    
    Arn: !GetAtt KibanaUpdate.Arn Id: "1"
KibanaUpdateWAFGlobalPermission: Type: AWS::Lambda::Permission Properties: Action: 'lambda:InvokeFunction' FunctionName: !Ref KibanaUpdate Principal: "events.amazonaws.com" SourceArn: !GetAtt WAFGlobalModification.Arn

KibanaUpdateWAFv2Permission: Type: AWS::Lambda::Permission Properties: Action: 'lambda:InvokeFunction' FunctionName: !Ref KibanaUpdate Principal: "events.amazonaws.com" SourceArn: !GetAtt WAFv2Modification.Arn

KibanaUpdateWAFRegionalPermission: Type: AWS::Lambda::Permission Properties: Action: 'lambda:InvokeFunction' FunctionName: !Ref KibanaUpdate Principal: "events.amazonaws.com" SourceArn: !GetAtt WAFRegionalModification.Arn

Outputs:

DashboardLinkOutput: Description: Link to WAF Dashboard Value: !Join

''
- 'https://'
  - !GetAtt ElasticsearchDomain.DomainEndpoint
  - '/_plugin/kibana/'

To run this script be in the root of the repository and run ./deploy_core nonprd

aws-samples / aws-waf-dashboard

Bucket Access is denied #13

Copying domain-setter-lambda.zip

Copying es-cognito-auth-lambda.zip

Copying kibana-customizer-lambda.zip

s3 = boto3.client('s3', region_name=region)

s3.delete_object(Bucket=bucket_name,Key='domain-setter-lambda.py');

!/usr/bin/env bash

========================================================== configurations ===

=============================================================== functions ===

Create S3 Bucket and upload zip files

deploy core stack

enable core stack terminate protection

============================================================= deployments ===

CreateRule State: "ENABLED" Targets:

CreateRule State: "ENABLED" Targets:

CreateRule State: "ENABLED" Targets: