All notable changes to this project will be documented in this file. The format is based on Keep a Changelog, and this project adheres to Semantic Versioning.
- Update the lambda to python 3.12
- Added a check for payload for logging before sanitizing and logging Github issue 274
- Add poetry.lock to pin dependency versions for Python code
- Adapt build scripts to use Poetry for dependency management
- Replace native Python logger with aws_lambda_powertools logger
- Patched dependency version of
requests
to2.32.3
to mitigate CVE-2024-3651 - Pinned all dependencies to specific versions for reproducable builds and enable security scanning
- Allow to install latest version of
urllib3
as transitive dependency
- Patched urllib3 vulnerability as it is possible for a user to specify a Cookie header and unknowingly leak information via HTTP redirects to a different origin if that user doesn't disable redirects explicitly. For more details: CVE-2023-43804
- Update trademarked name. From aws-waf-security-automations.zip to security-automations-for-aws-waf.zip
- Refactor to reduce code complexity
- Patched requests package vulnerability leaking Proxy-Authorization headers to destination servers when redirected to an HTTPS endpoint. For more details: CVE-2023-32681 Github issue 248
- Updated gitignore files to resolve the issue for missing files Github issue 244 Github issue 243 Github issue 245
- Added support for 10 new AWS Managed Rules rule groups (AMR)
- Added support for country and URI configurations in HTTP Flood Athena log parser
- Added support for user-defined S3 prefix for application access log bucket
- Added support for CloudWatch log retention period configuration
- Added support for multiple solution deployments in the same account and region
- Added support for exporting CloudFormation stack output values
- Replaced the hard coded amazonaws.com with {AWS::URLSuffix} in BadBotHoneypot API endpoint
- Avoid account-wide API Gateway logging setting change by deleting the solution stack GitHub issue 213
- Avoid creating a new logging bucket for an existing app access log bucket that already has logging enabled
- Patch s3 logging bucket settings
- Updated the timeout for requests
- Upgraded pytest to mitigate CVE-2022-42969
- Upgraded requests and subsequently certifi to mitigate CVE-2022-23491
- Add region as prefix to application attribute group name to avoid conflict with name starting with AWS.
- Added AppRegistry integration
- Added support for configuring oversize handling for requests components
- Added support for configuring sensitivity level for SQL injection rule
- Added IP retention support on Allowed and Denied IP Sets
- Bug fixes
- Replaced s3 path-style with virtual-hosted style
- Added partition variable to all ARNs
- Updated bug report
- Added an option to deploy AWS Managed Rules for WebACL on installation
- Upgraded from WAF classic to WAFV2 API
- Eliminated dependency on NodeJS and use Python as the standardized programming language
- Implemented Athena optimization: added partitioning for CloudFront, ALB and WAF logs and Athena queries
- Fixed potential DoS vector within Bad Bots X-Forward-For header
- Fixed README file to accurately reflect script params
- Upgraded from Python 3.7 to 3.8
- Changed RequestThreshold min limit from 2000 to 100
- Fixed error handling of intermittent issue: (WAFStaleDataException) when calling the UpdateWebACL
- Upgrade from Node 8 to Node 10 for Lambda function