waf-automations-cdk
Usage
const wafAutomations = new WafSecurityAutomations(this, 'waf-security-automations', {
stackName: 'waf-security-automations',
accessLogBucket: myLogBucket,
options: {
// See below
},
});
// Can now use the following:
wafAutomations.webAclName // string, the name of the created webAcl, will match stackName due to implementation of the cfn template
wafAutomations.webAclArn // string, arn of the created webAcl, pass this to a Cloudfront distribution
wafAutomations.webAclId // string
wafAutomations.webAclDescription // stringThis creates a WAFv2 WebACL named matching the stackName.
Options
All are optional
| Attribute | Default | Description |
|---|---|---|
templateVersion |
'v3.1.0' |
See releases. |
activateSqlInjectionProtection |
true |
Enables the component designed to block common SQL injection attacks |
activateCrossSiteScriptingProtection |
true |
Enables the component designed to block common XSS attacks |
activateHttpFloodProtection |
true |
Enables the component designed to block HTTP flood attacks |
httpFloodProtectionMethod |
'waf' |
Alternatives: 'lambda' or 'athena'
|
activateScannersProbesProtection |
true |
Enables the component designed to block scanners and probes |
scannersProbesProtectionMethod |
'lambda' |
Alternative: 'athena'
|
activateReputationListsProtection |
true |
Enable to block requests from IP addresses on third-party reputation lists (supported lists: spamhaus, torproject, and emergingthreats). |
activateBadBotProtection |
true |
Enables the component designed to block bad bots and content scrapers |
endpointType |
'cloudfront' |
Select the type of resource being used, alternative: 'alb' (Note, see https://github.com/isotoma/waf-automations-cdk/issues/14) |
errorThresholdPerMinute |
50 | If activateScannersProbesProtection is enabled, enter the maximum acceptable bad requests per minute per IP. |
requestThresholdPerFiveMinutes |
100 | If activateHttpFloodProtection is enabled, enter the maximum acceptable requests per FIVE-minute period per IP address. >=100 if using WAF, >0 if Lambda or Athena. |
wafBlockPeriodMinutes |
240 | If activateScannersProbesProtection or activateHttpFloodProtection is enabled, enter the period (in minutes) to block applicable IP addresses. |
keepDataInOriginalS3Location |
false |
By default log files will be moved from their original location to a partitioned folder structure in s3. Set to true to copy instead. |
Development
Releasing a new version
Run
$ npm version (patch|minor|major)
$ git push origin main [tag you just created]