ss2pl is a small script that updates the rules of an AWS Prefix List to match the IPs of an Akamai SiteShield Map.
The program does the following actions:
- Retrieve the list of SiteShield Maps from Akamai
- Only process the maps which:
- Are not acknowledged
- Have an entry in the program's configuration
- For each of the processed maps, do the following:
- If the list of proposed CIDRs is empty, skip it and log a warning.
- Compute the new IPs to add
- Compute the old IPs to remove
- Update the prefix list
- Acknowledge the SiteShield Map change if the Prefix List update was successful.
Configuration is read from an AWS Secret. The program must be told how to reach that secret either through ENV vars or
through an .env file, located in the CWD:
AWS_SECRET_NAME=some_secret/dev
AWS_SECRET_REGION=us-east-1
AWS_PROFILE=some_aws_profile # this is optionalThe configuration is expected to be valid JSON (it's parsed by Python's
json.loads function).
The following is the expected layout:
akamai: Akamai-related configuration object. The fields can be obtained from Akamai identity pageaccess_tokenclient_tokenclient_secrethost: must start with a scheme, usuallyhttps://
ss_to_pl: A mapping of SiteShield Map ids to AWS Prefix List Definitions<site_shield_map_id>:name: a PrefixList name, used for logging purposesprefix_list_id: the AWS Prefix List id, as defined on AWSdescriptionoptional: description to add to the PrefixList rules, defaults to SiteShield if emptyregion_name: AWS region where the PrefixList livesaccountoptional: object describing an AWS account if the PrefixList isn't in the base accountname: AWS Account name, used for logging purposesid: The 12-digit ID of the accountrole_name: the name of the role to be assumed
Example JSON config:
{
"akamai": {
"client_secret": "=_akamai_client_secret_=",
"host": "https://akab-some-host-name.luna.akamaiapis.net",
"access_token": "akab-some-access-token",
"client_token": "akab-some-client-token"
},
"ss_to_pl": {
"1234567": {
"name": "Prefix List Name",
"prefix_list_id": "pl-1234567890abdefab",
"region_name": "eu-west-3",
"account": {
"name": "some-account-name",
"id": 123456789012,
"role_name": "role-name-to-assume"
}
}
}
}In order to function, the program needs to be able to call the relevant AWS APIs, namely those centered around EC2 Prefix Lists. This authorisation has to be added to any role that will be used to interact with a Prefix List. Below is an example of a minimal policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"ec2:DescribeManagedPrefixLists",
"ec2:GetManagedPrefixListEntries",
"ec2:ModifyManagedPrefixList"
],
"Resource": "arn:aws:ec2:eu-west-3:123456789123:prefix-list/pl-0123456789abcdef0"
}
]
}The program will also need to be able to read its configuration from AWS Secret Manager. This has to be added to the base role. Example:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"secretsmanager:GetSecretValue",
"secretsmanager:DescribeSecret",
"secretsmanager:ListSecretVersionIds"
],
"Resource": "arn:aws:secretsmanager:eu-west-3:123456789012:secret:super-secret/dev-*"
}
]
}On Akamai you'll have to create an API client. As this application shouldn't be tied to a particular human user, I'd recommend creating a new API Service Account. This client can then have multiple "Authorized users" who may manage it.
You'll need to create a new Client Token and fetch the client secret.
The program requires read-write level access to the SiteShield API. Write is required for acknowledging the change. You'll also have to add the Editor Role for the groups containing the SiteShield APIs you want to manage.
As this is made mainly for my own use, there are some limitations. Namely:
- Only one set of Akamai credentials can be loaded at a time. If you need multiple Akamai credentials, you'll have to run multiple instances.
- Only one Managed Prefix List per Site Shield Map is supported.
- The program is expected to run on AWS using an Instance/Task role as the starting point for authentication to AWS. In case the program runs somewhere else, there is basic support for the AWS_PROFILE environment variable. If this variable is used, it expects to find the credentials in the usual places. Refer to the AWS Docs for more information.
- It doesn't attempt to be smart, so you may configure the same Prefix List multiple times. It will then be modified multiple times.
This program is distributed under the terms of the 3-Clause BSD License.