
Comments (18)

rectalogic avatar rectalogic commented on September 17, 2024 3

@hvital

I'll merge a pull request that solves this issue in the next version. Until then, the recommendation is to use a stack name with less than 25 char length.

We're trying to use this as a nested stack in an existing production stack. CF generates the nested stack name by appending the nested stack name to the main stack name plus a 12 or 13 char random suffix, and existing stacks cannot be renamed.

from aws-waf-security-automations.

ericjacques avatar ericjacques commented on September 17, 2024 2

I have the same issue, but I may have found the reason:
The name of the bucket specified for logs during the installation is not "worldwide unique"; as it's an S3 limitation, you have to try another name for the "CloudFront Access Log Bucket Name" field.

Explanation:
The error in the CloudWatch log is:
"An error occurred (AccessDenied) when calling the GetBucketLocation operation: Access Denied"
In the Lambda functions there is one call in SolutionHelper for localisation:
response = s3_client.get_bucket_location(Bucket=bucket_name)
I suppose it will crash with "access denied" if the bucket already belongs to someone else...

jrstarke avatar jrstarke commented on September 17, 2024 1

@hamija: I was experiencing this as well. I changed the way the Lambda gets the stack name, so that it supports longer names.

This is available in pull request #5

yveshwang avatar yveshwang commented on September 17, 2024 1

After a mountain of frustration, found a CloudWatch log entry saying that the bucket was not created during the CloudFormation process.

The fix is to create the bucket for the CloudFront access log before running CloudFormation, ensuring it is also part of the same region. Re-run CloudFormation if it failed the first time.

shammy12 avatar shammy12 commented on September 17, 2024 1

Following yveshwang's comment, I went to create the bucket and found out that the bucket name I was trying to use was already taken. As a test, rather than create the S3 bucket, I added a unique bucket name to the Stack template, ran it again, and then it completed successfully.

hvital avatar hvital commented on September 17, 2024

Hi hamija.

I would say that this is related to Stack Name size restriction. Please note that "The stack name must be less than 25 characters, cannot contain spaces, and must be unique within your AWS account." Ref: http://docs.aws.amazon.com/solutions/latest/aws-waf-security-automations/deployment.html

dexterdejesus avatar dexterdejesus commented on September 17, 2024

Having the same issue; tested on 2 different AWS accounts with the same error message, even though I changed the stack name to a short one.

farmerbean avatar farmerbean commented on September 17, 2024

Hi @jrstarke I've applied patch6 but still failing?

austindimmer avatar austindimmer commented on September 17, 2024

Is there anyone in charge of this code base? There seem to be some good pull requests out there and a need to resolve the long stack names, support the new 10,000 reputation list length and support for both CloudFront and LoadBalancer (Regional) endpoints. It would be great to update the code to support these scenarios.

hvital avatar hvital commented on September 17, 2024

We just published an update with some enhancements and ALB support:
https://aws.amazon.com/answers/security/aws-waf-security-automations/

y86 avatar y86 commented on September 17, 2024

I am still facing the original issue even after the update (I am using the template for CloudFront). Is there a workaround for now?

Edit:
After a couple of failed retries, the stack managed to complete its process. I really don't know what changed for it to complete. Go figure...

hvital avatar hvital commented on September 17, 2024

y86, I'll merge a pull request that solves this issue in the next version. Until then, the recommendation is to use a stack name with less than 25 char length.

badaldavda avatar badaldavda commented on September 17, 2024

Hi,

This is still an issue and I was able to reproduce this. One of my customers is facing this issue. Is there any solution to this?

KEYURRATANGHAYRA avatar KEYURRATANGHAYRA commented on September 17, 2024

I have tried to follow yveshwang's workaround. I have changed the name of the S3 bucket and it worked. So I believe while creating the CFN stack the native S3 API should give you the error right off the bat saying the bucket name exists.

vainkop avatar vainkop commented on September 17, 2024

I'm unable to deploy the WAF stack using Cloudformation in eu-central-1, but it's working in us-east-1.

Due to #3 (comment) I'm unable to use a bucket created by me (auto created by ALB) in eu-central-1 region as it should be created by the Cloudformation.

Is there any solution, except for a non Cloudformation way?

hatricker avatar hatricker commented on September 17, 2024

I came across this issue too. And it seems it's due to global uniqueness of S3 bucket name. After I changed the S3 bucket name, the creation succeeded.

hvital avatar hvital commented on September 17, 2024

Hi,

In the last version we included some updates that should help the issues reported here. The changes are:

  • Check if the bucket exists and you have access to it. here
  • If they are in the same region. here

All those error messages should be printed directly on CloudFormation Events' tab.

Finally, the way we get the stack name was changed based on what @rniksch suggested in PR #26.

Thank you all for the help!!

from aws-waf-security-automations.
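
The two checks listed in the comment above (the bucket exists and you have access to it, and it is in the same region as the stack), as an added example that is not the solution's own code. `check_log_bucket`, `bucket_region` and `FakeS3` are hypothetical names; `FakeS3` is a constructed stand-in for a boto3 S3 client so the block runs offline.

```python
# Added example: pre-flight check for the access-log bucket before stack creation.
# `s3` is any object exposing boto3's S3 client methods head_bucket / get_bucket_location.

def bucket_region(constraint):
    """GetBucketLocation returns None for us-east-1 and legacy 'EU' for eu-west-1."""
    return {None: "us-east-1", "EU": "eu-west-1"}.get(constraint, constraint)


def check_log_bucket(s3, bucket_name, stack_region):
    """Return (ok, message); the message is meant for the CloudFormation Events tab."""
    try:
        s3.head_bucket(Bucket=bucket_name)
        location = s3.get_bucket_location(Bucket=bucket_name)
    except Exception as err:  # boto3 raises botocore.exceptions.ClientError here
        code = getattr(err, "response", {}).get("Error", {}).get("Code", "")
        if code in ("404", "NoSuchBucket"):
            return False, f"Bucket {bucket_name} does not exist; create it first."
        if code in ("403", "AccessDenied"):
            # S3 names are global: a 403 often means another account owns the name.
            return False, (f"Access denied to {bucket_name}: the name may belong "
                           "to another AWS account. Choose a different name.")
        raise
    region = bucket_region(location.get("LocationConstraint"))
    if region != stack_region:
        return False, f"Bucket {bucket_name} is in {region}, stack is in {stack_region}."
    return True, f"Bucket {bucket_name} is accessible and in {stack_region}."


class FakeS3:
    """Constructed stand-in for a boto3 client (assumption, for offline use)."""
    def __init__(self, buckets):
        self.buckets = buckets  # name -> LocationConstraint, or "err:<code>"

    def _lookup(self, name):
        value = self.buckets.get(name, "err:404")
        if isinstance(value, str) and value.startswith("err:"):
            err = Exception(value)
            err.response = {"Error": {"Code": value[4:]}}
            raise err
        return value

    def head_bucket(self, Bucket):
        self._lookup(Bucket)
        return {}

    def get_bucket_location(self, Bucket):
        return {"LocationConstraint": self._lookup(Bucket)}


# Constructed sample data: one usable bucket, one in another region, one taken name.
FAKE = FakeS3({"my-logs": None, "eu-logs": "eu-central-1", "taken-name": "err:403"})
```

With a real client, pass `boto3.client("s3")` instead of `FAKE`; a 403 on a name you never created is the case several commenters hit, and the log bucket should be renamed rather than retried.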

keyurvala avatar keyurvala commented on September 17, 2024

Tired of trying to find the solution to this:
" Your access has been denied by S3, please make sure your request credentials have permission to GetObject for /aws-waf-security-automations/v2.3.3/helper.zip. S3 Error Code: AccessDenied. S3 Error Message: Access Denied (Service: AWSLambdaInternal; Status Code: 403; Error Code: AccessDeniedException; Request ID:

Anyone Please Help :(
