Merge pull request #249 from aws-solutions/release/v4.0.2
Updated to version v4.0.2
fhoueto-amz authored Sep 11, 2023
2 parents 130ec1b + d0347b4 commit 50ecbe0
Showing 54 changed files with 678 additions and 331 deletions.
9 changes: 9 additions & 0 deletions CHANGELOG.md
Expand Up @@ -4,6 +4,15 @@ All notable changes to this project will be documented in this file.
The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).


## [4.0.2] - 2023-09-11

### Fixed

- Update trademarked name. From aws-waf-security-automations.zip to security-automations-for-aws-waf.zip
- Refactor to reduce code complexity
- Patched requests package vulnerability leaking Proxy-Authorization headers to destination servers when redirected to an HTTPS endpoint. For more details: [CVE-2023-32681](https://nvd.nist.gov/vuln/detail/CVE-2023-32681) [Github issue 248](https://github.com/aws-solutions/aws-waf-security-automations/issues/248)

## [4.0.1] - 2023-05-19

### Fixed
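Review bot: the third Fixed bullet names CVE-2023-32681 but not the version `requests` was raised to, so an operator reading the changelog cannot confirm that a deployed Lambda bundle carries the fix; add the upgraded `requests` version next to the CVE link. Minor: "Github issue 248" should read "GitHub issue 248", the first bullet reads better as one sentence ("Updated the build artifact name from aws-waf-security-automations.zip to security-automations-for-aws-waf.zip to reflect the trademarked name"), and the hunk introduces a second blank line before the `## [4.0.2]` heading.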
11 changes: 1 addition & 10 deletions NOTICE.txt
Expand Up @@ -51,13 +51,4 @@ cffi under the MIT License
six under the MIT License
types-PyYAML under the Apache Software License
MarkupSafe under the BSD-3-Clause










typing_extensions under the PSF License and BSD License
65 changes: 33 additions & 32 deletions README.md
@@ -1,6 +1,6 @@
**[🚀 Solution Landing Page](https://aws.amazon.com/solutions/implementations/security-automations-for-aws-waf)** | **[🚧 Feature request](https://github.com/aws-solutions/aws-waf-security-automations/issues/new?assignees=&labels=feature-request%2C+enhancement&template=feature_request.md&title=)** | **[🐛 Bug Report](https://github.com/aws-solutions/aws-waf-security-automations/issues/new?assignees=&labels=bug%2C+triage&template=bug_report.md&title=)**

Note: If you want to use the solution without building from source, navigate to Solution Landing Page
**Note:** If you want to use the solution without building from source, navigate to Solution Landing Page.

## Table of contents

Expand All @@ -16,48 +16,46 @@ Note: If you want to use the solution without building from source, navigate to

<a name="solution-overview"></a>

# Solution Overview
# Solution overview

The Security Automations for AWS WAF solution is a reference implementation that automatically deploys a set of AWS WAF (web application firewall) rules that filter common web-based attacks. Users can select from preconfigured protective features that define the rules included in an AWS WAF web access control list (web ACL). Once deployed, AWS WAF protects your Amazon CloudFront distributions or Application Load Balancers by inspecting web requests.
The Security Automations for AWS WAF solution automatically deploys a set of AWS WAF (web application firewall) rules that filter common web-based attacks. Users can select from preconfigured protective features that define the rules included in an AWS WAF web access control list (web ACL). Once deployed, AWS WAF protects your Amazon CloudFront distributions or Application Load Balancers by inspecting web requests.

You can use AWS WAF to create custom, application-specific rules that block attack patterns to ensure application availability, secure resources, and prevent excessive resource consumption.

This solution can be easily installed in your AWS accounts via launching the provided AWS CloudFormation template.
You can install this solution in your AWS accounts by launching the provided AWS CloudFormation template.

For a detailed solution implementation guide, refer to Solution Landing Page [Security Automations for AWS WAF](https://aws.amazon.com/solutions/implementations/security-automations-for-aws-waf)
For a detailed solution implementation guide, refer to Solution Landing Page [Security Automations for AWS WAF](https://aws.amazon.com/solutions/implementations/security-automations-for-aws-waf).

<a name="architecture-diagram"></a>

# Architecture Diagram
# Architecture diagram

<p align="center">
<img src="source/image/architecture_diagram.png">
<br/>
</p>

Security Automations for AWS WAF architecture
*Security Automations for AWS WAF architecture*

AWS Managed Rules (A): This set of AWS managed core rules provides protection against exploitation of a wide range of common application vulnerabilities or other unwanted traffic.
The components of this solution can be grouped into the following areas of protection.

Manual IP lists (B and C): This component creates two specific AWS WAF rules that allow you to manually insert IP addresses that you want to block or allow. You can also configure IP retention and remove expired IP addresses from these IP lists.
**Note:** The group labels don’t reflect the priority level of the WAF rules.

SQL Injection (D) and XSS (E): The solution configures two native AWS WAF rules that are designed to protect against common SQL injection or cross-site scripting (XSS) patterns in the URI, query string, or body of a request.

HTTP flood (F): This component helps protect against attacks that consist of a large number of requests from a particular IP address, such as a web-layer DDoS attacks or a brute-force login attempt. This feature supports thresholds of less than 100 requests within a 5 minute period.

Scanners and Probes (G): This component parses application access logs searching for suspicious behavior, such as an abnormal amount of errors generated by an origin. It then blocks those suspicious source IP addresses for a customer-defined period of time.

IP Reputation Lists (H): This component is the IP Lists Parser AWS Lambda function which checks third-party IP reputation lists hourly for new ranges to block.

Bad Bots (I): This component automatically sets up a honeypot, which is a security mechanism intended to lure and deflect an attempted attack.
* **AWS Managed Rules (A)** – This component contains AWS Managed Rules IP reputation rule groups, baseline rule groups, and use-case specific rule groups. These rule groups protect against exploitation of common application vulnerabilities or other unwanted traffic, including those described in OWASP publications, without having to write your own rules.
* **Manual IP lists (B and C)** – These components create two AWS WAF rules. With these rules, you can manually insert IP addresses that you want to allow or deny. You can also configure IP retention and remove expired IP addresses from these IP lists.
* **SQL Injection (D) and XSS (E)** – These components configure two AWS WAF rules that are designed to protect against common SQL injection or cross-site scripting (XSS) patterns in the URI, query string, or body of a request.
* **HTTP Flood (F)** – This component protects against attacks that consist of a large number of requests from a particular IP address, such as a web-layer DDoS attack or a brute-force login attempt.
* **Scanner and Probe (G)** – This component parses application access logs searching for suspicious behavior, such as an abnormal amount of errors generated by an origin. Then it blocks those suspicious source IP addresses for a customer-defined period of time.
* **IP Reputation Lists (H)** – This component is the IP Lists Parser Lambda function that checks third-party IP reputation lists hourly for new ranges to block. These lists include the Spamhaus Don’t Route Or Peer (DROP) and Extended DROP (EDROP) lists, the Proofpoint Emerging Threats IP list, and the Tor exit node list.
* **Bad Bot (I)** – This component automatically sets up a honeypot, which is a security mechanism intended to lure and deflect an attempted attack.

<a name="customizing-the-solution"></a>

# Customizing the Solution
# Customizing the solution

<a name="prerequisites-for-customization"></a>

## Prerequisites for Customization
## Prerequisites for customization

- [AWS Command Line Interface](https://aws.amazon.com/cli/)
- Python 3.10
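Review bot: the rewritten HTTP Flood (F) bullet drops the sentence "This feature supports thresholds of less than 100 requests within a 5 minute period" that the old text carried; if that threshold behaviour still holds it is a sizing constraint operators need when choosing the rate limit, so either restore it or record in the changelog why it no longer applies. Also, "Scanner and Probe (G)" replaces "Scanners and Probes (G)"; check that the architecture diagram image and the CloudFormation parameter labels use the same wording so the letter labels still map cleanly.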
Expand All @@ -66,11 +64,13 @@ Bad Bots (I): This component automatically sets up a honeypot, which is a securi

## Build

Building from GitHub source will allow you to modify the solution, such as adding custom actions or upgrading to a new release. The process consists of downloading the source from GitHub, creating Amazon S3 buckets to store artifacts for deployment, building the solution, and uploading the artifacts to S3 in your account.
Building from GitHub source allows you to modify the solution, such as adding custom actions or upgrading to a new release. The process consists of downloading the source from GitHub, creating Amazon S3 buckets to store artifacts for deployment, building the solution, and uploading the artifacts to S3 buckets in your AWS account.

#### 1. Clone the repository

Clone or download the repository to a local directory on your linux client. Note: if you intend to modify the source code you may wish to create your own fork of the GitHub repo and work from that. This allows you to check in any changes you make to your private copy of the solution.
Clone or download the repository to a local directory on your Linux client.

**Note:** If you intend to modify the source code, can create your own fork of the GitHub repo and work from that. This way, you can check in your changes to your private copy of the solution.

**Git Clone example:**
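Review bot: the new Note in this hunk is missing its subject: "If you intend to modify the source code, can create your own fork" should read "you can create your own fork".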

Expand All @@ -86,7 +86,7 @@ wget https://github.com/aws-solutions/aws-waf-security-automations/archive/maste

#### 2. Unit test

Next, run unit tests to make sure your customized code passes the tests
Next, run unit tests to ensure that your customized code passes the tests:

```
cd <rootDir>/deployment
Expand All @@ -98,9 +98,10 @@ chmod +x ./run-unit-tests.sh

AWS Solutions use two buckets:

- One global bucket that is access via the http end point. AWS CloudFormation templates are stored here. Ex. "mybucket"
- One regional bucket for each region where you plan to deploy the solution. Use the name of the global bucket as the prefix of the bucket name, and suffixed with the region name. Regional assets such as Lambda code are stored here. Ex. "mybucket-us-east-1"
- The assets in buckets must be accessible by your account
- One global bucket that you access with the http endpoint. AWS CloudFormation templates are stored here. For example, `mybucket`.
- One regional bucket for each AWS Region where you plan to deploy the solution. Use the name of the global bucket as the prefix of the bucket name, and suffix it with the region name. Regional assets such as Lambda code are stored here. For example, `mybucket-us-east-1`.

The assets in buckets must be accessible by your account.

#### 4. Declare enviroment variables
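Review bot: the unchanged heading "#### 4. Declare enviroment variables" misspells "environment" and is worth fixing while this section is being edited. In the first bullet, "that you access with the http endpoint" should say HTTPS: the S3 template links handed to CloudFormation are https URLs, and the README should not suggest plain-HTTP access to the artifact bucket.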

Expand Down Expand Up @@ -128,16 +129,16 @@ aws s3 cp ./deployment/global-s3-assets s3://$TEMPLATE_OUTPUT_BUCKET/$SOLUTION_N
aws s3 cp ./deployment/regional-s3-assets s3://$DIST_OUTPUT_BUCKET-$AWS_REGION/$SOLUTION_NAME/$VERSION --recursive --acl bucket-owner-full-control
```

#### _Note:_ You must use proper acl and profile for the copy operation as applicable. Using randomized bucket names is recommended.
**Note:** You must use a proper ACL and profile for the copy operation as applicable. Using randomized bucket names is recommended.

<a name="deploy"></a>

## Deploy

- From your designated Amazon S3 bucket where you uploaded the deployment assets, copy the link location for the aws-waf-security-automations.template.
- Using AWS CloudFormation, launch the Security Automations for AWS WAF solution stack using the copied Amazon S3 link for the aws-waf-security-automations.template.
- From your designated S3 bucket where you uploaded the deployment assets, copy the link location for the `aws-waf-security-automations.template` file.
- Using AWS CloudFormation, launch the Security Automations for AWS WAF solution stack using the copied Amazon S3 link for the `aws-waf-security-automations.template` file.

#### _Note:_ When deploying the template for CloudFront endpoint, you can launch it only from us-east-1 region.
**Note:** When deploying the template for your CloudFront endpoint, you can launch it only from the `us-east-1` Region.

<a name="file-structure"></a>
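Review bot: the reworded Note still says "Using randomized bucket names is recommended" without giving the reason; state it (S3 bucket names are global, so a predictable name may already belong to someone else, and the deployment would then point at a bucket you do not control) so readers do not skip the advice. "A proper ACL and profile" is also vague: the `aws s3 cp` commands above already pass `--acl bucket-owner-full-control`, so say when a `--profile` is needed (for example, when the target bucket lives in a different account). The Deploy bullets and the `us-east-1` note read fine.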

Expand All @@ -163,10 +164,10 @@ This project consists of microservices that facilitate the functional areas of t

# Collection of operational metrics

This solution collects anonymous operational metrics to help AWS improve the quality and features of the solution. For more information, including how to disable this capability, please see the [implementation guide](https://docs.aws.amazon.com/solutions/latest/security-automations-for-aws-waf/operational-metrics.html).
This solution collects anonymized operational metrics to help AWS improve the quality and features of the solution. For more information, including how to disable this capability, please see the [implementation guide](https://docs.aws.amazon.com/solutions/latest/security-automations-for-aws-waf/reference.html).

<a name="license"></a>

# License

See license [here](https://github.com/aws-solutions/aws-waf-security-automations/blob/master/LICENSE.txt)
See license [here](https://github.com/aws-solutions/aws-waf-security-automations/blob/master/LICENSE.txt).
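Review bot: the operational-metrics link moves from `.../operational-metrics.html` to `.../reference.html`; confirm the new page still contains the opt-out instructions the sentence promises ("including how to disable this capability"), since `reference.html` is a more general page, and consider noting the documentation link change in the changelog. The change from "anonymous" to "anonymized" is fine.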
Expand Up @@ -13,13 +13,12 @@

AWSTemplateFormatVersion: 2010-09-09
Description: >-
(SO0006-FA) - Security Automations for AWS WAF - FA %VERSION%: This AWS CloudFormation template helps
(SO0006-FA) - Security Automations for AWS WAF - FA: This AWS CloudFormation template helps
you provision the Security Automations for AWS WAF stack without worrying about creating and
configuring the underlying AWS infrastructure.

**WARNING** This template creates an AWS Lambda function, an AWS WAF Web ACL, an Amazon S3 bucket,
and an Amazon CloudWatch custom metric. You will be billed for the AWS resources used if you
create a stack from this template.
create a stack from this template. %VERSION%

Parameters:
ActivateHttpFloodProtectionParam:
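Review bot: moving `%VERSION%` from the first Description line to the end of the billing warning makes the rendered text read "...create a stack from this template. v4.0.2"; prefer "Version %VERSION%" on its own line so the value is readable in the CloudFormation console. Also confirm the build step that substitutes the token replaces it anywhere in the file rather than only on the first Description line, and update any check that parses the version from the Description prefix.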
17 changes: 13 additions & 4 deletions deployment/aws-waf-security-automations-webacl.template
@@ -1,14 +1,23 @@
# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
# SPDX-License-Identifier: Apache-2.0
#
# Licensed under the Apache License, Version 2.0 (the "License").
# You may not use this file except in compliance with the License.
# A copy of the License is located at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# or in the "license" file accompanying this file. This file is distributed
# on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
# express or implied. See the License for the specific language governing
# permissions and limitations under the License.

AWSTemplateFormatVersion: 2010-09-09
Description: >-
(SO0006-WebACL) - Security Automations for AWS WAF %VERSION%: This AWS CloudFormation template helps
(SO0006-WebACL) - Security Automations for AWS WAF: This AWS CloudFormation template helps
you provision the Security Automations for AWS WAF stack without worrying about creating and
configuring the underlying AWS infrastructure.

**WARNING** This template creates an AWS WAF Web ACL and Amazon CloudWatch custom metrics.
You will be billed for the AWS resources used if you create a stack from this template.
You will be billed for the AWS resources used if you create a stack from this template. %VERSION%

Parameters:
ActivateAWSManagedRulesParam:
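Review bot: this is the same `%VERSION%` relocation as in the FA template above; keep the two Description blocks worded identically so the version appears in the same place for every stack. The 12-line Apache-2.0 header added here is welcome; the FA template hunk above starts at line 13, which suggests it already carries the same header, so verify that every template under `deployment/` has it.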
