Merge pull request #419 from globaldatanet/4.5.0

Added Support for FMS Advanced Shield policies

.github/workflows/waf_test_ipSets.yml

@@ -69,7 +69,9 @@ jobs:
         uses: docker/setup-buildx-action@v3.3.0
       - name: 🔥 Deploy Firewall to AWS
         run: |
+          export STACK_NAME=WAFStack
           task deploy config=ipSetsTests
       - name: 🗑️ Remove Firewall from AWS
         run: |
+          export STACK_NAME=WAFStack
           task destroy config=ipSetsTests

.github/workflows/waf_test_onlymanagedrulegroups.yml

@@ -68,7 +68,9 @@ jobs:
         uses: docker/setup-buildx-action@v3.3.0
       - name: 🔥 Deploy Firewall to AWS
         run: |
+          export STACK_NAME=WAFStack
           task deploy config=onlyManagedRuleGroupsTests
       - name: 🗑️ Remove Firewall from AWS
         run: |
+          export STACK_NAME=WAFStack
           task destroy config=onlyManagedRuleGroupsTests

.github/workflows/waf_test_rateBasedwithScopeDown.yml

@@ -69,7 +69,9 @@ jobs:
         uses: docker/setup-buildx-action@v3.3.0
       - name: 🔥 Deploy Firewall to AWS
         run: |
+          export STACK_NAME=WAFStack
           task deploy config=rateBasedwithScopeDownTests
       - name: 🗑️ Remove Firewall from AWS
         run: |
+          export STACK_NAME=WAFStack
           task destroy config=rateBasedwithScopeDownTests

.github/workflows/waf_test_regexPatternSets.yml

@@ -68,7 +68,9 @@ jobs:
         uses: docker/setup-buildx-action@v3.3.0
       - name: 🔥 Deploy Firewall to AWS
         run: |
+          export STACK_NAME=WAFStack
           task deploy config=regexPatternSetsTests
       - name: 🗑️ Remove Firewall from AWS
         run: |
+          export STACK_NAME=WAFStack
           task destroy config=regexPatternSetsTests

.vscode/settings.json

@@ -0,0 +1,5 @@
+{
+    "yaml.schemas": {
+        "https://www.artillery.io/schema.json": []
+    }
+}

CHANGELOG.md

@@ -1,11 +1,65 @@
 # Change Log
 
 ## Released
+## 4.5.0
+### Added
+ - Added support for deploying Shield Advanced policies, including the ability to calculate pricing. AWS Shield Advanced provides customized detection based on traffic patterns to your protected resources, detects and alerts on smaller DDoS attacks, and identifies application layer attacks by baselining traffic and spotting anomalies.
+ For Shield Advanced policies, we have introduced an Advanced Shield stack with [sample configurations](./values/examples/shield-advanced.ts).
+ __Note__: If you are deploying WAF in a CI/CD environment, make sure you set your environment variable STACK_NAME for the resource you want to deploy.
+    - `export STACK_NAME=PreRequisiteStack` => _prerequisites-stack.ts
+    - `export STACK_NAME=WAFStack` => _web-application-firewall-stack.ts
+    - `export STACK_NAME=ShieldAdvancedStack` => _shield-advanced-stack.ts
+ -  Add Shield Cloudwatch Dashboard - [Example Shield Dashboard](./static/shield-dashboard.png)- The Firewall Factory is able to provision a centralized CloudWatch Dashboard.
+ - Add Cloudwatch Alarms: Cloudwatch Alarms are now part of the prerequisite stack and can be used to triger the SNS topics incase of DDoS.
+  The Dashboard shows the ammount of DDoS attacks detected
+  - Add Grafana Dashbording - [Example Grafana Dashboard](./static/grafana-dashboard.jpg)- AWS Glue crawler job, an Amazon Athena table and an Amazon Athena view to build a Managed Grafana dashboard to visualize the events in near real time - This is an optional component in the Prequisite Stack. 
+  Example Grafana Dashboard can be found [here](./static/grafana/waf-dashboard.json)
+  __Note__:
+    - Your need to configure [Amazon Athena Data Source](https://docs.aws.amazon.com/athena/latest/ug/work-with-data-stores.html) in Amazon Managed Grafana
+      - Example Role template for Cross Account Access can be found [here](./static/cf-templates/grafana-role.yaml)
+    - ⚠️ You need to adjust the json and replace the  uid of your grafana-athena-datasource - while importing into your Grafana.
+
+
+### Fixed
+- Bump @aws-sdk/client-cloudformation to  3.606.0
+- Bump @aws-sdk/client-cloudfront to 3.606.0
+- Bump @aws-sdk/client-cloudwatch to 3.606.0
+- Bump @aws-sdk/client-config-service to 3.606.0
+- Bump @aws-sdk/client-ec2 to 3.606.0
+- Bump @aws-sdk/client-fms to 3.606.0
+- Bump @aws-sdk/client-pricing to 3.606.0
+- Bump @aws-sdk/client-s3 to 3.606.0
+- Bump @aws-sdk/client-iam to 3.606.0
+- Bump @aws-sdk/client-secrets-manager to 3.606.0
+- Bump @aws-sdk/client-service-quotas to 3.606.0
+- Bump @aws-sdk/client-shield to 3.606.0
+- Bump @aws-sdk/client-ssm to 3.606.0
+- Bump @aws-sdk/client-wafv2 to 3.606.0
+- Bump @aws-solutions-constructs/aws-eventbridge-stepfunctions to 2.60.0
+- Bump @babel/traverse to 7.24.7
+- Bump @mhlabs/cfn-diagram to 1.1.40
+- Bump @slack/types to 2.12.0
+- Bump @types/aws-lambda to 8.10.140
+- Bump @types/lodash to 4.17.6
+- Bump @types/uuid to 10.0.0
+- Bump adaptivecards to 3.0.4
+- Bump aws-cdk-lib to 2.148.0
+- Bump axios to 1.7.2
+- Bump cdk-sops-secrets to 1.12.0
+- Bump cfonts to 3.3.0
+- Bump npm to 10.8.1
+- Bump table to 6.8.2
+- Bump uuid to 10.0.0
+- Bump @types/node to 20.14.9
+- Bump @typescript-eslint/eslint-plugin to 7.14.1
+- Bump @typescript-eslint/parser to 7.14.1
+- Bump aws-cdk to 2.147.2
+- Bump ts-jest to 29.1.5
 
 ## 4.3.1
 ### Added
 - [Issue#365](https://github.com/globaldatanet/aws-firewall-factory/issues/365) UnutilizedWafs - Implemented automated identification and notification system in Firewall Factory to manage unused WAFs, leveraging Lambda and notification services to streamline infrastructure, optimize costs, and enhance security by addressing WAF sprawl proactively and ensuring efficient resource utilization.
-- Added example IAM Role which can be used for [ci-cd](./static/roles/ci-cd-role.yaml) deployments
+- Added example IAM Role which can be used for [ci-cd](./static/cf-templates/ci-cd-role.yaml) deployments
 
 ### Fixed
 - [Issue#380](https://github.com/globaldatanet/aws-firewall-factory/issues/380) Fixes on the CloudWatch dashboard.

Deployment.md

@@ -9,8 +9,11 @@
 6. Invoke `npm i` to install dependencies
 7. ⚠️ Before installing a stack to your aws account using aws cdk you need to prepare the account using a [cdk bootstrap](https://docs.aws.amazon.com/cdk/v2/guide/bootstrapping.html)
 
-8. (Optional) If you want to use CloudWatch Dashboards - You need to enable your target accounts to share CloudWatch data with the central security account follow [this](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/Cross-Account-Cross-Region.html#enable-cross-account-cross-Region) to see how to do it.
-9. (Optional) If you want to use the UnutilizedWafs Feature -  You need to enable your target accounts with a Cross Account Role - You can find an example CfnTemplate you can use [here](static/roles/cross_account_roles_unutilized_wafs.yaml).
+8. (Optional) If you want to use CloudWatch Dashboards (both Shield or Firewall) - You need to enable your target accounts to share CloudWatch data with the central security account follow [this](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/Cross-Account-Cross-Region.html#enable-cross-account-cross-Region) to see how to do it, or use the templates from here:
+    - [Monitoring account template](./static/cf-templates/monitoring-account-sink.template.yml)
+    - [Source account template](./static/cf-templates/cross_account_cw_stack.template.yml)
+
+9. (Optional) If you want to use the UnutilizedWafs Feature -  You need to enable your target accounts with a Cross Account Role - You can find an example CfnTemplate you can use [here](static/cf-templates/cross_account_roles_unutilized_wafs.yaml).
 10. Assume AWS Profile `awsume PROFILENAME`
 11. (Optional) Enter `task generateprerequisitesconfig`
 
@@ -24,13 +27,26 @@
   | FireHoseKey - KeyAlias [^1] | Alias for Key |
   | CrossAccountIdforPermissions [^1] | Id of AWS Account for CrossAccount Permission for Bucket and KMS Key(s)|
 
-10. Enter `task deploy config=NAMEOFYOURCONFIGFILE prerequisite=true`
-
-
+12. When Deploying from a CI/CD pipeline, set an environment variable STACK_NAME to specify which resources to deploy.
+      - `export STACK_NAME=PreRequisiteStack` => _prerequisites-stack.ts
+      - `export STACK_NAME=WAFStack` => _web-application-firewall-stack.ts
+      - `export STACK_NAME=ShieldAdvancedStack` => _shield-advanced-stack.ts
+13. Enter `task deploy config=NAMEOFYOURCONFIGFILE`
+14. If STACK_NAME isn't set yet, select the type of resource to be deployed (Pre-requisite Stacks, WAF or Shield Advanced)
+  ![List of Resources](./static/options.jpg "Stacks")
 ### 🏁 Deployment via Taskfile
 
