aws-samples / amazon-guardduty-waf-acl Goto Github PK

For Organizations that have all their findings aggregated to a central security account it would be awesome (AWSome?) to support managing the VPCs NACLs in those other accounts by leveraging an IAM role.

The cloudwatch logs report information similar to the following:

[INFO] 2019-02-11T18:07:14.908Z 163c15e1-a6e5-4eaa-93f6-8596f99b1646 log -- delete rule 74, from NACL acl-f5785d9d.

Soon followed by:

[INFO] 2019-02-11T18:07:15.125Z 163c15e1-a6e5-4eaa-93f6-8596f99b1646 log -- add new rule 74, HostIP 184.105.247.194, to NACL acl-f5785d9d.
[INFO] 2019-02-11T18:07:15.125Z 163c15e1-a6e5-4eaa-93f6-8596f99b1646 log -- rule count for NACL acl-f5785d9d is 9.

When I review the Network ACLs, I see the new entry. However, when I review the dynamodb state table the entry is not in the table and the rule count does not agree with the log.

I do not see any errors in the cloudwatch log indicating any issue with connecting or writing to the dynamodb table.

Is there any sort of optimization that needs to be made to the code to guarantee that the dynamodb state table is updated?

The out of sync state table entries cause problems in subsequent invocations of the lambda function.

I am finding I have to manually adjust the NACL entries daily to keep the Network ACL list and the dynamodb state table in sync.

It will be great to have an option to deploy this solution to other regions aside from us-east-1.

Hello,

The code adds WAF rules based on the "ipAddressV4" json element.
My question is how I can be sure that the ipAddressV4 address is not a NAT generated address and by blocking it, I may block a valid customer that will be using the same IP in the future?

Thank you

Uri

Would it be possible to update this to work with the new WAF console? I have an existing ACL created with the new console that I would like to use the IP set with.

Thanks for your work on this!

We have an issue with this. Sometimes we get NACLs with the same IP address and some missing records in Dynamo DB. For example:

and

if I review the Dynamo Table this is what I get

I have already change lambda concurrency to 1.
Below Cloudwatchlogs
13:07:02
START RequestId: 7943a5b4-4aa5-476a-ac7e-76fb34efeef4 Version: $LATEST

13:07:02
[INFO] 2019-03-27T18:07:02.288Z 7943a5b4-4aa5-476a-ac7e-76fb34efeef4 log -- Event: {"version": "0", "id": "24f964e2-345a-d941-3b50-125a6c6d857b", "detail-type": "GuardDuty Finding", "source": "aws.guardduty", "account": "xxxxxxxxxxxx", "time": "2019-03-27T18:07:00Z", "region": "us-east-2", "resources": [], "detail": {"schemaVersion": "2.0", "accountId": "xxxxxxxxxx", "region": "us-east-2", "part

13:07:02
[INFO] 2019-03-27T18:07:02.410Z 7943a5b4-4aa5-476a-ac7e-76fb34efeef4 Found credentials in environment variables.

13:07:03
[INFO] 2019-03-27T18:07:03.311Z 7943a5b4-4aa5-476a-ac7e-76fb34efeef4 Starting new HTTPS connection (1): ec2.us-east-2.amazonaws.com

13:07:03
[INFO] 2019-03-27T18:07:03.611Z 7943a5b4-4aa5-476a-ac7e-76fb34efeef4 entering update_nacl, netacl_id=acl-7b4a1c12, host_ip=81.22.45.144

13:07:03
[INFO] 2019-03-27T18:07:03.951Z 7943a5b4-4aa5-476a-ac7e-76fb34efeef4 Starting new HTTPS connection (1): dynamodb.us-east-2.amazonaws.com

13:07:04
[INFO] 2019-03-27T18:07:04.469Z 7943a5b4-4aa5-476a-ac7e-76fb34efeef4 Starting new HTTPS connection (1): ec2.us-east-2.amazonaws.com

13:07:04
[ERROR] 2019-03-27T18:07:04.749Z 7943a5b4-4aa5-476a-ac7e-76fb34efeef4 Something went wrong.

13:07:04
An error occurred (NetworkAclEntryAlreadyExists) when calling the CreateNetworkAclEntry operation: The network acl entry identified by 81 already exists.: ClientError Traceback (most recent call last): File "/var/task/lambda_function.py", line 488, in lambda_handler response = update_nacl(netacl_id=NetworkAclId,host_ip=HostIp, region=Region) File "/var/task/lambda_function.py", line 308, i

13:07:04
END RequestId: 7943a5b4-4aa5-476a-ac7e-76fb34efeef4

What could be happening? Struggling with this issue several weeks ago and can't find a solution.
Thanks,

Hi Guys,

I believe there is a bug in the script. When it receives the IP's for a scan they come in as an array. But the script only seems to be blocking the first IP in the array.

This is the offending line:

HostIp = event["detail"]["service"]["action"]["portProbeAction"]["portProbeDetails"][0]["remoteIpDetails"]["ipAddressV4"]

portProbeDetails is actually an array of remoteIpDetails that contains more than just one entry. You probably need to loop through this array to block all of the offending IPs. Otherwise you are going to miss a whole bunch of IPs that are attacking you.

I'll attach a patch that I've made but you will probably find a more elegant way to do it with better error handling than my code.

Cheers!

Amazon_GuardDuty_NACL.patch.txt

I am trying to update existing WebACL with new IPSet by passing the existing "IPSet Id" in ALBIpSetId parameter and passing "false" for CloudFrontIPSetId. The expected behavior should update the existing WebACL with new IPSet rules. But, the actual behavior creates new WebACL.

The following snippet (line numbers from code) shows that resources ALBBlacklistIPSet, ALBBlacklistIPSetRule and ALBBlacklistWebACL are created instead of updating even if I pass ALBIPSetId in parameter to update. These resources should look for condition CreateALBWebACL instead of CreateCloudFrontWebACL.

267 ALBBlacklistIPSet:
268 Condition: CreateCloudFrontWebACL

277 ALBBlacklistIPSetRule:
278 Condition: CreateCloudFrontWebACL

290 ALBBlacklistWebACL:
291 Condition: CreateCloudFrontWebACL

it seems resource block should have [] and under that both the resource sould be mentioned

{
"Action": [
"wafv2:GetIPSet",
"wafv2:UpdateIPSet"
],
"Resource": "arn:aws:wafv2:us-east-1:xxxxxxxxxxxxx:global/ipset/CloudFrontBlocklistIPSetV4-xxxxxx/xxxxxxxxxxxx, arn:aws:wafv2:us-east-1:xxxxxxx:regional/ipset/RegionalBlocklistIPSetV4-xxxxxx/xxxxxxxxxxxxxxx",
"Effect": "Allow"
}