From ac3ca9fa1160a6b895c40a0679b72844daea8fe8 Mon Sep 17 00:00:00 2001
From: kenzhang <pengkz@amazon.com>
Date: Mon, 3 Aug 2020 14:57:00 +0800
Subject: [PATCH] Add Lambda to update the WAFv2 IPSet

---
 .DS_Store                           | Bin 0 -> 10244 bytes
 README.md                           |   6 ++
 update_wafv2_ipset_lambda/README.md | 107 +++++++++++++++++++++++++++
 update_wafv2_ipset_lambda/lambda.py | 111 ++++++++++++++++++++++++++++
 4 files changed, 224 insertions(+)
 create mode 100644 .DS_Store
 create mode 100644 update_wafv2_ipset_lambda/README.md
 create mode 100644 update_wafv2_ipset_lambda/lambda.py

diff --git a/.DS_Store b/.DS_Store
new file mode 100644
index 0000000000000000000000000000000000000000..0a13387b1a280a815d80976ec57b002f5639db9b
GIT binary patch
literal 10244
zcmeHMU2GIp6h5adFf&k@A_%kmbknBNK!IHX#X`mH4@d<9VOv^CVVT_-+6l8W>(1;J
zT577sp9h2SC-DJ{3Hnx*Clckw#Q2wB{E3Z!Q6KchM<db1Cq4JxX;TU$+7OlG-e&H(
zbI&>Vp8MTzW_s=d0JfK`BtRSh6uOwy7g2SS!u0IAp;SaYDoG@NfDmlRz%ZC_@&;?!
zArX)WNCYGT5&?<8{{aE|X0xI!6jIg_0f~S_U>X7Teu&e>WGa&5Lh@G!RXhbCSw-Ev
zP@D1q?h}t>Dw5+ua#tEtWDgj*Vw7T_a3_77nUhRKa$HE^4k+9KqnR<vP>|0~esOLN
zm=aRf5&?<8jR>&Z-GCAlz@n^uX8vA=&6LYKqzNdi52@{vMIN%uGCLd;vaX*c@2lB@
z>jYsU@fB87R?VBgKvC(hS~->;@`ux*8J2=}vv`!<9W=wCY}D@deRsNTW)C~|a7JI+
z;d`O!cy^IHJC;o*1HF!C`NQpg$+H4JPFg6~JZeUdjgD?<+1eCOCR&nXP4UrWBGJ+m
zZ{B*}*qEv;Z%E$Xbs~ReWc2LVBj?5XF?xr<;#qiHm>U>YkaM%N95&h<uyhBL>71W0
z%m`*KqXgv+u_F~PP3_3n(>tOqG`b$r_GR=XWdiy@A#{8%IBXXKk{Nw*K%3K*^Sy&b
zo9TOVzFW$BK}N61nQpG+nxWn1x@l*`4*Ej-bjVu$fnN+exM4=uOM!jJCOfBWcan9`
z=g@G>Oh<KM(X!Qb_pVQD-Tpx5Wc6K(^_nG`)=zurh0aOGF7^yNRycIT405(-Io@Dz
z*$JGiYj=BQ-mbx?RCV&6<twU<n6YX~HQPne>y^Gz)_J((glG61YibQ`z@kw0`xcwU
z(l0A2*VNY<#!;r}DB4t8io(0sHX2%Yz#=vy!=??I)_sb|rw0@Q3p}}5GkRPzYrDFo
z3b*EMn$cSpNa}l|&K<3q(MNllrzHk8*c5fA+6?13n|YrZga-<?M^Sx5)AQBU8V@SU
z5vFakEQ+c=)hHOjVNmN+iHINyk!&M<7WcpaJ(vY}9G-!5@GP8%*WeOdhIimY_!vHg
z&){?T7Jh`E;a9i@zrpYDCn~rMm*WaFunsrkCQM)p?!*+fVLR@{gLnwj*p0_9hc=$X
zK`h{D9KlgMi%;M=d=8(-7w`g3;2ZcRUc$HVZM=f-;rsXreu0xBzKW@*YyS*FQxm_Z
zYHq}iUNsfRZ$|9cuHD+6|AyG#ED~(Kd+D+@^^F@gZ)<Iv-t}4gJd<#oWr9YWUQ_hp
z8+{#T88eL7N^SM6c;7?pv`;IHV)_DM9go#1#44TB%7`_@)+$7Oy@G4CbuqFu6}?gz
zZ_<(qQCXiSv|F@hmB_AF32lqELm^J<^M!V&mQvZ{sDrp~h^eab&v|+gCg2Ku09T2h
zU&0UY6Z`^yAmRe7;oMw_t8fjj#YS9*>v01%<2GXHc5KC6xEuFi7csRPd$1S#u%DP}
zai%(0!~jcJCdNLBj}c#=#HS<1zKAd5MSOJ@Kf7k}^Yyv$Gw*kHMxR0@@m<d=*G|3L
zHrJ7?+cZ*P=yrTk%ITu#`raU|X6l)~9x{0+5s(N-1SA3y0g1pJhd`x>IL^-hcisB;
z|2uA7GGK{-MBwiufK{F8&UUiD)qnZytUXTG3A$KecH=^F7pj;E>*vSubi<D0`S}I)
iO&we?eJZjW7m|9Y{Odmk+@^yqng7fD-@HTf|Gxkt;l-8!

