{ {  “AWSTemplateFormatVersion”: “2010-09-09”,  “Description”: “This AWS CloudFormation template helps you provision the AWS WAF reactive blacklist stack without worrying about creating and configuring the underlying AWS infrastructure. **WARNING** This template creates an AWS Lambda function, an AWS WAF Web ACL, an Amazon S3 bucket, and an Amazon CloudWatch custom metric. You will be billed for the AWS resources used if you create a stack from this template. **NOTICE** Copyright 2016 Amazon.com, Inc. or its affiliates. All Rights Reserved. Licensed under the Amazon Software License (the License). You may not use this file except in compliance with the License. A copy of the License is located at http://aws.amazon.com/asl/ or in the license file accompanying this file. This file is distributed on an AS IS BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, express or implied. See the License for the specific language governing permissions and limitations under the License.”,  “Metadata”: { “AWS::CloudFormation::Interface”: {  “ParameterGroups”: [{ “Label”: {  “default”: “S3 Location” }, “Parameters”: [“CloudFrontCreateAccessLogBucket”,”CloudFrontAccessLogBucket”]  }, { “Label”: {  “default”: “Rate-Based Blacklisting Parameters” }, “Parameters”: [“RequestThreshold”, “WAFBlockPeriod”]  }],  “ParameterLabels”: { “CloudFrontCreateAccessLogBucket”: {  “default”: “Create CloudFront Access Log Bucket” }, “CloudFrontAccessLogBucket”: {  “default”: “CloudFront Access Log Bucket Name” }, “RequestThreshold”: {  “default”: “Request Threshold” }, “WAFBlockPeriod”: {  “default”: “WAF Block Period” }  } }  },
“Parameters”: { “CloudFrontCreateAccessLogBucket”: {  “Type” : “String”,  “Default” : “yes”,  “AllowedValues” : [“yes”, “no”],  “Description” : “Select Yes to create a new S3 bucket for CloudFront Access Logs. Select No if you already have an S3 bucket for CloudFront Access logs.” }, “CloudFrontAccessLogBucket”: {  “Type”: “String”,  “Default”: “”,  “Description”: “Enter the name of the S3 bucket where you will store the CloudFront access logs (e.g., http://bucket.s3-aws-region.amazonaws.com)” }, “RequestThreshold”: {  “Type”: “Number”,  “Default”: “400”,  “Description”: “Enter the maximum acceptable request per second per IP address. Default: 400 requests per minute” }, “WAFBlockPeriod”: {  “Type”: “Number”,  “Default”: “240”,  “Description”: “Enter for how long (in minutes) IP addresses should be blocked. Default: 4 hours (240 minutes)” }  },
“Conditions” : { “CreateBucket” : {“Fn::Equals” : [{“Ref” : “CloudFrontCreateAccessLogBucket”}, “yes”]}  },
“Resources”: { “WAFManualBlockSet”: {  “Type”: “AWS::WAF::IPSet”,  “Properties”: { “Name”: “Manual Block Set”  } }, “WAFAutoBlockSet”: {  “Type”: “AWS::WAF::IPSet”,  “Properties”: { “Name”: “Auto Block Set”  } }, “WAFAutoCountSet”: {  “Type”: “AWS::WAF::IPSet”,  “Properties”: { “Name”: “Auto Count Set”  } }, “WAFManualBlockRule”: {  “Type”: “AWS::WAF::Rule”,  “DependsOn”: “WAFManualBlockSet”,  “Properties”: { “Name”: “Manual Block Rule”, “MetricName”: “ManualBlockRule”, “Predicates”: [{  “DataId”: { “Ref”: “WAFManualBlockSet”  },  “Negated”: false,  “Type”: “IPMatch” }]  } }, “WAFAutoBlockRule”: {  “Type”: “AWS::WAF::Rule”,  “DependsOn”: “WAFAutoBlockSet”,  “Properties”: { “Name”: “Auto Block Rule”, “MetricName”: “AutoBlockRule”, “Predicates”: [{  “DataId”: { “Ref”: “WAFAutoBlockSet”  },  “Negated”: false,  “Type”: “IPMatch” }]  } }, “WAFAutoCountRule”: {  “Type”: “AWS::WAF::Rule”,  “DependsOn”: “WAFAutoCountSet”,  “Properties”: { “Name”: “Auto Count Rule”, “MetricName”: “AutoCountRule”, “Predicates”: [{  “DataId”: { “Ref”: “WAFAutoCountSet”  },  “Negated”: false,  “Type”: “IPMatch” }]  } }, “WAFWebACL”: {  “Type”: “AWS::WAF::WebACL”,  “DependsOn”: [“WAFManualBlockRule”, “WAFAutoBlockRule”, “WAFAutoCountRule”],  “Properties”: { “Name”: “Myo2 Malicious Requesters”, “DefaultAction”: {  “Type”: “ALLOW” }, “MetricName”: “MaliciousRequesters”, “Rules”: [{  “Action”: { “Type”: “BLOCK”  },  “Priority”: 1,  “RuleId”: { “Ref”: “WAFManualBlockRule”  } }, {  “Action”: { “Type”: “BLOCK”  },  “Priority”: 2,  “RuleId”: { “Ref”: “WAFAutoBlockRule”  } }, {  “Action”: { “Type”: “COUNT”  },  “Priority”: 3,  “RuleId”: { “Ref”: “WAFAutoCountRule”  } }]  } }, “LambdaRole”: {  “Type”: “AWS::IAM::Role”,  “Properties”: { “AssumeRolePolicyDocument”: {  “Version”: “2012-10-17”,  “Statement”: [{ “Effect”: “Allow”, “Principal”: {  “Service”: [“lambda.amazonaws.com”] }, “Action”: [“sts:AssumeRole”]  }] }, “Path”: “/”, “Policies”: [{  “PolicyName”: “S3Access”,  “PolicyDocument”: { “Version”: “2012-10-17”, “Statement”: [{  “Effect”: “Allow”,  “Action”: “s3:*”,  “Resource”: “*” }]  } }, {  “PolicyName”: “WAFAccess”,  “PolicyDocument”: { “Version”: “2012-10-17”, “Statement”: [{  “Effect”: “Allow”,  “Action”: “waf-regional:*”,  “Resource”: “*” }]  } }, {  “PolicyName”: “LogsAccess”,  “PolicyDocument”: { “Version”: “2012-10-17”, “Statement”: [{  “Effect”: “Allow”,  “Action”: “logs:*”,  “Resource”: “*” }]  } }, {  “PolicyName”: “LambdAccess”,  “PolicyDocument”: { “Version”: “2012-10-17”, “Statement”: [{  “Effect”: “Allow”,  “Action”: “lambda:*”,  “Resource”: “*” }]  } }, {  “PolicyName”: “CloudFormationAccess”,  “PolicyDocument”: { “Version”: “2012-10-17”, “Statement”: [{  “Effect”: “Allow”,  “Action”: “cloudformation:DescribeStacks”,  “Resource”: “*” }]  } }, {  “PolicyName”: “CloudWatchAccess”,  “PolicyDocument”: { “Version”: “2012-10-17”, “Statement”: [{  “Effect”: “Allow”,  “Action”: “cloudwatch:PutMetricData”,  “Resource”: “*” }]  } }]  } }, “LambdaWAFBlacklistingFunction”: {  “Type”: “AWS::Lambda::Function”,  “DependsOn”: “LambdaRole”,  “Properties”: { “Description”: {  “Fn::Join”: [“:”, [{ “Ref”: “RequestThreshold”  }, { “Ref”: “WAFBlockPeriod”  }]] }, “Handler”: “parser.lambda_handler”, “Role”: {  “Fn::GetAtt”: [“LambdaRole”, “Arn”] }, “Code”: {  “S3Bucket”: “wafipratelimitingalb”,  “S3Key”: “ratelimiting/parser.zip” }, “Runtime”: “python2.7”, “MemorySize”: “512”, “Timeout”: “300”  } }, “LambdaInvokePermission”: {  “Type”: “AWS::Lambda::Permission”,  “DependsOn”: “LambdaWAFBlacklistingFunction”,  “Properties”: { “FunctionName”: {  “Fn::GetAtt”: [“LambdaWAFBlacklistingFunction”, “Arn”] }, “Action”: “lambda:*”, “Principal”: “s3.amazonaws.com”, “SourceAccount”: {  “Ref”: “AWS::AccountId” }  } }, “S3CloudFrontAccessLogBucket”: {  “Type”: “AWS::S3::Bucket”,  “Condition” : “CreateBucket”,  “DependsOn”: “LambdaWAFBlacklistingFunction”,  “Properties”: { “BucketName”: {  “Ref”: “CloudFrontAccessLogBucket” }, “AccessControl”: “Private”, “NotificationConfiguration”: {  “LambdaConfigurations”: [{ “Event”: “s3:ObjectCreated:*”, “Filter”: {  “S3Key”: { “Rules”: [{  “Name”: “suffix”,  “Value”: “gz” }]  } }, “Function”: {  “Fn::GetAtt”: [“LambdaWAFBlacklistingFunction”, “Arn”] }  }] }  },  “DeletionPolicy”: “Retain” }  },
“Outputs”: { “CloudFrontAccessLogBucket”: {  “Description”: “CloudFront Access Log Bucket”,  “Value”: { “Ref”: “CloudFrontAccessLogBucket”  },  “Condition” : “CreateBucket” }, “RequestThreshold”: {  “Description”: “Request Threshold”,  “Value”: { “Ref”: “RequestThreshold”  } }, “WAFBlockPeriod”: {  “Description”: “WAF Block Period”,  “Value”: { “Ref”: “WAFBlockPeriod”  } }, “ManualBlockIPSetID”: {  “Description”: “Manual Block IP Set ID”,  “Value”: { “Ref”: “WAFManualBlockSet”  } }, “AutoBlockIPSetID”: {  “Description”: “Auto Block IP Set ID”,  “Value”: { “Ref”: “WAFAutoBlockSet”  } }, “AutoCountIPSetID”: {  “Description”: “Auto Count IP Set ID”,  “Value”: { “Ref”: “WAFAutoCountSet”  } }  } }

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

w

Connecting to %s