aws-solutions / aws-waf-security-automations

This solution automatically deploys a single web access control list (web ACL) with a set of AWS WAF rules designed to filter common web-based attacks.
https://aws.amazon.com/solutions/aws-waf-security-automations
Apache License 2.0
845 stars 361 forks

Support for WAF2 #108

Closed flyingolivier closed 4 years ago

flyingolivier commented 4 years ago

This template creates WAF resources for AWS WAF classic. How can we run this template and have the ACL, rules etc... created for the newer WAF v2 instead?

aldegoeij commented 4 years ago

AWS Support says it has to be rewritten for WAFv2

dxciberaws commented 4 years ago

+1

gzurowski commented 4 years ago

Any plans to add support for WAFv2? @stevemorad

dontstopnowbaby commented 4 years ago

Following this.

So far I found that we can make a simple CloudFormation script for WAFv2 like below. What I'm having trouble with is attaching the new WAF to an existing or new ALB.

```yaml
AWSTemplateFormatVersion: 2010-09-09
Description: WAFv2 Sample Template
Resources:
  sampleIpSetIPv4:
    Type: 'AWS::WAFv2::IPSet'
    Properties:
      Name: sampleIPlistIPv4
      Scope: REGIONAL
      IPAddressVersion: IPV4
      Addresses:
        - 1.1.1.1/32
        - 2.2.2.2/32
  sampleIpSetIPv6:
    Type: 'AWS::WAFv2::IPSet'
    Properties:
      Name: sampleIPlistIPv6
      Scope: REGIONAL
      IPAddressVersion: IPV6
      Addresses:
        - 2001:220::/32
        - 2002:220::/32
  sampleRegexPatternSet:
    Type: AWS::WAFv2::RegexPatternSet
    Properties:
      Name: sampleRegexPatternSet
      Scope: REGIONAL
      Description: This is an sample RegexPatternSet
      RegularExpressionList:
        - ^attacker$
        - ^script$
  sampleWebACL:
    Type: AWS::WAFv2::WebACL
    Properties:
      Name: sampleWebACL
      Scope: REGIONAL
      Description: This is an sample WebACL
      DefaultAction:
        Allow: {}
      VisibilityConfig:
        SampledRequestsEnabled: true
        CloudWatchMetricsEnabled: true
        MetricName: sampleWebACLMetric
      Rules:
        - Name: RuleWithAWSManagedRules
          Priority: 0
          OverrideAction:
            Count: {}
          VisibilityConfig:
            SampledRequestsEnabled: true
            CloudWatchMetricsEnabled: true
            MetricName: RuleWithAWSManagedRulesMetric
          Statement:
            ManagedRuleGroupStatement:
              VendorName: AWS
              Name: AWSManagedRulesCommonRuleSet
              ExcludedRules: []
        - Name: StringMatch
          Priority: 1
          Action:
            Allow: {}
          VisibilityConfig:
            SampledRequestsEnabled: true
            CloudWatchMetricsEnabled: true
            MetricName: StringMatchMetric
          Statement:
            ByteMatchStatement:
              FieldToMatch:
                AllQueryArguments: {}
              PositionalConstraint: CONTAINS
              SearchString: firefox
              TextTransformations:
                - Priority: 1
                  Type: HTML_ENTITY_DECODE
        - Name: BlockXssAttack
          Priority: 2
          Action:
            Block: {}
          VisibilityConfig:
            SampledRequestsEnabled: true
            CloudWatchMetricsEnabled: true
            MetricName: BlockXssAttackMetric
          Statement:
            XssMatchStatement:
              FieldToMatch:
                AllQueryArguments: {}
              TextTransformations:
                - Priority: 1
                  Type: NONE
        - Name: BlockSQLinjectionAttack
          Priority: 3
          Action:
            Block: {}
          VisibilityConfig:
            SampledRequestsEnabled: true
            CloudWatchMetricsEnabled: true
            MetricName: BlockSQLinjectionAttackMetric
          Statement:
            SqliMatchStatement:
              FieldToMatch:
                AllQueryArguments: {}
              TextTransformations:
                - Priority: 1
                  Type: NONE
        - Name: IPlistRuleIPv4
          Priority: 4
          Action:
            Block: {}
          VisibilityConfig:
            SampledRequestsEnabled: true
            CloudWatchMetricsEnabled: true
            MetricName: IPlistRuleIPv4Metric
          Statement:
            IPSetReferenceStatement:
              Arn: !GetAtt sampleIpSetIPv4.Arn
        - Name: IPlistRuleIPv6
          Priority: 5
          Action:
            Block: {}
          VisibilityConfig:
            SampledRequestsEnabled: true
            CloudWatchMetricsEnabled: true
            MetricName: IPlistRuleIPv6Metric
          Statement:
            IPSetReferenceStatement:
              Arn: !GetAtt sampleIpSetIPv6.Arn
        - Name: RegexPatternSetRule
          Priority: 6
          Action:
            Block: {}
          VisibilityConfig:
            SampledRequestsEnabled: true
            CloudWatchMetricsEnabled: true
            MetricName: RegexPatternSetRuleMetric
          Statement:
            RegexPatternSetReferenceStatement:
              Arn: !GetAtt sampleRegexPatternSet.Arn
              FieldToMatch:
                AllQueryArguments: {}
              TextTransformations:
                - Priority: 1
                  Type: NONE
Outputs:
  cfnVersion:
    Value: 0.1
  accountId:
    Value: !Ref AWS::AccountId
  Region:
    Description: AWS Region
    Value: !Ref AWS::Region
```

cgulliver commented 4 years ago

> So far I found that we can make a simple CloudFormation script for WAFv2 like below. What I'm having trouble with is attaching the new WAF to an existing or new ALB.

@dontstopnowbaby - Here is a sample ALB association for a new ALB...

```yaml
  wafALBAssociation:
    Type: AWS::WAFv2::WebACLAssociation
    Properties:
      ResourceArn:
        !Sub
          - 'arn:aws:elasticloadbalancing:${AWS::Region}:${AWS::AccountId}:loadbalancer/${TargetALB}'
          - TargetALB: !GetAtt Alb.LoadBalancerFullName
      WebACLArn: !GetAtt wafACL.Arn
```

michaelasper commented 4 years ago

Has anyone heard if AWS will consider rewriting these? Looked into it, and you can't hot-swap for WAFv2 since a lot of the API has changed.

rakshb commented 4 years ago

Hello @flyingolivier We are working on a WAF Security Automations update to support WAFv2 API. It will be released shortly. Thanks

alonbhaim commented 4 years ago

@rakshb - Do you have any estimation for it?

Thanks!

> Hello @flyingolivier We are working on a WAF Security Automations update to support WAFv2 API. It will be released shortly. Thanks

rakshb commented 4 years ago

@alonbhaim We are targeting July 2020.

omar-dulaimi commented 4 years ago

Hello @rakshb We deployed the WAF security automations CloudFront template a month or two ago, and it deployed the classic version. What should we do now to upgrade to version 2?

rakshb commented 4 years ago

Hi @omar-dulaimi. You will have to deploy V3.0 as a fresh installation. Since the WAF API was updated, there is no direct upgrade path from V2.3.3 to V3.0

ghost commented 4 years ago

@rakshb Hey, could it be that 'os.getenv' doesn't get the environment variables properly? I had a problem in the log-parser script in the new WAFv2 template, and changing 'os.getenv' to 'os.environ' solved it for me. This was the only change that I made.

aijunpeng commented 4 years ago

@galrosencov What issue are you talking about?

ghost commented 4 years ago

@aijunpeng I worked with the new WAFv2 template and used its scripts like log_parser & access_handler. 'os.getenv' is used in these scripts, and I noticed that environment variables don't get passed properly. When I changed it from os.getenv to os.environ it worked perfectly, not sure why exactly.

aijunpeng commented 4 years ago

Thanks for your response. os.getenv and os.environ are equivalent in function. It has been tested that os.getenv works in the WAFv2 solution. I don't have enough information about your use case to know what's going on with your source code, but I am glad that you found a way that works for you. And below is a link that you might find useful on this issue. https://stackoverflow.com/questions/16924471/difference-between-os-getenv-and-os-environ-get

Thanks again for the comment.
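On the os.getenv versus os.environ point in the comments above: os.getenv(name) is os.environ.get(name), so an absent or misspelled variable silently yields None, while os.environ[name] raises KeyError at the point of use. The following is an added example, not code from the solution's log_parser or access_handler scripts; the variable names are hypothetical and only illustrate a fail-fast loader for a Lambda's settings.

```python
"""Added example (not from aws-waf-security-automations): why a script that
reads settings with os.getenv() can look like it "doesn't get" its variables,
and a loader that reports every missing variable instead of silently using None.
"""
import os

# Hypothetical variable names modelled on a log-parser style Lambda; they are
# assumptions for this example, not the project's real configuration keys.
REQUIRED_VARS = ("IP_SET_ID", "LOG_BUCKET", "REGION")


def read_with_getenv(name, env=None):
    """Same semantics as os.getenv: returns None when the variable is absent."""
    env = os.environ if env is None else env
    return env.get(name)


def read_with_environ(name, env=None):
    """Same semantics as os.environ[name]: raises KeyError when absent."""
    env = os.environ if env is None else env
    return env[name]


def load_config(env=None):
    """Return the required settings as a dict, or raise naming all missing ones.

    An empty string counts as missing, since an unset-but-present variable is
    the usual symptom of a template or deployment wiring mistake.
    """
    env = os.environ if env is None else env
    missing = [v for v in REQUIRED_VARS if not env.get(v)]
    if missing:
        raise RuntimeError("missing environment variables: " + ", ".join(missing))
    return {v: env[v] for v in REQUIRED_VARS}


if __name__ == "__main__":
    # Constructed environment with one variable misspelled (LOGBUCKET).
    fake_env = {"IP_SET_ID": "ipset-1", "LOGBUCKET": "waf-logs", "REGION": "us-east-1"}
    print(read_with_getenv("LOG_BUCKET", fake_env))   # None, no error raised
    try:
        read_with_environ("LOG_BUCKET", fake_env)
    except KeyError as exc:
        print("KeyError:", exc)                         # fails at point of use
    try:
        load_config(fake_env)
    except RuntimeError as exc:
        print(exc)                                      # names LOG_BUCKET
```

Running the loader at handler start, rather than reading each variable where it is used, turns a silent None deep in the log-parsing path into one clear error in the Lambda log.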