literal 0
HcmV?d00001

diff --git a/README.md b/README.md
index 15b8e20..52ce0ff 100644
--- a/README.md
+++ b/README.md
@@ -13,6 +13,12 @@ your security groups that are properly tagged will be updated accordingly.
 
 For more information on ip-ranges.json, read the documentation on [AWS IP Address Ranges](http://docs.aws.amazon.com/general/latest/gr/aws-ip-ranges.html).
 
+## update_security_groups_lambda
+
+This AWS Lambda function is written in Python. It aims to automatically update the WAFv2 IPset when CloudFront IP ranges change.
+
+Setup is similar to what is described in the blog post here, simply replace the Lambda function and ensure the WAFv2 IPSet name contains 'cf-auto-update' - https://aws.amazon.com/blogs/security/how-to-automatically-update-your-security-groups-for-amazon-cloudfront-and-aws-waf-by-using-aws-lambda/
+
 ## amazon-cloudfront-staging-to-production
 
 This is a python command line script that replicates staging distribution to production.
diff --git a/update_wafv2_ipset_lambda/README.md b/update_wafv2_ipset_lambda/README.md
new file mode 100644
index 0000000..a564309
--- /dev/null
+++ b/update_wafv2_ipset_lambda/README.md
@@ -0,0 +1,107 @@
+# Setup
+Set up of the solution can be refer to this blog post.
+https://aws.amazon.com/blogs/security/how-to-automatically-update-your-security-groups-for-amazon-cloudfront-and-aws-waf-by-using-aws-lambda/
+
+## Use WAFv2 IPset to restrict ALB or API Gateway ingress traffic to CloudFront IP range only
+
+You could use WAF IPSet based rule to restrict the associated ALB or API Gateway to allow only traffic from the CloudFront IP range. This will reduce the attack surface from network layers if adversaries attempt to DDoS the ALB or API Gateway endpoints directly. 
+
+This Lambda function is to help you update the IPSet IP ranges automatically if CloudFront IP address ever changes using the AWS SNS topic. 
+
+## Configure WAFv2 IPSet 
+The function is looking for IPSet names that contain "cf-auto-update". You can change the keyword in the Python code.
+
+## Event Source
+
+This lambda function is designed to be subscribed to the 
+[AmazonIpSpaceChanged](http://docs.aws.amazon.com/general/latest/gr/aws-ip-ranges.html#subscribe-notifications) 
+SNS topic. In the _Add Event Source_ dialog, select **SNS** in the *Event source type*, and populate *SNS Topic* with `arn:aws:sns:us-east-1:806199016981:AmazonIpSpaceChanged`.
+
+
+## Policy
+
+Here is an example of required Lambda execution role permission policy.
+
+```
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Sid": "VisualEditor0",
+            "Effect": "Allow",
+            "Action": [
+                "wafv2:ListIPSets",
+                "wafv2:UpdateIPSet"
+            ],
+            "Resource": "*"
+        }
+    ]
+}
+```
+
+For more information on ip-ranges.json, read the documentation on [AWS IP Address Ranges](http://docs.aws.amazon.com/general/latest/gr/aws-ip-ranges.html).
+
+## Test Lambda Function
+Now that you have created your function, it’s time to test it and initialize your security group:
+
+1.  In the Lambda console on the Functions page, choose your function, choose the Actions drop-down menu, and then Configure test event.
