Update to version v3.2.1

aws-solutions · Aug 29, 2022 · d7dcb32 · d7dcb32
1 parent 8ad3681
commit d7dcb32
Show file tree

Hide file tree

Showing 5 changed files with 102 additions and 73 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -3,6 +3,10 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [3.2.1] - 2022-08-30
+### Added
+- Added support for configuring oversize handling for requests components
+- Added support for configuring sensitivity level for SQL injection rule 
 ## [3.2] - 2021-09-22
 ### Added
 - Added IP retention support on Allowed and Denied IP Sets

diff --git a/NOTICE.txt b/NOTICE.txt
@@ -1,4 +1,4 @@
-AWS WAF Security Automations
+Security Automations for AWS WAF
 
 Copyright 2021 Amazon.com, Inc. or its affiliates. All Rights Reserved.
 Licensed under the Apache License Version 2.0 (the "License"). You may not use this file except

diff --git a/README.md b/README.md
@@ -17,13 +17,13 @@ Note: If you want to use the solution without building from source, navigate to
 <a name="solution-overview"></a>
 # Solution Overview
 
-The AWS DevOps Monitoring Dashboard solution is a reference implementation that automatically deploys a set of AWS WAF (web application firewall) rules that filter common web-based attacks. Users can select from preconfigured protective features that define the rules included in an AWS WAF web access control list (web ACL). Once deployed, AWS WAF protects your Amazon CloudFront distributions or Application Load Balancers by inspecting web requests.
+The Security Automations for AWS WAF solution is a reference implementation that automatically deploys a set of AWS WAF (web application firewall) rules that filter common web-based attacks. Users can select from preconfigured protective features that define the rules included in an AWS WAF web access control list (web ACL). Once deployed, AWS WAF protects your Amazon CloudFront distributions or Application Load Balancers by inspecting web requests.
 
 You can use AWS WAF to create custom, application-specific rules that block attack patterns to ensure application availability, secure resources, and prevent excessive resource consumption.
 
 This solution can be easily installed in your AWS accounts via launching the provided AWS CloudFormation template.
 
-For a detailed solution implementation guide, refer to Solution Landing Page [AWS WAF Security Automations](https://aws.amazon.com/solutions/implementations/aws-waf-security-automations)
+For a detailed solution implementation guide, refer to Solution Landing Page [Security Automations for AWS WAF](https://aws.amazon.com/solutions/implementations/aws-waf-security-automations)
 
 <a name="architecture-diagram"></a>
 # Architecture Diagram
@@ -33,7 +33,7 @@ For a detailed solution implementation guide, refer to Solution Landing Page [AW
   <br/>
 </p>
 
-AWS WAF Security Automations architecture
+Security Automations for AWS WAF architecture
 
 AWS Managed Rules (A): This set of AWS managed core rules provides protection against exploitation of a wide range of common application vulnerabilities or other unwanted traffic.
 
@@ -121,7 +121,7 @@ aws s3 cp ./deployment/regional-s3-assets s3://$DIST_OUTPUT_BUCKET-$AWS_REGION/$
 ## Deploy
 
 * From your designated Amazon S3 bucket where you uploaded the deployment assets, copy the link location for the aws-waf-security-automations.template.
-* Using AWS CloudFormation, launch the AWS WAF Security Automations solution stack using the copied Amazon S3 link for the aws-waf-security-automations.template.
+* Using AWS CloudFormation, launch the Security Automations for AWS WAF solution stack using the copied Amazon S3 link for the aws-waf-security-automations.template.
 
 #### _Note:_ When deploying the template for CloudFront endpoint, you can launch it only from us-east-1 region.
 
@@ -152,4 +152,4 @@ This solution collects anonymous operational metrics to help AWS improve the qua
 <a name="license"></a>
 # License
 
-See license [here](https://github.com/awslabs/aws-waf-security-automations/blob/master/LICENSE.txt)
+See license [here](https://github.com/awslabs/aws-waf-security-automations/blob/master/LICENSE.txt)
diff --git a/deployment/aws-waf-security-automations-webacl.template b/deployment/aws-waf-security-automations-webacl.template
@@ -1,15 +1,5 @@
-# Copyright 2020 Amazon.com, Inc. or its affiliates. All Rights Reserved.
-#
-# Licensed under the Apache License, Version 2.0 (the "License").
-# You may not use this file except in compliance with the License.
-# A copy of the License is located at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# or in the "license" file accompanying this file. This file is distributed
-# on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
-# express or implied. See the License for the specific language governing
-# permissions and limitations under the License.
+# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+# SPDX-License-Identifier: Apache-2.0
 
 AWSTemplateFormatVersion: 2010-09-09
 Description: >-
@@ -49,20 +39,42 @@ Parameters:
     Type: String
   LogLevel:
     Type: String
+  SqlInjectionProtectionSensitivityLevelParam:
+    Type: String
 
