feature: add WAF to production (#769)

Co-authored-by: Ran Isenberg <ran.isenberg@ranthebuilder.cloud>

Author: ran-isenberg

README.md

@@ -90,6 +90,7 @@ This project aims to reduce cognitive load and answer these questions for you by
 - AWS Lambda handler 3 layer architecture: handler layer, logic layer and data access layer
 - Features flags and configuration based on AWS AppConfig
 - Idempotent API
+- REST API protected by WAF with four AWS managed rules in production deployment
 - CloudWatch dashboards - High level and low level including CloudWatch alarms
 - Unit, infrastructure, security, integration and end to end tests.
 

cdk/service/api_construct.py

@@ -9,10 +9,11 @@
 import cdk.service.constants as constants
 from cdk.service.api_db_construct import ApiDbConstruct
 from cdk.service.monitoring import CrudMonitoring
+from cdk.service.waf_construct import WafToApiGatewayConstruct
 
 
 class ApiConstruct(Construct):
-    def __init__(self, scope: Construct, id_: str, appconfig_app_name: str) -> None:
+    def __init__(self, scope: Construct, id_: str, appconfig_app_name: str, is_production_env: bool) -> None:
         super().__init__(scope, id_)
         self.id_ = id_
         self.api_db = ApiDbConstruct(self, f'{id_}db')
@@ -25,6 +26,10 @@ def __init__(self, scope: Construct, id_: str, appconfig_app_name: str) -> None:
         )
         self.monitoring = CrudMonitoring(self, id_, self.rest_api, self.api_db.db, self.api_db.idempotency_db, [self.create_order_func])
 
+        if is_production_env:
+            # add WAF
+            self.waf = WafToApiGatewayConstruct(self, f'{id_}waf', self.rest_api)
+
     def _build_api_gw(self) -> aws_apigateway.RestApi:
         rest_api: aws_apigateway.RestApi = aws_apigateway.RestApi(
             self,

cdk/service/service_stack.py

@@ -27,6 +27,7 @@ def __init__(self, scope: Construct, id: str, is_production_env: bool, **kwargs)
             self,
             get_construct_name(stack_prefix=id, construct_name='Crud'),
             self.dynamic_configuration.app_name,
+            is_production_env=is_production_env,
         )
 
         # add security check

cdk/service/waf_construct.py

@@ -0,0 +1,88 @@
+from aws_cdk import aws_apigateway as apigateway
+from aws_cdk import aws_wafv2 as waf
+from constructs import Construct
+
+
+class WafToApiGatewayConstruct(Construct):
+    def __init__(self, scope: Construct, id: str, api: apigateway.RestApi, **kwargs) -> None:
+        super().__init__(scope, id, **kwargs)
+
+        # Create WAF WebACL with AWS Managed Rules
+        web_acl = waf.CfnWebACL(
+            self,
+            'ProductApiGatewayWebAcl',
+            scope='REGIONAL',  # Change to CLOUDFRONT if you're using edge-optimized API
+            default_action=waf.CfnWebACL.DefaultActionProperty(allow={}),
+            name=f'{id}-Waf',
+            visibility_config=waf.CfnWebACL.VisibilityConfigProperty(
+                sampled_requests_enabled=True, cloud_watch_metrics_enabled=True, metric_name='ProductApiGatewayWebAcl'
+            ),
+            rules=[
+                waf.CfnWebACL.RuleProperty(
+                    name='Product-AWSManagedRulesCommonRuleSet',
+                    priority=0,
+                    override_action={'none': {}},
+                    statement=waf.CfnWebACL.StatementProperty(
+                        managed_rule_group_statement=waf.CfnWebACL.ManagedRuleGroupStatementProperty(
+                            name='AWSManagedRulesCommonRuleSet', vendor_name='AWS'
+                        )
+                    ),
+                    visibility_config=waf.CfnWebACL.VisibilityConfigProperty(
+                        sampled_requests_enabled=True,
+                        cloud_watch_metrics_enabled=True,
+                        metric_name='Product-AWSManagedRulesCommonRuleSet',
+                    ),
+                ),
+                # Block Amazon IP reputation list managed rule group
+                waf.CfnWebACL.RuleProperty(
+                    name='Product-AWSManagedRulesAmazonIpReputationList',
+                    priority=1,
+                    override_action={'none': {}},
+                    statement=waf.CfnWebACL.StatementProperty(
+                        managed_rule_group_statement=waf.CfnWebACL.ManagedRuleGroupStatementProperty(
+                            name='AWSManagedRulesAmazonIpReputationList', vendor_name='AWS'
+                        )
+                    ),
+                    visibility_config=waf.CfnWebACL.VisibilityConfigProperty(
+                        sampled_requests_enabled=True,
+                        cloud_watch_metrics_enabled=True,
+                        metric_name='Product-AWSManagedRulesAmazonIpReputationList',
+                    ),
+                ),
+                # Block Anonymous IP list managed rule group
+                waf.CfnWebACL.RuleProperty(
+                    name='Product-AWSManagedRulesAnonymousIpList',
+                    priority=2,
+                    override_action={'none': {}},
+                    statement=waf.CfnWebACL.StatementProperty(
+                        managed_rule_group_statement=waf.CfnWebACL.ManagedRuleGroupStatementProperty(
+                            name='AWSManagedRulesAnonymousIpList', vendor_name='AWS'
+                        )
+                    ),
+                    visibility_config=waf.CfnWebACL.VisibilityConfigProperty(
+                        sampled_requests_enabled=True,
+                        cloud_watch_metrics_enabled=True,
+                        metric_name='Product-AWSManagedRulesAnonymousIpList',
+                    ),
+                ),
+                # rule for blocking known Bad Inputs
+                waf.CfnWebACL.RuleProperty(
+                    name='Product-AWSManagedRulesKnownBadInputsRuleSet',
+                    priority=3,
+                    override_action={'none': {}},
+                    statement=waf.CfnWebACL.StatementProperty(
+                        managed_rule_group_statement=waf.CfnWebACL.ManagedRuleGroupStatementProperty(
+                            name='AWSManagedRulesKnownBadInputsRuleSet', vendor_name='AWS'
+                        )
+                    ),
+                    visibility_config=waf.CfnWebACL.VisibilityConfigProperty(
+                        sampled_requests_enabled=True,
+                        cloud_watch_metrics_enabled=True,
+                        metric_name='Product-AWSManagedRulesKnownBadInputsRuleSet',
+                    ),
+                ),
+            ],
+        )
+
+        # Associate WAF with API Gateway
+        waf.CfnWebACLAssociation(self, 'ApiGatewayWafAssociation', resource_arn=api.deployment_stage.stage_arn, web_acl_arn=web_acl.attr_arn)

docs/index.md

@@ -44,6 +44,7 @@ This project aims to reduce cognitive load and answer these questions for you by
 - Features flags and configuration based on AWS AppConfig
 - CloudWatch dashboards - High level and low level including CloudWatch alarms
 - Idempotent API
+- REST API protected by WAF with four AWS managed rules in production deployment
 - Unit, infrastructure, security, integration and E2E tests.
 
 The GitHub template project can be found at [https://github.com/ran-isenberg/aws-lambda-handler-cookbook](https://github.com/ran-isenberg/aws-lambda-handler-cookbook){:target="_blank" rel="noopener"}.

package-lock.json

@@ -1,5 +1,5 @@
 {
     "dependencies": {
-        "aws-cdk": "2.103.1"
+        "aws-cdk": "2.104.0"
     }
 }