+2.  Enter the following as your sample event, which will represent an SNS notification.
+
+```
+{
+  "Records": [
+    {
+      "EventVersion": "1.0",
+      "EventSubscriptionArn": "arn:aws:sns:EXAMPLE",
+      "EventSource": "aws:sns",
+      "Sns": {
+        "SignatureVersion": "1",
+        "Timestamp": "1970-01-01T00:00:00.000Z",
+        "Signature": "EXAMPLE",
+        "SigningCertUrl": "EXAMPLE",
+        "MessageId": "95df01b4-ee98-5cb9-9903-4c221d41eb5e",
+        "Message": "{\"create-time\": \"yyyy-mm-ddThh:mm:ss+00:00\", \"synctoken\": \"0123456789\", \"md5\": \"7fd59f5c7f5cf643036cbd4443ad3e4b\", \"url\": \"https://ip-ranges.amazonaws.com/ip-ranges.json\"}",
+        "Type": "Notification",
+        "UnsubscribeUrl": "EXAMPLE",
+        "TopicArn": "arn:aws:sns:EXAMPLE",
+        "Subject": "TestInvoke"
+      }
+    }
+  ]
+}
+```
+3.  After you’ve added the test event, click Save and test. Your Lambda function will be invoked, and you should see log output at the bottom of the console similar to the following.
+<pre>
+Updating from https://ip-ranges.amazonaws.com/ip-ranges.json
+MD5 Mismatch: got <b>2e967e943cf98ae998efeec05d4f351c</b> expected 7fd59f5c7f5cf643036cbd4443ad3e4b: Exception
+Traceback (most recent call last):
+  File "/var/task/lambda_function.py", line 29, in lambda_handler
+    ip_ranges = json.loads(get_ip_groups_json(message['url'], message['md5']))
+  File "/var/task/lambda_function.py", line 50, in get_ip_groups_json
+    raise Exception('MD5 Missmatch: got ' + hash + ' expected ' + expected_hash)
+Exception: MD5 Mismatch: got <b>2e967e943cf98ae998efeec05d4f351c</b> expected 7fd59f5c7f5cf643036cbd4443ad3e4b
+</pre>
+You will see a message indicating there was a hash mismatch. Normally, a real SNS notification from the IP Ranges SNS topic will include the right hash, but because our sample event is a test case representing the event, you will need to update the sample event manually to have the expected hash.
+
+4.  Edit the sample event again, and this time change the md5 hash **that is bold** to be the first hash provided in the log output. In this example, we would update the sample event with the hash “2e967e943cf98ae998efeec05d4f351c”.
+
+
+5.  Click Save and test, and your Lambda function will be invoked.
+
+This time, you should see output indicating your security group was properly updated. If you go back to the EC2 console and view the security group you created, you will now see all the CloudFront IP ranges added as allowed points of ingress. If your log output is different, it should help you identify the issue.
+
+## Configure your Lambda function’s trigger
+After you have validated that your function is executing properly, it’s time to connect it to the SNS topic for IP changes. To do this, use the AWS Command Line Interface (CLI). Enter the following command, making sure to replace <Lambda ARN> with the Amazon Resource Name (ARN) of your Lambda function. You will find this ARN at the top right when viewing the configuration of your Lambda function.
+
+`aws sns subscribe --topic-arn arn:aws:sns:us-east-1:806199016981:AmazonIpSpaceChanged --protocol lambda --notification-endpoint <Lambda ARN>`
+
+You should receive an ARN of your Lambda function’s SNS subscription. Your Lambda function will now be invoked whenever AWS publishes new IP ranges!
