From 846e4c964e9f75a4814808592095d430c561ee6e Mon Sep 17 00:00:00 2001
From: Matej Stajduhar
Date: Fri, 27 Sep 2024 11:20:07 +0200
Subject: [PATCH 1/2] Updated-defaults-for-aws_acl-role
---
 roles/aws/aws_acl/defaults/main.yml | 74 +++++++++++++----------------
 1 file changed, 33 insertions(+), 41 deletions(-)
diff --git a/roles/aws/aws_acl/defaults/main.yml b/roles/aws/aws_acl/defaults/main.yml
index ec0f1a0ac..c9be777d3 100644
--- a/roles/aws/aws_acl/defaults/main.yml
+++ b/roles/aws/aws_acl/defaults/main.yml
@@ -1,33 +1,24 @@ --- aws_acl: - - name: example_master_acl - description: "Master ACL for CF" + - name: "{{ _infra_name }}_main_acl" + description: "ACL rules from ce-provision-config" scope: CLOUDFRONT # Can be REGIONAL for ALBs region: "us-east-1" - tags: {} + tags: "{{ _aws_tags }}" rules: rate_limit: - value: 200 # set to 0 to skip rate limit rule, set to a value to set how many requests to allow in period before blocking + value: 600 # set to 0 to skip rate limit rule, set to a value to set how many requests to allow in period before blocking priority: 2 # can be float with 1 decimal place ip_sets: - - rule_name: "Allowed-ips" - set_name: "Office-IPs" - description: "List of IPs from office" + - rule_name: "Allowed-IPs-rule" + set_name: "Allowed-IPs-set" + description: "List of IPs from our VPNs - Ansible managed" action: allow - priority: 1 # can be float with 1 decimal place - list: [] # If the list is empty, ip set won't be recreated - #- 1.1.1.1/32 # list of ip ranges - #- 2.2.2.2/32 - #- 3.3.3.3/32 - - rule_name: "Blocked-IPs" - set_name: "DDOS-list" - description: "List of IPs That were ddosing server" - action: block - priority: 0 - list: [] # If the list is empty, ip set won't be recreated - #- 4.4.4.4/32 # list of ip ranges - #- 5.5.5.5/32 - #- 6.6.6.6/32 + priority: 1 + list: - 3.11.82.252/32 # main VPN - 159.100.242.248/32 # backup VPN, bastion2 - 3.8.9.162/32 # guest VPN country_codes: - name: "allowed-countries" action: allow 
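Review bot: The new `ip_sets` entry hard-codes three public VPN addresses into the role's `defaults/main.yml` as an `allow` rule at `priority: 1`, so every deployment that does not override `aws_acl` inherits an organisation-specific allowlist, whereas the removed default kept `list: []` and, per the removed comment, no ip set was created. If `allow` ends rule evaluation for a matching request, as it does in WAF, traffic from those addresses also bypasses the rate limit and every later rule, which the inline comments should say. I would keep the addresses as commented examples and restore the dropped line, `list: [] # If the list is empty, ip set won't be recreated`, or at minimum note next to the list that it must be overridden per deployment. `{{ _infra_name }}` and `{{ _aws_tags }}` are not defined in this hunk; presumably they come from the inventory, and an undefined variable here would fail the role when the default is rendered rather than at the ACL call.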
@@ -44,34 +35,35 @@ aws_acl: regular_rules: - name: allow_panels action: allow - statements_type: "single" # supported "and", "or" and "not" ("and" and "or" supports multiple statements) + statements_type: "single" # supported "single", "and", "or" and "not" ("and" and "or" supports multiple statements) priority: 4 statements: - - inspect: "UriPath" # Aslo supported: "SingleHeader" + - inspect: "UriPath" # Use: "SingleHeader" or "UriPath" position: "CONTAINS" string: "panels/ajax" text_trans: "NONE" - - name: block_bots - action: block - statements_type: "or" # supported "and", "or" and "not" ("and" and "or" supports multiple statements) - priority: 5 - statements: - - inspect: "SingleHeader" # Aslo supported: "SingleHeader" - position: "CONTAINS" - string: "spider" - text_trans: "LOWERCASE" - - inspect: "SingleHeader" # Aslo supported: "SingleHeader" - position: "CONTAINS" - string: "bot" - text_trans: "LOWERCASE" - - inspect: "SingleHeader" # Aslo supported: "SingleHeader" - position: "CONTAINS" - string: "crawl" - text_trans: "LOWERCASE" +# Example for multi header block +# - name: block_bots +# action: block +# statements_type: "or" # supported "single", "and", "or" and "not" ("and" and "or" supports multiple statements) +# priority: 5 +# statements: +# - inspect: "SingleHeader" # Use: "SingleHeader" or "UriPath" +# position: "CONTAINS" +# string: "spider" +# text_trans: "LOWERCASE" +# - inspect: "SingleHeader" # Use: "SingleHeader" or "UriPath" +# position: "CONTAINS" +# string: "bot" +# text_trans: "LOWERCASE" +# - inspect: "SingleHeader" # Use: "SingleHeader" or "UriPath" +# position: "CONTAINS" +# string: "crawl" +# text_trans: "LOWERCASE" # Managed rules list bot_control: enabled: false - target: "COMMON" # or set to TARGETED inspection level (comment out to avoid addign rule) + target: "COMMON" # "COMMON" or "TARGETED" inspection level priority: 3 cyber_sec: enabled: false # Need to subscribe first in AWS 
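Review bot: The `inspect: "SingleHeader"` entries in the new commented example still do not say which request header is inspected — each statement carries only `position`, `string` and `text_trans`, so a reader cannot tell whether `spider`/`bot`/`crawl` are matched against the User-Agent or another header; presumably the task fixes the header name, and the inline comment should state it, e.g. `# Use: "SingleHeader" (header name is fixed in the role's tasks — confirm which) or "UriPath"`. Turning `block_bots` into a comment also removes the only blocking rule from the defaults, so with `bot_control.enabled: false` nothing but the rate limit blocks anything unless a consumer adds rules; a one-line comment above `# Example for multi header block` saying that bot blocking is now opt-in would make that explicit. The enclosing `aws_acl` mapping starts before this hunk.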
From 7a98ad895d98570f8e86c21ca4fae2561ea61d2b Mon Sep 17 00:00:00 2001
From: Matej Stajduhar
Date: Fri, 27 Sep 2024 11:39:50 +0200
Subject: [PATCH 2/2] Removing-Identity-search
---
 roles/aws/aws_backup_validation/tasks/main.yml | 5 +++--
 .../aws/aws_backup_validation/templates/EC2_validation.py.j2 | 3 ++-
 .../aws/aws_backup_validation/templates/RDS_validation.py.j2 | 3 ++-
 3 files changed, 7 insertions(+), 4 deletions(-)
diff --git a/roles/aws/aws_backup_validation/tasks/main.yml b/roles/aws/aws_backup_validation/tasks/main.yml
index a039cb423..82bc27744 100644
--- a/roles/aws/aws_backup_validation/tasks/main.yml
+++ b/roles/aws/aws_backup_validation/tasks/main.yml
@@ -37,8 +37,9 @@ ansible.builtin.wait_for: timeout: 20 -- name: Get verified domain. - ansible.builtin.include_tasks: get_valid_email.yml # Not all clients have verified identity #- name: Get verified domain. # ansible.builtin.include_tasks: get_valid_email.yml - name: Clean and set python functions block:
diff --git a/roles/aws/aws_backup_validation/templates/EC2_validation.py.j2 b/roles/aws/aws_backup_validation/templates/EC2_validation.py.j2
index 2a0316026..00bce56e7 100644
--- a/roles/aws/aws_backup_validation/templates/EC2_validation.py.j2
+++ b/roles/aws/aws_backup_validation/templates/EC2_validation.py.j2
@@ -135,7 +135,8 @@ def lambda_handler(event, context): 'Data': 'Lambda Backup validation: ' + mail_title, }, }, - Source='Lambda Backup Validation ', +# Source='Lambda Backup Validation ', + Source='Lambda Backup Validation ', ) return {
diff --git a/roles/aws/aws_backup_validation/templates/RDS_validation.py.j2 b/roles/aws/aws_backup_validation/templates/RDS_validation.py.j2
index 1e15e5795..b166803b7 100644
--- a/roles/aws/aws_backup_validation/templates/RDS_validation.py.j2
+++ b/roles/aws/aws_backup_validation/templates/RDS_validation.py.j2
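Review bot: Commenting out the `Get verified domain` include drops the lookup for every client, including those that do have a verified identity, and leaves two dead lines in the task list; a conditional keeps both paths, e.g. `- name: Get verified domain.` / `  ansible.builtin.include_tasks: get_valid_email.yml` / `  when: <lookup-enabled flag variable> | default(false)` (variable name to be chosen). With the lookup gone, the sender is now whatever the Lambda templates hard-code, and nothing in this hunk checks that it is a verified SES identity in the target account, which is presumably the condition that made the lookup necessary in the first place. The task list continues outside the hunk.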
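Review bot: The old `Source=` line is kept as a commented-out line directly above its replacement, `# Source='Lambda Backup Validation …'`; in a rendered Lambda template that is dead code, so delete it rather than comment it out, and the RDS_validation.py.j2 hunk that follows has the same leftover. The address part of both `Source` values appears to have been stripped in this view (the old and new lines read identically here), so I can only flag that the new hard-coded sender must be a verified SES identity in every account this role deploys to, otherwise the send is rejected at runtime; a comment above the line, `# Sender must be a verified SES identity in the target account`, would record that requirement. lambda_handler starts and ends outside this hunk.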
@@ -113,7 +113,8 @@ def lambda_handler(event, context): 'Data': 'Lambda Backup validation: ' + mail_title, }, }, - Source='Lambda Backup Validation ', +# Source='Lambda Backup Validation ', + Source='Lambda Backup Validation ', ) print(json.dumps(event))