 Conditions:
   AWSManagedRulesActivated: !Equals
     - !Ref ActivateAWSManagedRulesParam
     - 'yes'
+
+  SqlInjectionProtectionActivated:  !Not [!Equals [!Ref ActivateSqlInjectionProtectionParam, 'no']]
+
+  CrossSiteScriptingProtectionActivated: !Not [!Equals [!Ref ActivateCrossSiteScriptingProtectionParam, 'no']]
 
-  SqlInjectionProtectionActivated: !Equals
+  SqlInjectionProtectionContinueActivated: !Equals
     - !Ref ActivateSqlInjectionProtectionParam
     - 'yes'
 
-  CrossSiteScriptingProtectionActivated: !Equals
+  SqlInjectionProtectionMatchActivated: !Equals
+    - !Ref ActivateSqlInjectionProtectionParam
+    - 'yes - MATCH'
+
+  SqlInjectionProtectionNoMatchActivated: !Equals
+    - !Ref ActivateSqlInjectionProtectionParam
+    - 'yes - NO_MATCH'
+
+  CrossSiteScriptingProtectionContinueActivated: !Equals
     - !Ref ActivateCrossSiteScriptingProtectionParam
     - 'yes'
 
+  CrossSiteScriptingProtectionMatchActivated: !Equals
+    - !Ref ActivateCrossSiteScriptingProtectionParam
+    - 'yes - MATCH'
+
+  CrossSiteScriptingProtectionNoMatchActivated: !Equals
+    - !Ref ActivateCrossSiteScriptingProtectionParam
+    - 'yes - NO_MATCH'
+
   HttpFloodProtectionRateBasedRuleActivated: !Equals
     - !Ref ActivateHttpFloodProtectionParam
     - 'yes - AWS WAF rate based rule'
@@ -532,14 +544,23 @@ Resources:
                           Type: URL_DECODE
                         - Priority: 2
                           Type: HTML_ENTITY_DECODE
+                      SensitivityLevel: !Ref SqlInjectionProtectionSensitivityLevelParam
                   - SqliMatchStatement:
                       FieldToMatch:
-                        Body: {}
+                        Body: 
+                          # Select the option based on user input
+                          OversizeHandling:
+                            !If [SqlInjectionProtectionContinueActivated, 'CONTINUE', 
+                              !If [SqlInjectionProtectionMatchActivated, 'MATCH', 
+                                !If [SqlInjectionProtectionNoMatchActivated, 'NO_MATCH', 'CONTINUE']
+                              ]
+                            ]
                       TextTransformations:
                         - Priority: 1
                           Type: URL_DECODE
                         - Priority: 2
                           Type: HTML_ENTITY_DECODE
+                      SensitivityLevel: !Ref SqlInjectionProtectionSensitivityLevelParam
                   - SqliMatchStatement:
                       FieldToMatch:
                         UriPath: {}
@@ -548,6 +569,7 @@ Resources:
                           Type: URL_DECODE
                         - Priority: 2
                           Type: HTML_ENTITY_DECODE
+                      SensitivityLevel: !Ref SqlInjectionProtectionSensitivityLevelParam
                   - SqliMatchStatement:
                       FieldToMatch:
                         SingleHeader: {Name: "Authorization"}
@@ -556,6 +578,7 @@ Resources:
                           Type: URL_DECODE
                         - Priority: 2
                           Type: HTML_ENTITY_DECODE
+                      SensitivityLevel: !Ref SqlInjectionProtectionSensitivityLevelParam
                   - SqliMatchStatement:
                       FieldToMatch:
                         SingleHeader: {Name: "Cookie"}
@@ -564,6 +587,7 @@ Resources:
                           Type: URL_DECODE
                         - Priority: 2
                           Type: HTML_ENTITY_DECODE
+                      SensitivityLevel: !Ref SqlInjectionProtectionSensitivityLevelParam
           - !Ref 'AWS::NoValue'
         - !If
           - CrossSiteScriptingProtectionActivated
@@ -588,7 +612,14 @@ Resources:
                           Type: HTML_ENTITY_DECODE
                   - XssMatchStatement:
                       FieldToMatch:
-                        Body: {}
+                        Body: 
+                          OversizeHandling:
+                            # Select the option based on user input
+                            !If [CrossSiteScriptingProtectionContinueActivated, 'CONTINUE', 
+                              !If [CrossSiteScriptingProtectionMatchActivated, 'MATCH', 
+                                !If [CrossSiteScriptingProtectionNoMatchActivated, 'NO_MATCH', 'CONTINUE']
+                              ]
+                            ]
                       TextTransformations:
                         - Priority: 1
                           Type: URL_DECODE