Comments (18)
I'll merge a pull request that solves this issue in the next version. Until then, the recommendation is to use a stack name with less than 25 characters.
We're trying to use this as a nested stack in an existing production stack. CF generates the nested stack name by appending the nested stack name to the main stack name plus a 12 or 13 char random suffix, and existing stacks cannot be renamed.
from aws-waf-security-automations.
I have the same issue, but I may have found the reason:
The name of the bucket specified for logs during the installation is not "worldwide unique", as it's an S3 limitation; you have to try another name for the "CloudFront Access Log Bucket Name" field.
Explanation:
The error in the CloudWatch log is:
"An error occurred (AccessDenied) when calling the GetBucketLocation operation: Access Denied"
In the lambda functions there is one call in SolutionHelper for localisation:
response = s3_client.get_bucket_location(Bucket=bucket_name)
I suppose it will crash with "access denied" if the bucket already belongs to someone else...
@hamija: I was experiencing this as well. I changed the way the lambda gets the stack name, so that it supports longer names.
This is available in pull request #5
After a mountain of frustration, I found a CloudWatch log entry saying that the bucket was not created during the CloudFormation process.
The fix is to create the bucket for the CloudFront access log before running CloudFormation, ensuring it is also in the same region. Re-run CloudFormation if it failed the first time.
Following yveshwang's comment, I went to create the bucket and found out that the bucket name I was trying to use was already taken. As a test, rather than create the S3 bucket, I added a unique bucket name to the Stack template, ran it again, and then it completed successfully.
Hi hamija.
I would say that this is related to Stack Name size restriction. Please note that "The stack name must be less than 25 characters, cannot contain spaces, and must be unique within your AWS account." Ref: http://docs.aws.amazon.com/solutions/latest/aws-waf-security-automations/deployment.html
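The two root causes discussed in the comments above are a CloudFront log bucket name that is already taken by another account (which surfaces as AccessDenied from GetBucketLocation) and a stack name at or over the 25-character limit quoted from the deployment guide. The preflight check below is an added example written for this page; it is not code from the aws-waf-security-automations project. The function names, parameter names and the diagnosis strings are my own choices; the S3 bucket-naming rules and the fact that boto3 reports a us-east-1 bucket with a LocationConstraint of None come from AWS documentation. The live probe only imports boto3 when it is actually called, so the rest of the module runs offline.

```python
import re
from typing import Optional

# The deployment guide quoted in the thread: the stack name must be less than
# 25 characters, contain no spaces, and be unique within the account.
MAX_STACK_NAME_LEN = 25
# CloudFormation stack names: start with a letter, then letters, digits, hyphens.
STACK_NAME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*$")
# S3 bucket names are global: 3-63 chars of lowercase letters, digits, dots and
# hyphens, starting and ending alphanumeric, and not shaped like an IPv4 address.
BUCKET_NAME_RE = re.compile(r"^[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]$")
IPV4_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def validate_stack_name(name: str) -> list[str]:
    """Return a list of problems with a stack name (empty list means it is fine)."""
    problems = []
    if len(name) >= MAX_STACK_NAME_LEN:
        problems.append(
            f"stack name has {len(name)} characters; the guide requires fewer than {MAX_STACK_NAME_LEN}"
        )
    if " " in name:
        problems.append("stack name contains spaces")
    elif not STACK_NAME_RE.match(name):
        problems.append("stack name must start with a letter and use only letters, digits and hyphens")
    return problems


def validate_bucket_name(name: str) -> list[str]:
    """Check the syntactic S3 rules; global uniqueness can only be probed live."""
    problems = []
    if not BUCKET_NAME_RE.match(name):
        problems.append(
            "bucket name must be 3-63 chars of lowercase letters, digits, dots or hyphens, "
            "starting and ending with a letter or digit"
        )
    if ".." in name:
        problems.append("bucket name must not contain consecutive dots")
    if IPV4_RE.match(name):
        problems.append("bucket name must not look like an IPv4 address")
    return problems


def diagnose_bucket_probe(error_code: Optional[str], location: Optional[str], deploy_region: str) -> str:
    """Interpret the outcome of s3:GetBucketLocation on the intended log bucket.

    error_code is the S3 error code from a failed call (None on success) and
    location is the returned LocationConstraint (None means us-east-1 in boto3).
    """
    if error_code is None:
        bucket_region = location or "us-east-1"
        if bucket_region != deploy_region:
            # Matches the comment above: a pre-created bucket must sit in the deployment region.
            return f"bucket exists in {bucket_region}, not {deploy_region}: create it in the deployment region"
        return "bucket exists in the deployment region and is readable: ok"
    if error_code == "NoSuchBucket":
        return "bucket does not exist: name is free, the stack can create it"
    if error_code == "AccessDenied":
        # The symptom from the CloudWatch log in the thread: the name belongs to another account.
        return "AccessDenied on GetBucketLocation: the name is most likely taken by another account; choose another name"
    return f"unexpected S3 error {error_code}: check IAM permissions and the bucket name"


def preflight(stack_name: str, bucket_name: str) -> list[str]:
    """Offline checks to run before launching the template."""
    return validate_stack_name(stack_name) + validate_bucket_name(bucket_name)


def probe_bucket_live(bucket_name: str, deploy_region: str) -> str:
    """Optional live probe; needs AWS credentials and boto3 (assumed available only when called)."""
    import boto3
    from botocore.exceptions import ClientError

    s3 = boto3.client("s3", region_name=deploy_region)
    try:
        resp = s3.get_bucket_location(Bucket=bucket_name)
        return diagnose_bucket_probe(None, resp.get("LocationConstraint"), deploy_region)
    except ClientError as exc:
        return diagnose_bucket_probe(exc.response["Error"]["Code"], None, deploy_region)


if __name__ == "__main__":
    # Constructed sample inputs: a 28-character stack name and a name with uppercase/underscore.
    for problem in preflight("aws-waf-security-automations", "My_Waf_Logs"):
        print("preflight:", problem)
    print(diagnose_bucket_probe("AccessDenied", None, "eu-central-1"))
```

Run the offline checks first; only when both names pass should you spend a credentialed call on the live probe, and a NoSuchBucket result there is the only outcome that guarantees the template will be able to create the bucket itself.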
Having the same issue, tested on 2 different AWS accounts, same error message, even though I changed the stack name to a short one.
Hi @jrstarke, I've applied patch6 but it's still failing?
Is there anyone in charge of this code base? There seem to be some good pull requests out there and a need to resolve the long stack names, support the new 10,000 reputation list length and support for both CloudFront and LoadBalancer (Regional) endpoints. It would be great to update the code to support these scenarios.
We just published an update with some enhancements and ALB support:
https://aws.amazon.com/answers/security/aws-waf-security-automations/
I am still facing the original issue even after the update (I am using the template for CloudFront). Is there a workaround for now?
Edit:
After a couple of failed retries, the stack managed to complete its process. I really don't know what changed for it to complete. Go figure...
y86. I'll merge a pull request that solves this issue in the next version. Until then, the recommendation is to use a stack name with less than 25 characters.
Hi,
This is still an issue and I was able to reproduce it. One of my customers is facing this issue. Is there any solution to this?
I have tried to follow yveshwang's workaround. I changed the name of the S3 bucket and it worked. So I believe that while creating the CFN stack, the native S3 API should give you the error right off the bat saying the bucket name exists.
I'm unable to deploy the WAF stack using CloudFormation in eu-central-1, but it's working in us-east-1.
Due to #3 (comment) I'm unable to use a bucket created by me (auto-created by ALB) in the eu-central-1 region, as it should be created by CloudFormation.
Is there any solution, except for a non-CloudFormation way?
I came across this issue too. And it seems it's due to global uniqueness of S3 bucket name. After I changed the S3 bucket name, the creation succeeded.
Hi,
In the last version we included some updates that should help the issues reported here. The changes are:
All those error messages should be printed directly on CloudFormation Events' tab.
Finally, the way we get the stack name was changed based on what @rniksch suggested in PR #26.
Thank you all for the help!!
Tried to find the solution for it:
" Your access has been denied by S3, please make sure your request credentials have permission to GetObject for /aws-waf-security-automations/v2.3.3/helper.zip. S3 Error Code: AccessDenied. S3 Error Message: Access Denied (Service: AWSLambdaInternal; Status Code: 403; Error Code: AccessDeniedException; Request ID:
Anyone, please help :(