Skip to content

feat(cloudfront): support WAF security protections #32021

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
wants to merge 22 commits into from
Closed

feat(cloudfront): support WAF security protections #32021

wants to merge 22 commits into from

Conversation

phuhung273
Copy link
Contributor

@phuhung273 phuhung273 commented Nov 5, 2024
edited
Loading

Issue # (if applicable)

Closes #31737

Reason for this change

  • Support WAF one-click security protections

Description of changes

  • Add enableWafCoreProtections boolean to use default WAF security option

Description of how you validated changes

Checklist

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

@aws-cdk-automation aws-cdk-automation requested a review from a team November 5, 2024 09:06
@github-actions github-actions bot added effort/medium Medium work item – several days of effort feature-request A feature should be added or improved. p2 labels Nov 5, 2024
@phuhung273 phuhung273 marked this pull request as draft November 5, 2024 09:06
@github-actions github-actions bot added the beginning-contributor [Pilot] contributed between 0-2 PRs to the CDK label Nov 5, 2024
aws-cdk-automation
aws-cdk-automation previously requested changes Nov 5, 2024
View reviewed changes
Copy link
Collaborator

@aws-cdk-automation aws-cdk-automation left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The pull request linter has failed. See the aws-cdk-automation comment below for failure reasons. If you believe this pull request should receive an exemption, please comment and provide a justification.

A comment requesting an exemption should contain the text Exemption Request. Additionally, if clarification is needed add Clarification Request to a comment.

@phuhung273 phuhung273 force-pushed the cloudfront-enable-waf branch from c6c0cda to 48b4c10 Compare November 9, 2024 17:19
@phuhung273 phuhung273 marked this pull request as ready for review November 9, 2024 17:19
@phuhung273 phuhung273 changed the title feat(cloudfront): Support WAF security protections feat(cloudfront): support WAF security protections Nov 9, 2024
@aws-cdk-automation aws-cdk-automation dismissed their stale review November 9, 2024 17:26

✅ Updated pull request passes all PRLinter validations. Dismissing previous PRLinter review.

@aws-cdk-automation aws-cdk-automation added the pr/needs-community-review This PR needs a review from a Trusted Community Member or Core Team Member. label Nov 9, 2024
@gshpychka
Copy link
Contributor

Doesn't the WebACL have to be deployed in us-east-1?

@phuhung273
Copy link
Contributor Author

Doesn't the WebACL have to be deployed in us-east-1?

Yes of course for CloudFront. According to https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-wafv2-webacl.html

image

@gshpychka
Copy link
Contributor

So what happens if the distribution isn't in us-east-1?

@phuhung273
Copy link
Contributor Author

So what happens if the distribution isn't in us-east-1?

I believe there is no region config for CloudFront Distribution as it is a global resource https://repost.aws/questions/QUM6TvAnMOQ8q8Ej_0-rh_pw/is-cloudfront-works-only-in-virginia-region-us-east-1#AN3zwt4flvSRiXuPaQNWDHKg

@gshpychka
Copy link
Contributor

So what happens if the distribution isn't in us-east-1?

I believe there is no region config for CloudFront Distribution as it is a global resource https://repost.aws/questions/QUM6TvAnMOQ8q8Ej_0-rh_pw/is-cloudfront-works-only-in-virginia-region-us-east-1#AN3zwt4flvSRiXuPaQNWDHKg

I meant what happens if a user sets enableWafCoreProtections to true while deploying the stack to a region that's not us-east-1

@phuhung273
Copy link
Contributor Author

So what happens if the distribution isn't in us-east-1?

I believe there is no region config for CloudFront Distribution as it is a global resource https://repost.aws/questions/QUM6TvAnMOQ8q8Ej_0-rh_pw/is-cloudfront-works-only-in-virginia-region-us-east-1#AN3zwt4flvSRiXuPaQNWDHKg

I meant what happens if a user sets enableWafCoreProtections to true while deploying the stack to a region that's not us-east-1

Ok got your point now, in that case every other components in the stack will be provisioned in selected region. But the CloudFront Distribution will always be in global scope.

But if we want to associate an ACM certificate to the Distribution, this ACM certificate is required to stay in us-east-1.

@gshpychka
Copy link
Contributor

So what happens if the distribution isn't in us-east-1?

