This repository defines a CDK construct for provisioning an AWS Web Application Firewall (WAF) stack. It can be imported and used within CDK application. ##Example The following CDK snippet can be used to provision the an AWS WAF stack.
import 'source-map-support/register';
const cdk = require('@aws-cdk/core');
import { WebApplicationFirewall } from '@aligent/cdk-waf';
import { Stack } from '@aws-cdk/core';
import { Environment } from '@aws-cdk/core'
import { env } from 'node:process';
const preprodEnv: Environment = {account: '<TargetAccountId-Preprod>', region: '<TargetAccountRegion-Preprod>'};
const target = '<TargetAccountIdentifier>';
const appName = 'WAF';
const defaultAllowedIPv4s = [
'a.a.a.a/32', 'b.b.b.b/32', // Offices
'c.c.c.c/32', 'd.d.d.d/32', // Payment Gateways
]
const defaultAllowedIPv6s = [
'1234:abcd:5678:ef01::/56', // Offices
'1234:ef01:5678:abcd::/56', // Security Scanner
]
export const preProductionWafStackProps = {
env: preprodEnv,
activate: true, // Update this line with either true or false, defining Block mode or Count-only mode, respectively.
allowedIPs: defaultAllowedIPs.concat([
'y.y.y.y/32' // AWS NAT GW of preprod vpc
// environment-specific comma-separated allow-list comes here
]),
allowedUserAgents: [], // Allowed User-Agent list that would have been blocked by AWS BadBot rule. Case-sensitive. Optional.
excludedAwsRules: [], // The rule to exclude (override) from AWS-managed RuleSet. Optional.
associatedLoadBalancerArn: '<ArnOfPreproductionFrontendALB>',
wafName: <NAME>
}
class WAFStack extends Stack {
constructor(scope: Construct, id: string, props: preprodEnv) {
super(scope, id, props);
new WebApplicationFirewall(scope, 'waf-stack', prod);
}
}
new WAFStack(scope, envName, preProductionWafStackProps);
By default, WebACL this stack creates will work in COUNT mode to begin with.After a certain period of monitoring under real traffic and load, apply necessary changes, e.g. IP allow_list or rate limit, to avoid service interruptions before switching to BLOCK mode.
NPM link can be used to develop the module locally.
- Pull this repository locally
cd
into this repository- run
npm link
cd
into the downstream repo (target project, etc) and runnpm link '@aligent/cdk-waf'
The downstream repository should now include a symlink to this module. Allowing local changes to be tested before pushing. You may want to update the version notation of the package in the downstream repository'spackage.json
.