npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2021 – Pkg Stats / Ryan Hefner

cdk-automated-waf

v1.0.3

Published

Cloudfront and ALB with Automated WAF

Downloads

921

Readme

NPM version PyPI version release

cdk-automated-waf

This CDK Construct modify and rebuild from Cloudfront with Automated WAF.

The solution use CDK construct to automatically deploy a set of AWS WAF rules design to filter common web-based attacks.Users can select from preconfigured protective features that define the rules included in an AWS WAF web access control list (web ACL). After the solution deploys, AWS WAF begins inspecting web requests to the user’s existing Amazon CloudFront distributions、Application Load Balancers、API Gateway, and blocks them when applicable.

What is difference

  • The project is CDK Construct which is handy to integrate into your existing CDK project.

  • Support count mode for testing WAF rule, see API.md.

  • Support Application Load Balancers and API Gateway (The origin repository doesn't support ALB any more in next release, see issue )

  • AWS Shield Advance is optional (The origin repository enforce to enable it)

Construct Props

Ref API Reference

CloudFront Usage

const envUSEast1 = {
  region: 'us-east-1',
  account: process.env.CDK_DEFAULT_ACCOUNT,
};

new cdk.Stack(app, 'TestStackAutomatedWafForCloudFront', { env: envUSEast1 });

new AutomatedWaf(stackTest1, 'AutomatedWaf', {
  waf2Scope: Waf2ScopeOption.CLOUDFRONT,
  resourceNamingPrefix: 'CloudFront_ApiGW',
  errorThreshold: 55,
  requestThreshold: 300,
  blockPeriod: 60,
  logLevel: LogLevel.DEBUG,
});

Notice the WAF region must be us-east-1 for CloudFront.

After deploying, it need to do two things on AWS Management Console.

1. Attach Cloudfront to WAF.

Click add AWS Resources

CloudFront-3

Select existing CloudFront Distribution.

CloudFront-4

2. Set S3 bucket on CloudFront standand logging

Find S3 bucket name on CloudFormation output

CloudFront-1

Set CloudFront standard logging on CloudFront Settings

CloudFront-2

:warning: Log Prefix must be AWSLogs/

Application Load Balancers Usage

const env = {
  region: process.env.CDK_DEFAULT_REGION,
  account: process.env.CDK_DEFAULT_ACCOUNT,
};

new cdk.Stack(app, 'TestStackAutomatedWafForALB', { env });

const albArn = `arn:aws:elasticloadbalancing:${cdk.Aws.REGION}:${cdk.Aws.ACCOUNT_ID}:loadbalancer/app/ApiNe-Alb16-2VIC9075YQEZ/db92cdc88d2e7c9d`;

new AutomatedWaf(stackTest2, 'AutomatedWaf', {
  waf2Scope: Waf2ScopeOption.REGIONAL,
  associatedResourceArn: albArn,
  resourceNamingPrefix: 'Alb_Api',
  errorThreshold: 50,
  requestThreshold: 300,
  blockPeriod: 60,
  logLevel: LogLevel.DEBUG,
});

After deploying, follow these steps on AWS Management Console. See below:

Find S3 bucket name on CloudFormation output

CloudFront-1

Click Edit Attributes on Basic Configuration of Load Balancers

ALB-1

Enable Access logs and input S3 bucket

ALB-2

API Gateway Usage

const env = {
  region: process.env.CDK_DEFAULT_REGION,
  account: process.env.CDK_DEFAULT_ACCOUNT,
};

new cdk.Stack(app, 'TestStackAutomatedWafForApiGW', { env });

/**
 * Ref Stage arn in https://docs.aws.amazon.com/apigateway/latest/developerguide/arn-format-reference.html
 */
const restApiArn = `arn:aws:apigateway:${cdk.Aws.REGION}::/restapis/0j90w09yf9/stages/prod`;

new AutomatedWaf(stackTest3, 'AutomatedWaf', {
  waf2Scope: Waf2ScopeOption.REGIONAL,
  associatedResourceArn: restApiArn,
  resourceNamingPrefix: 'ApiGW',
  errorThreshold: 50,
  requestThreshold: 300,
  blockPeriod: 60,
  logLevel: LogLevel.DEBUG,
});

Troubleshooting

If deployment error, the cloudFormation Error event like this

Received response status [FAILED] from custom resource. Message returned: 'HttpFloodLambdaLogParser' (RequestId: b4e08ea2-fe0a-46f8-98aa-6f96d4558579)

If any custom resource deploy error like above, delete the stack and redeploy it that will pass.