I believe there is no region config for CloudFront Distribution as it is a global resource https://repost.aws/questions/QUM6TvAnMOQ8q8Ej_0-rh_pw/is-cloudfront-works-only-in-virginia-region-us-east-1#AN3zwt4flvSRiXuPaQNWDHKg

I meant what happens if a user sets enableWafCoreProtections to true while deploying the stack to a region that's not us-east-1

Ok got your point now, in that case every other components in the stack will be provisioned in selected region. But the CloudFront Distribution will always be in global scope.

But if we want to associate an ACM certificate to the Distribution, this ACM certificate is required to stay in us-east-1.

Wouldn't it try to deploy the CfnWebACL in the selected region and fail, since it can only be deployed in us-east-1?

@phuhung273
Copy link
Contributor Author

Wouldn't it try to deploy the CfnWebACL in the selected region and fail, since it can only be deployed in us-east-1?

No, the CfnWebACL wont fail. With scope=CloudFront, it goes to Global. We can check it at WAF > WebACLs

image

@phuhung273
Copy link
Contributor Author

@gshpychka youre rite, lemme have a test deploying entire stack to another region

@phuhung273 phuhung273 force-pushed the cloudfront-enable-waf branch from 48b4c10 to 6fe8d5e Compare November 19, 2024 15:09
@phuhung273
Copy link
Contributor Author

Wouldn't it try to deploy the CfnWebACL in the selected region and fail, since it can only be deployed in us-east-1?

Thanks so much for pointing that out. You're absolutely right. Confirm that enableWafCoreProtections fail to deploy if used outside of us-east-1 .

Looking through Issues, found this similar one #6242.

Added validation to ensure new flag cannot be used outside us-east-1

@gracelu0 gracelu0 added the needs-security-review Related to feature or issues that needs security review label Nov 20, 2024
@phuhung273 phuhung273 requested a review from gracelu0 January 27, 2025 16:20
@aws-cdk-automation aws-cdk-automation dismissed their stale review January 31, 2025 06:10

✅ Updated pull request passes all PRLinter validations. Dismissing previous PRLinter review.

gshpychka
gshpychka reviewed Jan 31, 2025
View reviewed changes
@aws-cdk-automation aws-cdk-automation added the pr/needs-community-review This PR needs a review from a Trusted Community Member or Core Team Member. label Jan 31, 2025
@phuhung273 phuhung273 requested a review from gshpychka February 1, 2025 02:51
gshpychka
gshpychka reviewed Feb 5, 2025
View reviewed changes
@samson-keung samson-keung self-assigned this Feb 12, 2025
@aws-cdk-automation
Copy link
Collaborator

This PR cannot be merged because it has conflicts. Please resolve them. The PR will be considered stale and closed if it remains in an unmergeable state.

1 similar comment
@aws-cdk-automation
Copy link
Collaborator

This PR cannot be merged because it has conflicts. Please resolve them. The PR will be considered stale and closed if it remains in an unmergeable state.

@samson-keung samson-keung removed their assignment Mar 3, 2025
@phuhung273 phuhung273 mentioned this pull request Mar 16, 2025
Closed
2 tasks
@godwingrs22 godwingrs22 self-assigned this Mar 18, 2025
@aws-cdk-automation
Copy link
Collaborator

AWS CodeBuild CI Report

  • CodeBuild project: AutoBuildv2Project1C6BFA3F-wQm2hXv2jqQv
  • Commit ID: dce811a
  • Result: FAILED
  • Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

@phuhung273
Copy link
Contributor Author

Hi all, I've found a similar implementation for creating a cloufront WebAcl #10500 which satisfy 2 requirements:

Although we can replicate the same, I think better to finish off #17749 and reuse WebAcl L2 Contruct here.

@phuhung273 phuhung273 closed this Mar 21, 2025
@github-actions GitHub Actions
Copy link
Contributor

Comments on closed issues and PRs are hard for our team to see.
If you need help, please open a new issue that references this one.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Mar 21, 2025
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@gshpychka gshpychka gshpychka left review comments

@aws-cdk-automation aws-cdk-automation aws-cdk-automation left review comments

@gracelu0 gracelu0 Awaiting requested review from gracelu0

Assignees

@godwingrs22 godwingrs22

Labels
beginning-contributor [Pilot] contributed between 0-2 PRs to the CDK effort/medium Medium work item – several days of effort feature-request A feature should be added or improved. needs-security-review Related to feature or issues that needs security review p2 pr/needs-community-review This PR needs a review from a Trusted Community Member or Core Team Member.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

aws_cloudfront: add support for one-click security protections to Distribution
6 participants
@phuhung273 @gshpychka @aws-cdk-automation @gracelu0 @godwingrs22 @samson-keung