Deploying a CloudFront WAF with AWS CDK and TypeScript
Greetings to everybody!
After reading this post, you will be able to create a CloudFront WAF with TypeScript and the AWS CDK, and analyse the AWS WAF logs it produces using Amazon OpenSearch Service.
The code to deploy AWS Web Application Firewall, OpenSearch Service & Kinesis Data Firehose Delivery Stream is provided below:
The code to deploy Cloudfront is provided below:
Below is an explanation of what the stack creates, followed by the manual steps required after a successful deployment:
- Creating an IP Set that contains the VPC CIDR and the Elastic IPs, so traffic from inside the environment can be recognised
- Creating a sample regex pattern set that can be referenced from customer-managed (custom) rules
- Creating the set of rules that the WebACL uses afterwards:
  - AllowInternalTraffic
  - IPRateLimitingRule
  - AWS-AWSManagedRulesCommonRuleSet
  - AWS-AWSManagedRulesBotControlRuleSet
  - AWS-AWSManagedRulesWordPressRuleSet
  - AWS-AWSManagedRulesKnownBadInputsRuleSet
  - AWS-AWSManagedRulesUnixRuleSet
  - AWS-AWSManagedRulesSQLiRuleSet
- Creating an Amazon OpenSearch Service domain to receive the WAF logs, deployed in a private subnet and reachable only through the Client VPN, with the advanced security option (fine-grained access control) enabled and the master user credentials stored in AWS Secrets Manager.
- Creating a Kinesis Data Firehose delivery stream that writes the logs to OpenSearch with weekly index rotation and backs up every record (S3 backup mode AllDocuments) to an S3 bucket. Note that AWS WAF only accepts a delivery stream as a logging destination if its name starts with aws-waf-logs-.
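The rule list above is easiest to understand as the rules array that goes into the wafv2.CfnWebACL L1 construct. The following is an added example written for this post, not the author's CDK code: it builds that array for the eight rules listed, in the shape CloudFormation expects, and validates the two constraints WAF rejects at deploy time (duplicate priorities, and action vs. overrideAction on managed rule groups). The IP set ARN, the rate limit and the metric names are assumptions; in the real stack the ARN comes from the IP set's attrArn.

```typescript
// Added example (not the original post's CDK code). Builds the `rules` property
// of a wafv2.CfnWebACL for the eight rules the post lists. No aws-cdk-lib import
// is needed because the L1 construct accepts plain objects of this shape.

type VisibilityConfig = {
  sampledRequestsEnabled: boolean;
  cloudWatchMetricsEnabled: boolean;
  metricName: string;
};

type Rule = {
  name: string;
  priority: number;
  statement: Record<string, unknown>;
  action?: Record<string, object>;         // custom rules: allow / block / count
  overrideAction?: Record<string, object>; // managed rule groups: none / count
  visibilityConfig: VisibilityConfig;
};

// Managed rule groups from the post, in the order they should be evaluated.
const MANAGED_RULE_GROUPS = [
  "AWSManagedRulesCommonRuleSet",
  "AWSManagedRulesBotControlRuleSet",
  "AWSManagedRulesWordPressRuleSet",
  "AWSManagedRulesKnownBadInputsRuleSet",
  "AWSManagedRulesUnixRuleSet",
  "AWSManagedRulesSQLiRuleSet",
];

function visibility(metricName: string): VisibilityConfig {
  return { sampledRequestsEnabled: true, cloudWatchMetricsEnabled: true, metricName };
}

// ipSetArn is assumed to be the ARN of the IP set holding the VPC CIDR and EIPs.
export function buildWebAclRules(ipSetArn: string, rateLimit = 2000): Rule[] {
  const rules: Rule[] = [
    {
      // Internal traffic matches the IP set and is allowed before any other rule runs.
      name: "AllowInternalTraffic",
      priority: 0,
      statement: { ipSetReferenceStatement: { arn: ipSetArn } },
      action: { allow: {} },
      visibilityConfig: visibility("AllowInternalTraffic"),
    },
    {
      // Rate-based rule: block a source IP that exceeds `rateLimit` requests
      // in WAF's 5-minute evaluation window.
      name: "IPRateLimitingRule",
      priority: 1,
      statement: { rateBasedStatement: { limit: rateLimit, aggregateKeyType: "IP" } },
      action: { block: {} },
      visibilityConfig: visibility("IPRateLimitingRule"),
    },
  ];
  MANAGED_RULE_GROUPS.forEach((groupName, i) => {
    rules.push({
      name: `AWS-${groupName}`,
      priority: 2 + i,
      statement: { managedRuleGroupStatement: { vendorName: "AWS", name: groupName } },
      // Managed groups carry their own per-rule actions, so a referencing rule
      // sets overrideAction (none = keep the group's actions), never action.
      overrideAction: { none: {} },
      visibilityConfig: visibility(`AWS-${groupName}`),
    });
  });
  return rules;
}

// Full props object for `new wafv2.CfnWebACL(this, "WebAcl", buildWebAclProps(arn))`.
export function buildWebAclProps(ipSetArn: string) {
  return {
    name: "CloudFrontWebAcl",
    scope: "CLOUDFRONT", // a CloudFront web ACL must be created in us-east-1
    defaultAction: { allow: {} },
    rules: buildWebAclRules(ipSetArn),
    visibilityConfig: visibility("CloudFrontWebAcl"),
  };
}

// Catches the two mistakes WAF would otherwise report only at deploy time.
export function validateRules(rules: Rule[]): string[] {
  const errors: string[] = [];
  const seen = new Set<number>();
  for (const r of rules) {
    if (seen.has(r.priority)) errors.push(`${r.name}: duplicate priority ${r.priority}`);
    seen.add(r.priority);
    const isManaged = "managedRuleGroupStatement" in r.statement;
    if (isManaged && (r.action !== undefined || r.overrideAction === undefined)) {
      errors.push(`${r.name}: managed rule group needs overrideAction, not action`);
    }
    if (!isManaged && (r.overrideAction !== undefined || r.action === undefined)) {
      errors.push(`${r.name}: custom rule needs action, not overrideAction`);
    }
  }
  return errors;
}
```

Priorities are evaluated lowest first, which is why the internal-allow rule sits at 0 and the rate limit at 1: a managed group placed ahead of them would block internal scanners before the allow rule is ever reached.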
Further Steps:
1. Connect to the OpenSearch Dashboards endpoint through the Client VPN and log in with the master credentials stored in Secrets Manager.
2. Go to Security -> Roles -> all_access -> Map User -> Backend Roles -> add the ARN of the IAM role assigned to the Kinesis Data Firehose delivery stream. This is what lets Firehose write into the domain; all_access is broader than Firehose needs, so a custom role limited to write permissions on the WAF log indices is the least-privilege alternative.
While OpenSearch can classify most of the fields in AWS WAF logs automatically, it must be told how to interpret fields with particular formats. For OpenSearch to recognise the WAF logs and classify the data correctly, you should create an index template before logs start arriving; a mapping guessed from the first documents cannot be changed afterwards without reindexing.
The template defines two fields. It tells OpenSearch that the timestamp field is in epoch time (milliseconds) and that the httpRequest.clientIp field holds an IP address. All other log fields are classified automatically.
3. Go to Dev Tools -> add the index template shown in the screenshot below.
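Because the screenshot is not reproduced here, the following added example (not the author's screenshot or code) shows the two-field index template the text describes, the Dev Tools request that creates it, and a pre-flight check that a WAF log record fits the mapping. The template name awswaf-logs and the awswaf- index prefix are assumptions that must match the index name configured on the Firehose delivery stream; the sample log record is constructed and its values are made up.

```typescript
// Added example, not from the original post. Index template for AWS WAF logs
// plus a check that a record will index cleanly under it.

// The "awswaf-" prefix is an assumption: it must equal the Firehose index name.
export const WAF_INDEX_TEMPLATE = {
  index_patterns: ["awswaf-*"],
  template: {
    mappings: {
      properties: {
        // AWS WAF writes timestamp as milliseconds since the epoch, not ISO-8601.
        timestamp: { type: "date", format: "epoch_millis" },
        httpRequest: {
          properties: {
            // The ip type allows CIDR queries such as httpRequest.clientIp:10.0.0.0/8.
            clientIp: { type: "ip" },
          },
        },
      },
    },
  },
};

// Request to paste into OpenSearch Dashboards -> Dev Tools (console syntax).
export function devToolsRequest(): string {
  return `PUT _index_template/awswaf-logs\n${JSON.stringify(WAF_INDEX_TEMPLATE, null, 2)}`;
}

function isIPv4(s: string): boolean {
  const parts = s.split(".");
  return parts.length === 4 && parts.every((p) => /^\d{1,3}$/.test(p) && Number(p) <= 255);
}

function isIPv6(s: string): boolean {
  // Loose check: hex groups separated by ':' with at most one '::' run.
  return /^[0-9a-f:]+$/i.test(s) && s.split(":").length >= 3 && (s.match(/::/g) ?? []).length <= 1;
}

// Returns the mapping conflicts a record would cause; an empty list means it indexes cleanly.
export function checkWafRecord(raw: string): string[] {
  let rec: { timestamp?: unknown; httpRequest?: { clientIp?: unknown } } | null = null;
  try {
    rec = JSON.parse(raw);
  } catch {
    // fall through to the null check below
  }
  if (rec === null || typeof rec !== "object") return ["record is not a JSON object"];

  const problems: string[] = [];
  const ts = rec.timestamp;
  if (!(typeof ts === "number" && Number.isInteger(ts) && ts >= 0)) {
    problems.push(`timestamp must be epoch milliseconds, got ${JSON.stringify(ts)}`);
  }
  const ip = rec.httpRequest?.clientIp;
  if (!(typeof ip === "string" && (isIPv4(ip) || isIPv6(ip)))) {
    problems.push(`httpRequest.clientIp must be an IP address, got ${JSON.stringify(ip)}`);
  }
  return problems;
}

// Constructed sample record in the AWS WAF log layout (all values are made up).
export const SAMPLE_WAF_LOG = JSON.stringify({
  timestamp: 1700000000000,
  formatVersion: 1,
  webaclId: "arn:aws:wafv2:us-east-1:123456789012:global/webacl/example/0000",
  terminatingRuleId: "AWS-AWSManagedRulesSQLiRuleSet",
  terminatingRuleType: "MANAGED_RULE_GROUP",
  action: "BLOCK",
  httpSourceName: "CF",
  httpSourceId: "E1EXAMPLE",
  httpRequest: {
    clientIp: "203.0.113.10",
    country: "US",
    uri: "/wp-login.php",
    httpMethod: "POST",
    args: "id=1%27%20OR%201%3D1",
    headers: [{ name: "User-Agent", value: "curl/8.0" }],
  },
});
```

If the template is created after the first index already exists, the existing index keeps its guessed mapping (timestamp as a long, clientIp as text); delete that index or wait for the next weekly rotation before expecting the Discover tab to treat the fields correctly.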
CDN Code Explanation:
- The origin of this distribution is the ALB.
- The distribution must be created after the WAF stack because it takes the WebACL as input. With the CDK Distribution construct the property is named webAclId, but for a WAFv2 web ACL the value is the ACL's ARN (the attrArn of the CfnWebACL), and that web ACL must have scope CLOUDFRONT, which means it has to live in us-east-1 regardless of where the rest of the stack is deployed.
4. After a successful deployment, navigate to your Route 53 hosted zone and add an A record aliased to the distribution, as illustrated in the screenshot below.
5. Go back to OpenSearch Dashboards -> Stack Management -> Create an index pattern (the index will not exist until traffic has started flowing through the CDN), then open the Discover tab.
Any field in the AWS WAF logs may be used as the basis for a search. You may, for instance, search for particular HTTP headers, query strings, or source IP addresses to learn what action was taken on them.
Conclusion
I gave an example of how to deploy a WAF, CDN, OpenSearch, etc. using the AWS CDK in this post and how to set up Amazon OpenSearch Service as a destination for AWS WAF logs and perform searches on the log data.
The ALB, VPN, and other services weren’t included because the article was getting too long.
Please share your thoughts about this blog post in the comments box below. Reach out to me on Twitter at @adiintify if you have any questions or require access to the entire repository.