 1. Create new ts file for you WAF and configure Rules in the Configuration (see [owasptopten.ts](values/examples/owasptop10.ts) to see structure) or use enter `task generate-waf-skeleton`
 
 2. Assume AWS Profile `awsume / assume PROFILENAME`
-3. (Optional) Enter `task generate-waf-skeleton`
-4. Enter `task deploy config=NAMEOFYOURCONFIGFILE`
+3. (Optional) 
+   1. Enter `task generate-waf-skeleton`
+   2. Enter `task generate-shield-skeleton`
+4. When Deploying from a CI/CD pipeline, set an environment variable STACK_NAME to specify which resources to deploy.
+    - `export STACK_NAME=PreRequisiteStack` => _prerequisites-stack.ts
+    - `export STACK_NAME=WAFStack` => _web-application-firewall-stack.ts
+    - `export STACK_NAME=ShieldAdvancedStack` => _shield-advanced-stack.ts
+5. Enter `task deploy config=NAMEOFYOURCONFIGFILE`
+6. If STACK_NAME isn't set yet, select the type of resource to be deployed (Pre-requisite Stacks, WAF or Shield Advanced)
+  ![List of Resources](./static/options.jpg "Stacks")
+

Features.md

@@ -78,4 +78,32 @@ See example:
 
 22. Centralized management of RegexPatternSets - No longer will there be a need for manual updates of RegexPatternSets across multiple AWS accounts. These can now be defined in code and replicated for use by WAF rules wherever needed.
 
-23. Automated identification and notification system in Firewall Factory to manage unused WAFs, leveraging Lambda and notification services to streamline infrastructure, optimize costs, and enhance security by addressing WAF sprawl proactively and ensuring efficient resource utilization.
+23. Automated identification and notification system in Firewall Factory to manage unused WAFs, leveraging Lambda and notification services to streamline infrastructure, optimize costs, and enhance security by addressing WAF sprawl proactively and ensuring efficient resource utilization.
+24. Support Advanced Shield policy deployment through AWS Firewall Manager. AWS Shield Advanced provides customized detection based on traffic patterns to your protected resources, detects and alerts on smaller DDoS attacks, and identifies application layer attacks by baselining traffic and spotting anomalies.
+
+25. Add Grafana Dashbording - The Firewall Factory is able to provision prequsistes and a Central Grafana Dashboard.
+  The Dashboard shows:
+    - Request Map Across Countries
+    - Request Count by Action
+    - Request by Endpoint (TOP 10)
+    - Request Count by IP (TOP 10)
+    - Top HTTP Methods
+    - Top 10 URIs
+    - Top 10 Terminating Rule Groups
+  See example:
+  ![GrafanaFirewallDashboard](./static/grafana-dashboard.jpg)
+
+26. Shield Cloudwatch Dashboard - The Firewall Factory is able to provision a centralized CloudWatch Dashboard.
+  The Dashboard shows the ammount of DDoS attacks detected
+
+  See example:
+  ![ShieldDashboard](./static/shield-dashboard.png)
+
+27. Cloudwatch Cross-Account association - The Firewall Factory offers CloudFormation templates for associating the monitoring account with source accounts:
+    - [Monitoring account template](./static/cf-templates/monitoring-account-sink.template.yml)
+    - [Source account template](./static/cf-templates/cross_account_cw_stack.template.yml)
+
+28. Add Cloudwatch Alarms - The prerequisite stack contains Cloudwatch Alarm resource that can be used to trigger the SNS topics incase of DDoS.    
+
+
+

Taskfile.yml

@@ -48,7 +48,7 @@ tasks:
   cdkdestroy:
     desc: CDK Destroy
     cmds:
-      - cdk destroy --force
+      - bash -c 'source options.sh && cdk destroy --force'
     vars:
       ACCOUNT:
         sh: aws sts get-caller-identity |jq -r .Account
@@ -60,7 +60,7 @@ tasks:
   cdkdeploy:
     desc: CDK Deploy
     cmds:
-      - cdk deploy --require-approval never {{.TAGS}} --toolkit-stack-name {{.TOOL_KIT_STACKNAME}}
+      - bash -c 'source options.sh && cdk deploy --require-approval never {{.TAGS}} --toolkit-stack-name {{.TOOL_KIT_STACKNAME}}'
     vars:
       ACCOUNT:
         sh: aws sts get-caller-identity |jq -r .Account
@@ -96,7 +96,12 @@ tasks:
       - sh: "[ '{{.WAF_TEST}}' != 'true' ]"
         msg: ⏭  Skipping WAF Testing 🧪
   generate-waf-skeleton:
-    desc: Generate Skeleton
+    desc: Generate WAF Skeleton
     silent: true
     cmds:
-      - ts-node ./lib/tools/generate-skeleton.ts
+      - ts-node ./lib/tools/generate-waf-skeleton.ts
+  generate-shield-skeleton:
+    desc: Generate Shield Skeleton
+    silent: true
+    cmds:
+      - ts-node ./lib/tools/generate-shield-skeleton.ts