aws-solutions / aws-waf-security-automations

This solution automatically deploys a single web access control list (web ACL) with a set of AWS WAF rules designed to filter common web-based attacks.
https://aws.amazon.com/solutions/aws-waf-security-automations
Apache License 2.0

Template and log-parser.py is missing REQUEST_PER_MINUTE_LIMIT env var. #74

Closed attobyte closed 5 years ago

attobyte commented 5 years ago

log-parser.py lambda function requires the Env variable REQUEST_PER_MINUTE_LIMIT to function correctly.

The LambdaWAFLogParserFunction within aws-waf-security-automations.template is missing the REQUEST_PER_MINUTE_LIMIT ENV variable.

      Environment:
        Variables:
          OUTPUT_BUCKET: !Ref AccessLogBucket
          IP_SET_ID_BLACKLIST: !If [AlbEndpoint, !GetAtt AlbStack.Outputs.WAFBlacklistSet, !GetAtt CloudFrontStack.Outputs.WAFBlacklistSet]
          IP_SET_ID_AUTO_BLOCK: !If [AlbEndpoint, !GetAtt AlbStack.Outputs.WAFScannersProbesSet, !GetAtt CloudFrontStack.Outputs.WAFScannersProbesSet]
          BLACKLIST_BLOCK_PERIOD: !Ref WAFBlockPeriod
          ERROR_PER_MINUTE_LIMIT: !Ref ErrorThreshold
          SEND_ANONYMOUS_USAGE_DATA: !FindInMap ["Solution", "Data", "SendAnonymousUsageData"]
          UUID: !GetAtt CreateUniqueID.UUID
          LIMIT_IP_ADDRESS_RANGES_PER_IP_MATCH_CONDITION: '10000'
          MAX_AGE_TO_UPDATE: '30'
          REGION: !Ref 'AWS::Region'
          LOG_TYPE: !If [AlbEndpoint, 'alb', 'cloudfront']
          METRIC_NAME_PREFIX: !Join ['', !Split ['-', !Ref 'AWS::StackName']]
          LOG_LEVEL: !FindInMap ["Solution", "Data", "LogLevel"]
          STACK_NAME: !Ref 'AWS::StackName'

Also the aws-waf-security-automations.template is missing a parameter to set the REQUEST_PER_MINUTE_LIMIT for the LambdaWAFLogParserFunction.

hvital commented 5 years ago

Hi @attobyte

We've added this REQUEST_PER_MINUTE_LIMIT for those who need to set a threshold below 2000 req per 5 min or want to implement other customizations that are not supported by AWS WAF Rate Based Rule ... If you set this environment variable, the log parser function will also process logs like HTTP flood protection.

Need to triple check but it was supposed to be optional (that's why we have a check 'REQUEST_PER_MINUTE_LIMIT' in environ before accessing it). If the variable is not defined, it will process logs only searching for error rate (Scanner & Probe protection).

attobyte commented 5 years ago

Thank you for the clarification, I did figure out some of this after I opened the issue.

What actually confused me and why I started down this path was I didn't find #44 until later and of course I didn't see the comment in the code. :)

I am returning a 403 Error page from an ALB rule and I didn't notice errors were only being counted for target_status_code and not elb_status_code.

I do see why the change was made to use target_status_code as the LogParser would block everything WAF had blocked.

One potential workaround might be to use the elb_status_code field along with the actions_executed field. That field in the logs seems to have WAF and forward, redirect, or fixed-response when the request is sent on to the target. It seems to only have WAF when blocked at WAF or the ALB. Would need more testing.

Thanks for your comments. I consider the issue closed and thank you for your work on this template.
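An added example (not code from the solution's log-parser.py) showing the distinction discussed above: counting only target_status_code misses the 403s an ALB fixed-response rule returns, while the proposed elb_status_code plus actions_executed check catches them without re-counting what WAF already blocked. Field positions follow the documented ALB access log format; the log lines are constructed, the ARNs are placeholders, and the request_limit parameter stands in for the optional REQUEST_PER_MINUTE_LIMIT.

```python
import re
from collections import Counter

# Positional fields of an ALB access log entry (documented AWS field order).
FIELD_IDX = {"time": 1, "client": 3, "elb_status_code": 8,
             "target_status_code": 9, "actions_executed": 22}
_TOKEN = re.compile(r'"[^"]*"|\S+')  # keep double-quoted fields together

def parse_alb_line(line):
    """Split one ALB access log line into the fields used here."""
    tokens = [t.strip('"') for t in _TOKEN.findall(line)]
    rec = {name: tokens[i] for name, i in FIELD_IDX.items()}
    rec["client_ip"] = rec["client"].rsplit(":", 1)[0]
    rec["minute"] = rec["time"][:16]  # '2019-05-01T12:00' -> one-minute bucket
    return rec

def is_target_error(rec):
    """Behaviour described in the thread: count only the target's status code."""
    return rec["target_status_code"][:1] in ("4", "5")

def is_elb_error_not_waf(rec):
    """Proposed workaround: count the ELB status code unless the only action was 'waf'."""
    actions = set(rec["actions_executed"].split(","))
    return rec["elb_status_code"][:1] in ("4", "5") and actions != {"waf"}

def offending_ips(lines, error_limit, request_limit=None, classify=is_elb_error_not_waf):
    """IPs over the per-minute error limit, or over request_limit when it is set."""
    errors, requests = Counter(), Counter()
    for line in lines:
        rec = parse_alb_line(line)
        key = (rec["client_ip"], rec["minute"])
        requests[key] += 1
        errors[key] += classify(rec)
    flagged = {ip for (ip, _), n in errors.items() if n >= error_limit}
    if request_limit is not None:  # optional, like REQUEST_PER_MINUTE_LIMIT
        flagged |= {ip for (ip, _), n in requests.items() if n >= request_limit}
    return flagged

def _sample(ts, ip, elb_code, target_code, actions):
    """Constructed ALB log line; ARNs and IDs are placeholders."""
    return (f'https {ts} app/my-alb/PLACEHOLDER {ip}:43543 10.0.0.1:80 0.000 0.001 0.000 '
            f'{elb_code} {target_code} 34 366 "GET https://example.com:443/ HTTP/1.1" '
            f'"curl/7.46.0" ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 arn:PLACEHOLDER:tg '
            f'"Root=1-PLACEHOLDER" "example.com" "arn:PLACEHOLDER:cert" 1 {ts} '
            f'"{actions}" "-" "-"')

SAMPLE_LINES = [  # three 403s from an ALB fixed-response rule, one WAF block, one 200
    _sample(f"2019-05-01T12:00:0{i}.000000Z", "198.51.100.7", "403", "-", "waf,fixed-response")
    for i in range(3)
] + [_sample("2019-05-01T12:00:05.000000Z", "203.0.113.9", "403", "-", "waf"),
     _sample("2019-05-01T12:00:06.000000Z", "192.0.2.5", "200", "200", "waf,forward")]
```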

hvital commented 5 years ago

@attobyte

Just to let you know that we extracted all common customizations to a json config file.

More info here