
Releases: globaldatanet/aws-firewall-factory

4.3.1

27 May 12:03
a078d04

Added

  • Issue#365 UnutilizedWafs - Added automated identification of unused WAFs: a Lambda finds WebACLs that protect no resources and reports them through the configured notification channels, so WAF sprawl is addressed proactively and unattached WebACLs no longer cost money or linger as unmanaged configuration.
  • Added an example IAM role that can be used for CI/CD deployments.
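The unused-WAF detection described above, as an added example that is not part of aws-firewall-factory. The `WafInventory` interface and the sample inventory are constructed for offline use; a real implementation would back the interface with `ListWebACLsCommand` and `ListResourcesForWebACLCommand` from `@aws-sdk/client-wafv2` and, because `ListResourcesForWebACL` only covers REGIONAL scope, `ListDistributionsByWebACLIdCommand` from `@aws-sdk/client-cloudfront` for CLOUDFRONT-scope ACLs.

```typescript
// Added example, not project code: detect WebACLs that protect nothing.
// WafInventory and sampleInventory are constructed for offline use (assumption);
// see the lead-in for the real SDK commands they stand in for.

export type Scope = "REGIONAL" | "CLOUDFRONT";

export interface WebAclSummary {
  Name: string;
  ARN: string;
}

export interface WafInventory {
  listWebAcls(scope: Scope): Promise<WebAclSummary[]>;
  // REGIONAL only: ARNs of ALBs, API Gateway stages, AppSync APIs, ... bound to the ACL
  listResourcesForWebAcl(webAclArn: string): Promise<string[]>;
  // CLOUDFRONT only: IDs of distributions that reference the ACL
  listDistributionsByWebAclId(webAclArn: string): Promise<string[]>;
}

export interface UnusedWebAcl {
  scope: Scope;
  name: string;
  arn: string;
}

export async function findUnusedWebAcls(
  client: WafInventory,
  scopes: Scope[] = ["REGIONAL", "CLOUDFRONT"],
  // Name patterns for ACLs that are intentionally kept unattached (e.g. templates).
  ignore: RegExp[] = [],
): Promise<UnusedWebAcl[]> {
  const unused: UnusedWebAcl[] = [];
  for (const scope of scopes) {
    for (const acl of await client.listWebAcls(scope)) {
      if (ignore.some((re) => re.test(acl.Name))) continue;
      // The association lookup differs per scope; using the WAFv2 call for a
      // CloudFront ACL would report nothing and produce a false "unused".
      const bound =
        scope === "REGIONAL"
          ? await client.listResourcesForWebAcl(acl.ARN)
          : await client.listDistributionsByWebAclId(acl.ARN);
      if (bound.length === 0) unused.push({ scope, name: acl.Name, arn: acl.ARN });
    }
  }
  return unused;
}

// Plain-text body for a Slack/Teams incoming webhook message (assumption:
// both accept a JSON payload with a "text" field).
export function formatUnusedReport(unused: UnusedWebAcl[]): string {
  if (unused.length === 0) return "No unused WebACLs found.";
  return [
    `${unused.length} WebACL(s) have no associated resources:`,
    ...unused.map((u) => `- [${u.scope}] ${u.name} (${u.arn})`),
  ].join("\n");
}

// Constructed inventory: one attached and one unattached ACL per scope.
export const sampleInventory: WafInventory = {
  async listWebAcls(scope) {
    const region = scope === "REGIONAL" ? "eu-central-1" : "us-east-1";
    const kind = scope === "REGIONAL" ? "regional" : "global";
    return ["shop-prod", "shop-legacy"].map((name) => ({
      Name: name,
      ARN: `arn:aws:wafv2:${region}:123456789012:${kind}/webacl/${name}/00000000-0000-0000-0000-000000000000`,
    }));
  },
  async listResourcesForWebAcl(arn) {
    return arn.includes("/shop-prod/")
      ? ["arn:aws:elasticloadbalancing:eu-central-1:123456789012:loadbalancer/app/shop/abc123"]
      : [];
  },
  async listDistributionsByWebAclId(arn) {
    return arn.includes("/shop-prod/") ? ["E2EXAMPLE1234"] : [];
  },
};
```

Run `findUnusedWebAcls(sampleInventory)` to get the two `shop-legacy` entries; pass an `ignore` pattern for ACLs that are meant to stay unattached so they are not reported every run.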

Fixed

  • Issue#380 Fixes on the CloudWatch dashboard.
  • Restructured the Lambda code with ShareComonents to reduce duplicated code.
  • Using cdk-sops-secrets now for all Webhooks - see WebHookSecretDefinition:
 {
   WebhookUrl: string
   Messenger: "Slack" | "Teams"
 }
  • Re-added the optional Lambda function in the prerequisite stack that sends notifications about potential DDoS activity on protected resources to messengers (Slack/Teams) - [AWS Shield Advanced]. It had been dropped while migrating the Lambdas from Python to TypeScript.
  • Bump @aws-sdk/client-cloudformation from 3.554.0 to 3.556.0
  • Bump @aws-sdk/client-cloudfront from 3.568.0 to 3.577.0
  • Bump @aws-sdk/client-cloudwatch from 3.554.0 to 3.556.0
  • Bump @aws-sdk/client-config-service from 3.568.0 to 3.577.0
  • Bump @aws-sdk/client-ec2 from 3.568.0 to 3.577.0
  • Bump @aws-sdk/client-fms from 3.554.0 to 3.577.0
  • Bump @aws-sdk/client-pricing from 3.554.0 to 3.556.0
  • Bump @aws-sdk/client-s3 from 3.569.0 to 3.577.0
  • Bump @aws-sdk/client-service-quotas from 3.554.0 to 3.577.0
  • Bump @aws-sdk/client-shield from 3.554.0 to 3.556.0
  • Bump @aws-sdk/client-ssm from 3.554.0 to 3.577.0
  • Bump @aws-sdk/client-wafv2 from 3.554.0 to 3.556.0
  • Bump aws-cdk from 2.137.0 to 2.142.0
  • Bump aws-cdk-lib from 2.137.0 to 2.142.0
  • Bump @typescript-eslint/eslint-plugin from 7.6.0 to 7.9.0
  • Bump @typescript-eslint/parser from 7.6.0 to 7.9.0
  • Bump @types/lodash from 4.17.0 to 4.17.1

4.3.0

17 Apr 14:08
5ea87b1

Added

  • Allow reusing IP sets with the same name. This commit differentiates IP sets from different FMS configs by adding the name of the WebACL to the IP set name. Without it, running aws-firewall-factory for two configs that use an IP set with the same name failed on CloudFormation ('IpSet with name x already exists') - (Add name of the web application firewall to the IPSet name) - ⚠️ Existing IP sets will be replaced during the next update.
  • CheckCapacity: see which rule failed. The capacity check now reports which rule failed, so the rule that needs fixing is known immediately.
  • Save chars on the ManagedServiceData FMS prop. ManagedServiceData has a hard limit of 8192 characters. I've asked AWS about raising it and they said that this is a hard limit and they can't raise it. This commit saves as many chars as we can in the ManagedServiceData prop, for squeezing in our rules (even if they have a ton of RuleActionOverrides on them).
  • Values: allow async code. The firewall config is now loaded with a dynamic import, so that people who want to run async code in it can rely on all of it completing during the import.
  • Issue#317 Evaluation time windows for request aggregation with rate-based rules. You can now select time windows of 1, 2 or 10 minutes in addition to the previously supported 5 minutes.
  • Extend Guidance Helper to check for valid Evaluation time windows.
  • CustomRule StatementType is now part of the log Capacity Table
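A way to keep an eye on the 8192-character ManagedServiceData limit mentioned above, as an added example that is not the project's own code. It serialises a candidate policy object without whitespace, drops keys that carry no information, and reports how much room is left. The sample policy is constructed in the shape of an FMS WAFv2 policy; the limit value is the one the release note cites.

```typescript
// Added example, not project code: measure a ManagedServiceData payload
// against the 8192-character limit cited in the release notes.

export const MANAGED_SERVICE_DATA_LIMIT = 8192;

// Recursively remove undefined values and empty arrays. Empty objects are
// deliberately kept: in WAFv2 an action such as {"count": {}} is expressed as an
// empty object, so dropping them would silently change the policy. null is kept
// as well (FMS examples use an explicit "version": null); this example does not
// assume omission is equivalent.
export function compact(value: unknown): unknown {
  if (Array.isArray(value)) {
    return value.map(compact).filter((v) => v !== undefined);
  }
  if (value !== null && typeof value === "object") {
    const src = value as Record<string, unknown>;
    const out: Record<string, unknown> = {};
    for (const key of Object.keys(src)) {
      const c = compact(src[key]);
      if (c === undefined) continue;
      if (Array.isArray(c) && c.length === 0) continue;
      out[key] = c;
    }
    return out;
  }
  return value;
}

export interface SizeReport {
  json: string;
  chars: number;
  remaining: number;
  withinLimit: boolean;
}

export function measureManagedServiceData(policy: unknown): SizeReport {
  // No indentation: every whitespace character would count against the limit.
  const json = JSON.stringify(compact(policy));
  return {
    json,
    chars: json.length,
    remaining: MANAGED_SERVICE_DATA_LIMIT - json.length,
    withinLimit: json.length <= MANAGED_SERVICE_DATA_LIMIT,
  };
}

// Constructed sample in the shape of an FMS WAFv2 policy's ManagedServiceData.
export const samplePolicy = {
  type: "WAFV2",
  preProcessRuleGroups: [
    {
      ruleGroupType: "ManagedRuleGroup",
      managedRuleGroupIdentifier: {
        vendorName: "AWS",
        managedRuleGroupName: "AWSManagedRulesCommonRuleSet",
        version: null,
      },
      overrideAction: { type: "NONE" },
      ruleGroupArn: null,
      excludeRules: [], // empty: dropped by compact()
      ruleActionOverrides: [
        { name: "SizeRestrictions_BODY", actionToUse: { count: {} } }, // empty object: kept
      ],
      sampledRequestsEnabled: true,
    },
  ],
  postProcessRuleGroups: [], // empty: dropped by compact()
  defaultAction: { type: "BLOCK" },
  overrideCustomerWebACLAssociation: false,
  loggingConfiguration: null,
};
```

`measureManagedServiceData(samplePolicy).remaining` tells you how many characters are left before a deployment would be rejected; run it in CI before `cdk deploy` so a growing list of RuleActionOverrides fails early rather than at CloudFormation time.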

Fixed

  • RateBasedStatement.CustomKeys is an array of objects, not an object.
  • Recursive code for adding RateBasedStatement.ScopeDownStatement. The ScopeDownStatement of a RateBasedStatement can contain And, Or and Not statements, just like any other Statement. Without this fix, deploying RateBasedStatements with complex ScopeDownStatements failed during capacity checking.
  • Don't enforce an update if the EnforceUpdate prop is not defined. If it's not defined, EnforceUpdate is set to false.
  • Enhanced the enum check to handle API throttling by adding sleep functionality.
  • Bumped Jest from version 29.7.0 to 29.7.0
  • Bumped TypeScript from version 5.3.3 to 5.4.5
  • Bumped ESLint from version 8.56.0 to 8.56.0
  • Bumped Axios from version 1.6.5 to 1.6.8
  • Bumped @typescript-eslint/parser and @typescript-eslint/eslint-plugin from version 6.19.0 to 7.6.0
  • Bumped AWS CDK from version 2.121.1 to 2.137.0
  • Bumped @aws-sdk/client-cloudformation, @aws-sdk/client-cloudwatch, @aws-sdk/client-fms, @aws-sdk/client-pricing, @aws-sdk/client-service-quotas, @aws-sdk/client-shield, @aws-sdk/client-ssm, and @aws-sdk/client-wafv2 from version 3.490.0 to 3.554.0
  • Removed redundant declaration of "@typescript-eslint/eslint-plugin" and "@typescript-eslint/parser" dependencies.
  • Removed redundant declaration of "@types/lodash" dependency.
  • Added missing comma after TypeScript version 5.3.3 in devDependencies.
  • Add the CDK Toolkit StackName to cdk diff in the taskfile. Without the toolkit stack name set, cdk diff sometimes failed for templates larger than 50 KiB with an error like:
    • The template for stack "YOURSTACKNAME" is 64KiB. Templates larger than 50KiB must be uploaded to S3.
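The nesting described in the Added and Fixed lists above (rate-based evaluation windows, CustomKeys as an array, and a ScopeDownStatement that can itself contain And/Or/Not statements) as one recursive walk, added here as an example that is not the project's own code. The `Statement` type is a hand-written subset of the wafv2 statement shape, the walk counts leaf statements and nesting depth rather than computing WCUs, and the sample trees are constructed.

```typescript
// Added example, not project code: recursive validation of a WAFv2-style
// statement tree. Statement is a hand-written subset of the wafv2 shape.

export const VALID_EVALUATION_WINDOWS_SEC = [60, 120, 300, 600];

export interface Statement {
  AndStatement?: { Statements: Statement[] };
  OrStatement?: { Statements: Statement[] };
  NotStatement?: { Statement: Statement };
  RateBasedStatement?: {
    Limit: number;
    AggregateKeyType: "IP" | "FORWARDED_IP" | "CUSTOM_KEYS" | "CONSTANT";
    EvaluationWindowSec?: number; // 300 when omitted
    CustomKeys?: unknown; // must be an array of key objects
    ScopeDownStatement?: Statement; // may nest And/Or/Not again
  };
  ByteMatchStatement?: Record<string, unknown>;
  GeoMatchStatement?: Record<string, unknown>;
  IPSetReferenceStatement?: Record<string, unknown>;
}

export interface WalkResult {
  leaves: number; // statements that inspect the request directly
  maxDepth: number; // deepest nesting level, root = 1
  problems: string[]; // findings, each prefixed with the path that triggered it
}

function merge(into: WalkResult, child: WalkResult): void {
  into.leaves += child.leaves;
  into.maxDepth = Math.max(into.maxDepth, child.maxDepth);
  into.problems.push(...child.problems);
}

export function walkStatement(stmt: Statement, path = "Statement", depth = 1): WalkResult {
  const result: WalkResult = { leaves: 0, maxDepth: depth, problems: [] };

  if (stmt.AndStatement || stmt.OrStatement) {
    const kind = stmt.AndStatement ? "AndStatement" : "OrStatement";
    const children = (stmt.AndStatement ?? stmt.OrStatement)!.Statements;
    if (children.length === 0) result.problems.push(`${path}.${kind}: Statements must not be empty`);
    children.forEach((c, i) =>
      merge(result, walkStatement(c, `${path}.${kind}.Statements[${i}]`, depth + 1)),
    );
    return result;
  }
  if (stmt.NotStatement) {
    merge(result, walkStatement(stmt.NotStatement.Statement, `${path}.NotStatement.Statement`, depth + 1));
    return result;
  }
  if (stmt.RateBasedStatement) {
    const rb = stmt.RateBasedStatement;
    const here = `${path}.RateBasedStatement`;
    result.leaves = 1;
    const window = rb.EvaluationWindowSec ?? 300;
    if (!VALID_EVALUATION_WINDOWS_SEC.includes(window)) {
      result.problems.push(
        `${here}: EvaluationWindowSec ${window} is not one of ${VALID_EVALUATION_WINDOWS_SEC.join("/")}`,
      );
    }
    if (rb.AggregateKeyType === "CUSTOM_KEYS" && !Array.isArray(rb.CustomKeys)) {
      result.problems.push(`${here}: CustomKeys must be an array of key objects`);
    }
    // The scope-down statement is a full statement tree: recurse, don't special-case.
    if (rb.ScopeDownStatement) {
      merge(result, walkStatement(rb.ScopeDownStatement, `${here}.ScopeDownStatement`, depth + 1));
    }
    return result;
  }
  if (stmt.ByteMatchStatement || stmt.GeoMatchStatement || stmt.IPSetReferenceStatement) {
    result.leaves = 1;
    return result;
  }
  result.problems.push(`${path}: no statement type set`);
  return result;
}

// Constructed sample: AND of a geo match and a rate-based rule whose scope-down
// is an OR containing a nested NOT.
export const sampleStatement: Statement = {
  AndStatement: {
    Statements: [
      { GeoMatchStatement: { CountryCodes: ["DE", "AT"] } },
      {
        RateBasedStatement: {
          Limit: 1000,
          AggregateKeyType: "IP",
          EvaluationWindowSec: 120,
          ScopeDownStatement: {
            OrStatement: {
              Statements: [
                { ByteMatchStatement: { FieldToMatch: { UriPath: {} }, SearchString: "/login", PositionalConstraint: "STARTS_WITH" } },
                { NotStatement: { Statement: { IPSetReferenceStatement: { ARN: "arn:aws:wafv2:eu-central-1:123456789012:regional/ipset/trusted/00000000-0000-0000-0000-000000000000" } } } },
              ],
            },
          },
        },
      },
    ],
  },
};
```

`walkStatement(sampleStatement)` reports four leaves, a nesting depth of five and no problems; the same function flags a 180-second window or an object-shaped `CustomKeys` before the rule ever reaches the capacity check.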

4.2.3

23 Feb 09:53
ec896aa

Added

  • Initial release of the Enum Checker script. It checks whether new labels and rules are available for managed rule groups and prints clear output listing any new labels or rules discovered.
  • Issue#295 - Optional Athena table added to the Prerequisites stack: introduces support for an Athena table over the WAF (web application firewall) logs. Users can now easily query and analyse WAF log data using Athena and gain insight into web application security events, including blocked requests, allowed traffic and threat patterns.
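The core of an enum check like the one described above, together with the sleep-and-retry for API throttling that the 4.3.0 notes add to it, as an added example that is not the project's Enum Checker. The real lookup is `DescribeManagedRuleGroupCommand` from `@aws-sdk/client-wafv2` (its `Rules[].Name` and `AvailableLabels[].Name` fields); here the lookup is injected and the response is constructed, the "known" lists are a small subset of AWSManagedRulesCommonRuleSet plus one made-up removed entry, and the set of throttling error names is an assumption.

```typescript
// Added example, not project code: diff a managed rule group's advertised rules
// and labels against a local enum, with backoff on throttling errors.

export interface ManagedRuleGroupDescription {
  Rules: { Name: string }[];
  AvailableLabels: { Name: string }[];
}

export interface EnumDiff {
  newRules: string[]; // advertised by AWS, missing from the local enum
  newLabels: string[];
  removedRules: string[]; // in the local enum, no longer advertised
}

export function diffAgainstEnum(
  desc: ManagedRuleGroupDescription,
  knownRules: string[],
  knownLabels: string[],
): EnumDiff {
  const liveRules = new Set(desc.Rules.map((r) => r.Name));
  const liveLabels = new Set(desc.AvailableLabels.map((l) => l.Name));
  return {
    newRules: Array.from(liveRules).filter((n) => !knownRules.includes(n)).sort(),
    newLabels: Array.from(liveLabels).filter((n) => !knownLabels.includes(n)).sort(),
    removedRules: knownRules.filter((n) => !liveRules.has(n)).sort(),
  };
}

// Error names treated as throttling (assumed set; extend as needed).
const THROTTLE_ERRORS = new Set(["ThrottlingException", "TooManyRequestsException"]);

export async function withThrottleRetry<T>(
  call: () => Promise<T>,
  maxAttempts = 5,
  baseDelayMs = 250,
  sleep: (ms: number) => Promise<void> = (ms) => new Promise((r) => setTimeout(r, ms)),
): Promise<T> {
  for (let attempt = 1; ; attempt++) {
    try {
      return await call();
    } catch (err) {
      const name = (err as { name?: string }).name ?? "";
      // Only throttling is retried; anything else (AccessDenied, bad input) surfaces at once.
      if (!THROTTLE_ERRORS.has(name) || attempt >= maxAttempts) throw err;
      // Exponential backoff: 250, 500, 1000, ... ms with the default base delay.
      await sleep(baseDelayMs * Math.pow(2, attempt - 1));
    }
  }
}

// Constructed response: one rule and one label the local enum does not know
// yet; "ExampleRemovedRule" in the enum is made up to show the removed case.
export const sampleDescription: ManagedRuleGroupDescription = {
  Rules: [
    { Name: "NoUserAgent_HEADER" },
    { Name: "UserAgent_BadBots_HEADER" },
    { Name: "SizeRestrictions_QUERYSTRING" },
    { Name: "EC2MetaDataSSRF_BODY" },
  ],
  AvailableLabels: [
    { Name: "awswaf:managed:aws:core-rule-set:NoUserAgent_Header" },
    { Name: "awswaf:managed:aws:core-rule-set:EC2MetaDataSSRF_Body" },
  ],
};
export const knownRules = ["NoUserAgent_HEADER", "UserAgent_BadBots_HEADER", "SizeRestrictions_QUERYSTRING", "ExampleRemovedRule"];
export const knownLabels = ["awswaf:managed:aws:core-rule-set:NoUserAgent_Header"];

// Simulates an API that throttles the first `failures` calls, then succeeds.
export function flakyDescribe(failures: number): () => Promise<ManagedRuleGroupDescription> {
  let remaining = failures;
  return async () => {
    if (remaining-- > 0) {
      const err = new Error("Rate exceeded");
      err.name = "ThrottlingException";
      throw err;
    }
    return sampleDescription;
  };
}
```

Run the check as `withThrottleRetry(flakyDescribe(2)).then((d) => diffAgainstEnum(d, knownRules, knownLabels))`; the result lists `EC2MetaDataSSRF_BODY` and its label as new and `ExampleRemovedRule` as removed, which is the signal to update `enum.ts`.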

Fixed

  • Issue293 Warning on task deploy: "aws-cdk-lib.aws_lambda.FunctionOptions#logRetention is deprecated." - A fully customizable log group is now created with logs.LogGroup instead.
    ℹ️ Migrating from logRetention to logGroup changes the name of the log group.
  • False Positive for Guidance: noManageRuleGroups
  • Added new Labels and Rules which are available for Managed Rule Groups to enum.ts
  • Bump @types/node from 20.11.5 to 20.11.19
  • Bump @typescript-eslint/eslint-plugin from 6.19.0 to 7.0.0
  • Bump @aws-sdk/client-wafv2 from 3.496.0 to 3.515.0
  • Bump aws-cdk-lib from 2.121.1 to 2.128.0
  • Bump @types/uuid from 9.0.7 to 9.0.8

4.2.2

26 Jan 15:52
f408e47

Added

  • Guidance Helper v1: This helper provides comprehensive assistance in implementing best practices for AWS firewalls. It also addresses Issue279, ensuring a more robust and effective implementation. Guidances have severities: ℹ️ - can be adapted, ⚠️ should be adapted, 🚨 must be adapted - exceptions, of course, prove the rule.

Fixed

  • The conversion of rules from CDK to SDK for RateBasedStatement was experiencing issues, impacting the proper functioning essential for WCU Calculation. I'm pleased to inform you that this issue has been successfully addressed and resolved.

4.2.1

22 Jan 16:25
d6e9080

Fixed

  • Issue285 - Resolved an issue where the redeployment of changed capacity was not functioning correctly due to inconsistencies in the writing of ProcessProperties for DeployedRuleGroups.
  • Bump ts-jest from 29.1.1 to 29.1.2
  • Bump @aws-sdk/client-wafv2 from 3.490.0 to 3.496.0
  • Bump @aws-sdk/client-service-quotas from 3.490.0 to 3.496.0
  • Bump @types/node from 20.11.4 to 20.11.5
  • Bump @aws-sdk/client-pricing from 3.490.0 to 3.496.0

4.2.0

16 Jan 14:15
e0dd8d7

Fixed

  • Output of the correct ManagedRuleGroup version if the stack has already been deployed, no version has been set explicitly, or EnforceUpdate has been set.
  • Restructured the helpers to facilitate smoother integration with the code, particularly for contributors. Helpers are now separated into different files and directories grouped by AWS service / usage.
  • Fixed code smells that were found by SonarQube.
  • VersionEnabled behavior fixed for ManagedRuleGroups.
  • Python Lambda translated into TypeScript.
  • Code was improved by removing duplication and enriched with more comments and descriptions.
  • Bump @aws-sdk/client-service-quotas from 3.427.0 to 3.490.0
  • Bump @aws-sdk/client-pricing from 3.427.0 to 3.490.0
  • Bump @aws-sdk/client-shield from 3.433.0 to 3.490.0
  • Bump @aws-sdk/client-cloudformation from 3.428.0 to 3.490.0
  • Bump @aws-sdk/client-cloudwatch from 3.427.0 to 3.490.0
  • Bump @aws-sdk/client-fms from 3.427.0 to 3.490.0
  • Bump @aws-sdk/client-wafv2 from 3.427.0 to 3.490.0
  • Bump @types/node from 20.8.10 to 20.11.4
  • Bump @typescript-eslint/parser from 6.7.5 to 6.19.0
  • Bump @typescript-eslint/eslint-plugin from 6.13.2 to 6.19.0
  • Bump aws-cdk-lib from 2.100.0 to 2.121.1
  • Bump eslint from 8.53.0 to 8.56.0
  • Bump ts-node from 10.9.1 to 10.9.2
  • Bump typescript from 5.2.2 to 5.3.3
  • Bump @types/lodash from 4.14.178 to 4.14.202
  • Bump constructs from 10.2.25 to 10.3.0
  • Bump typedoc-plugin-keywords from 1.5.0 to 1.6.0

4.1.6

15 Dec 10:31
8ac079d

Fixed

  • Fixed region addressing in CloudWatch expressions for the dashboard.
  • Bump @types/aws-lambda from 8.10.124 to 8.10.130
  • Bump @typescript-eslint/eslint-plugin from 6.10.0 to 6.13.2

4.1.5

17 Nov 08:58
6d948bf

Fixed

  • Addressed missing WCU calculation for an OR statement nested within an AND statement. - Issues232
  • Addressed missing WCU calculation for an AND statement nested within an OR statement.
  • Bump @typescript-eslint/eslint-plugin from 6.7.5 to 6.10.0
  • Bump eslint from 8.51.0 to 8.53.0

4.1.4

08 Nov 18:01
247119c

Added

  • Automated documentation for the AWS Firewall Factory to assist you in utilizing our solution.
    The documentation will be updated regularly to provide you with the most current information. We also added more comments to functions and enums to give you more information. Issue 220
  • First preparations to support Network Firewalls.

Fixed

  • Console log error if only one Managed Rule Group was specified: the table output was not working for PostProcess.
  • Bump @mhlabs/cfn-diagram from 1.1.29 to 1.1.38 -> thanks to ljacobsson for the new release
  • Bump @babel/traverse to 7.23.2
  • Bump @types/uuid from 9.0.5 to 9.0.7
  • Bump @types/node from 18.16.3 to 20.8.10

4.1.3

22 Oct 10:15
0cb3def

Added

  • Optional Lambda function in the prerequisite stack that sends notifications about potential DDoS activity on protected resources to messengers (Slack/Teams) - [AWS Shield Advanced]
  • Automated test workflows of example firewalls, to ensure code quality and test coverage

Fixed

  • Bump @aws-sdk/client-cloudformation from 3.427.0 to 3.428.0
  • Bump @aws-sdk/client-shield from 3.427.0 to 3.428.0
  • Bump typescript from 4.9.5 to 5.2.2
  • Bump jest from 29.5.0 to 29.7.0
  • Bump eslint from 8.48.0 to 8.51.0