Closed flyingolivier closed 4 years ago
AWS Support says it has to be rewritten for WAFv2
+1
Any plans to add support for WAFv2? @stevemorad
Following this.
So far I found that we can make a simple CloudFormation script for WAFv2 like below. What I'm having trouble with is attaching the new WAF to an existing or new ALB.
```yaml
AWSTemplateFormatVersion: 2010-09-09
Description: WAFv2 Sample Template
Resources:
  sampleIpSetIPv4:
    Type: 'AWS::WAFv2::IPSet'
    Properties:
      Name: sampleIPlistIPv4
      Scope: REGIONAL
      IPAddressVersion: IPV4
      Addresses:
        - 1.1.1.1/32
        - 2.2.2.2/32
  sampleIpSetIPv6:
    Type: 'AWS::WAFv2::IPSet'
    Properties:
      Name: sampleIPlistIPv6
      Scope: REGIONAL
      IPAddressVersion: IPV6
      Addresses:
        - 2001:220::/32
        - 2002:220::/32
  sampleRegexPatternSet:
    Type: AWS::WAFv2::RegexPatternSet
    Properties:
      Name: sampleRegexPatternSet
      Scope: REGIONAL
      Description: This is a sample RegexPatternSet
      RegularExpressionList:
        - ^attacker$
        - ^script$
  sampleWebACL:
    Type: AWS::WAFv2::WebACL
    Properties:
      Name: sampleWebACL
      Scope: REGIONAL
      Description: This is a sample WebACL
      DefaultAction:
        Allow: {}
      VisibilityConfig:
        SampledRequestsEnabled: true
        CloudWatchMetricsEnabled: true
        MetricName: sampleWebACLMetric
      # Rules are evaluated in ascending Priority order. Allow and Block are
      # terminating actions, so a request matched by an Allow rule is never
      # evaluated against the Block rules with a higher Priority number below.
      Rules:
        - Name: RuleWithAWSManagedRules
          Priority: 0
          # Managed rule groups take OverrideAction, not Action. Count keeps
          # the group in monitoring mode (metrics only, nothing blocked).
          OverrideAction:
            Count: {}
          VisibilityConfig:
            SampledRequestsEnabled: true
            CloudWatchMetricsEnabled: true
            MetricName: RuleWithAWSManagedRulesMetric
          Statement:
            ManagedRuleGroupStatement:
              VendorName: AWS
              Name: AWSManagedRulesCommonRuleSet
              ExcludedRules: []
        - Name: StringMatch
          Priority: 1
          # Any request whose query arguments contain "firefox" is allowed here
          # and skips the XSS, SQLi, IP set and regex Block rules that follow.
          Action:
            Allow: {}
          VisibilityConfig:
            SampledRequestsEnabled: true
            CloudWatchMetricsEnabled: true
            MetricName: StringMatchMetric
          Statement:
            ByteMatchStatement:
              FieldToMatch:
                AllQueryArguments: {}
              PositionalConstraint: CONTAINS
              SearchString: firefox
              TextTransformations:
                - Priority: 1
                  Type: HTML_ENTITY_DECODE
        - Name: BlockXssAttack
          Priority: 2
          Action:
            Block: {}
          VisibilityConfig:
            SampledRequestsEnabled: true
            CloudWatchMetricsEnabled: true
            MetricName: BlockXssAttackMetric
          Statement:
            XssMatchStatement:
              FieldToMatch:
                AllQueryArguments: {}
              TextTransformations:
                - Priority: 1
                  Type: NONE
        - Name: BlockSQLinjectionAttack
          Priority: 3
          Action:
            Block: {}
          VisibilityConfig:
            SampledRequestsEnabled: true
            CloudWatchMetricsEnabled: true
            MetricName: BlockSQLinjectionAttackMetric
          Statement:
            SqliMatchStatement:
              FieldToMatch:
                AllQueryArguments: {}
              TextTransformations:
                - Priority: 1
                  Type: NONE
        - Name: IPlistRuleIPv4
          Priority: 4
          Action:
            Block: {}
          VisibilityConfig:
            SampledRequestsEnabled: true
            CloudWatchMetricsEnabled: true
            MetricName: IPlistRuleIPv4Metric
          Statement:
            IPSetReferenceStatement:
              Arn: !GetAtt sampleIpSetIPv4.Arn
        - Name: IPlistRuleIPv6
          Priority: 5
          Action:
            Block: {}
          VisibilityConfig:
            SampledRequestsEnabled: true
            CloudWatchMetricsEnabled: true
            MetricName: IPlistRuleIPv6Metric
          Statement:
            IPSetReferenceStatement:
              Arn: !GetAtt sampleIpSetIPv6.Arn
        - Name: RegexPatternSetRule
          Priority: 6
          Action:
            Block: {}
          VisibilityConfig:
            SampledRequestsEnabled: true
            CloudWatchMetricsEnabled: true
            MetricName: RegexPatternSetRuleMetric
          Statement:
            RegexPatternSetReferenceStatement:
              Arn: !GetAtt sampleRegexPatternSet.Arn
              FieldToMatch:
                AllQueryArguments: {}
              TextTransformations:
                - Priority: 1
                  Type: NONE
Outputs:
  cfnVersion:
    # Output values must be strings, so the version is quoted.
    Value: '0.1'
  accountId:
    Value: !Ref AWS::AccountId
  Region:
    Description: AWS Region
    Value: !Ref AWS::Region
```
@dontstopnowbaby - Here is a sample ALB association for a new ALB...

```yaml
wafALBAssociation:
  Type: AWS::WAFv2::WebACLAssociation
  Properties:
    ResourceArn:
      !Sub
        - 'arn:aws:elasticloadbalancing:${AWS::Region}:${AWS::AccountId}:loadbalancer/${TargetALB}'
        - TargetALB: !GetAtt Alb.LoadBalancerFullName
    WebACLArn: !GetAtt wafACL.Arn
```
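The thread asks about the other half of the problem, attaching a WAFv2 web ACL to an ALB that already exists and is not created by the same stack. The template below is an added example written for this page; it is not code from the thread or from the WAF Security Automations solution, and the parameter names `ExistingAlbArn` and `WebAclArn` are assumptions. It assumes a REGIONAL-scope web ACL already exists in the same region as the ALB (for instance the `sampleWebACL` from the template above).

```yaml
AWSTemplateFormatVersion: 2010-09-09
Description: >-
  Added example (not from the original thread or the solution's templates):
  attach an existing WAFv2 web ACL to an existing Application Load Balancer.

Parameters:
  # Assumed parameter: the full ALB ARN, which is also what `!Ref` returns for
  # an AWS::ElasticLoadBalancingV2::LoadBalancer created in the same template,
  # so no ARN needs to be assembled with !Sub in that case.
  ExistingAlbArn:
    Type: String
    Description: >-
      ARN of the ALB to protect, shaped like
      arn:aws:elasticloadbalancing:REGION:ACCOUNT:loadbalancer/app/NAME/ID
    AllowedPattern: '^arn:aws[a-z-]*:elasticloadbalancing:[a-z0-9-]+:[0-9]{12}:loadbalancer/app/.+$'
  # Assumed parameter: ARN of an AWS::WAFv2::WebACL with Scope REGIONAL.
  # A CLOUDFRONT-scope web ACL cannot be associated with an ALB, and the
  # web ACL must live in the same region as the load balancer.
  WebAclArn:
    Type: String
    Description: ARN of a REGIONAL-scope WAFv2 web ACL in the same region as the ALB
    AllowedPattern: '^arn:aws[a-z-]*:wafv2:[a-z0-9-]+:[0-9]{12}:regional/webacl/.+$'

Resources:
  ExistingAlbWafAssociation:
    Type: AWS::WAFv2::WebACLAssociation
    Properties:
      ResourceArn: !Ref ExistingAlbArn
      WebACLArn: !Ref WebAclArn

  # CloudFront is the exception: AWS::WAFv2::WebACLAssociation does not take a
  # distribution ARN. For CloudFront the web ACL must use Scope: CLOUDFRONT
  # (created in us-east-1) and its ARN goes into the distribution's own
  # DistributionConfig.WebACLId property instead of an association resource.

Outputs:
  ProtectedAlb:
    Value: !Ref ExistingAlbArn
  AssociatedWebAcl:
    Value: !Ref WebAclArn
```

After the stack completes, confirm the association actually took effect with `aws wafv2 get-web-acl-for-resource --resource-arn <ALB ARN>`; an ALB can have only one web ACL, so if another one is already attached the association will fail at deploy time rather than silently replacing it.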
Has anyone heard if AWS will consider rewriting these? Looked into it, and you can't hot-swap for WAFv2 since a lot of the API has changed.
Hello @flyingolivier, we are working on a WAF Security Automations update to support the WAFv2 API. It will be released shortly. Thanks.
@rakshb - Do you have any estimate for it?
Thanks!
@alonbhaim We are targeting July 2020.
Hello @rakshb, we deployed the WAF Security Automations CloudFront template a month or two ago, and it deployed the classic version. What should we do now to upgrade to version 2?
Hi @omar-dulaimi. You will have to deploy v3.0 as a fresh installation. Since the WAF API was updated, there is no direct upgrade path from v2.3.3 to v3.0.
@rakshb Hey, could it be that 'os.getenv' doesn't get the environment variables properly? I had a problem in the log-parser script in the new WAFv2 template, and changing 'os.getenv' to 'os.environ' solved it for me. This was the only change that I made.
@galrosencov What issue are you talking about?
@aijunpeng I worked with the new WAFv2 template and used its scripts like log_parser and access_handler. 'os.getenv' is used in these scripts, and I noticed that the environment variables don't get passed properly. When I changed it from os.getenv to os.environ it worked perfectly; not sure why exactly.
Thanks for your response. os.getenv and os.environ are equivalent in function. It has been tested that os.getenv works in the WAFv2 solution. I don't have enough information about your use case to know what's going on with your source code, but I am glad that you found a way that works for you. Below is a link that you might find useful on this issue: https://stackoverflow.com/questions/16924471/difference-between-os-getenv-and-os-environ-get
Thanks again for the comment.
This template creates WAF resources for AWS WAF Classic. How can we run this template and have the ACL, rules, etc. created for the newer WAFv2 instead?