+***
+
+Copyright 2018 Amazon.com, Inc. or its affiliates. All Rights Reserved.
+
+Licensed under the Apache License, Version 2.0 (the "License"). You may not use this file except in compliance with the License. A copy of the License is located at
+
+    http://aws.amazon.com/apache2.0/
+
+or in the "license" file accompanying this file. This file is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.
diff --git a/update_wafv2_ipset_lambda/lambda.py b/update_wafv2_ipset_lambda/lambda.py
new file mode 100644
index 0000000..5e89cff
--- /dev/null
+++ b/update_wafv2_ipset_lambda/lambda.py
@@ -0,0 +1,111 @@
+import boto3
+import hashlib
+import json
+import logging
+import urllib.request, urllib.error, urllib.parse
+import os
+
+def lambda_handler(event, context):
+    # Set up logging
+    if len(logging.getLogger().handlers) > 0:
+        logging.getLogger().setLevel(logging.ERROR)
+    else:
+        logging.basicConfig(level=logging.DEBUG)
+    
+    # Set the environment variable DEBUG to 'true' if you want verbose debug details in CloudWatch Logs.
+    try:
+        if os.environ['DEBUG'] == 'true':
+            logging.getLogger().setLevel(logging.INFO)
+    except KeyError:
+        pass
+
+    # If you want a different service, set the SERVICE environment variable.
+    # It defaults to CLOUDFRONT. Using 'jq' and 'curl' get the list of possible
+    # services like this:
+    # curl -s 'https://ip-ranges.amazonaws.com/ip-ranges.json' | jq -r '.prefixes[] | .service' ip-ranges.json | sort -u 
+    SERVICE = os.getenv( 'SERVICE', "CLOUDFRONT")
+    
+    message = json.loads(event['Records'][0]['Sns']['Message'])
+
+    # Load the ip ranges from the url
+    ip_ranges = json.loads(get_ip_groups_json(message['url'], message['md5']))
+
+    # Extract the service ranges
+    global_cf_ranges = get_ranges_for_service(ip_ranges, SERVICE, "GLOBAL")
+    region_cf_ranges = get_ranges_for_service(ip_ranges, SERVICE, "REGION")
+    cf_ranges = global_cf_ranges + region_cf_ranges
+
+    # Update the WAF IPSet groups
+    result = update_ipset(cf_ranges)
+    
+    return result
+
+def update_ipset(ip_ranges):
+    client = boto3.client('wafv2')
+    target_ip_sets = {}
+    token = []
+    for i in client.list_ip_sets(Scope='REGIONAL')['IPSets']:
+        if 'cf-auto-update' in i['Name']:
+            target_ip_sets.update({i['Name']:i['Id']})
+            token = i['LockToken']
+
+    for k, v in target_ip_sets.items():
+        client.update_ip_set(
+        Name=k,
+        Scope='REGIONAL',
+        Id=v,
+        Addresses=ip_ranges,
+        LockToken=token
+        )
+
+def get_ranges_for_service(ranges, service, subset):
+    
+    service_ranges = list()
+    for prefix in ranges['prefixes']:
+        if prefix['service'] == service and ((subset == prefix['region'] and subset == "GLOBAL") or (subset != 'GLOBAL' and prefix['region'] != 'GLOBAL')):
+            logging.info(('Found ' + service + ' region: ' + prefix['region'] + ' range: ' + prefix['ip_prefix']))
+            service_ranges.append(prefix['ip_prefix'])
+
+    return service_ranges
+
+def get_ip_groups_json(url, expected_hash):
+    
+    logging.debug("Updating from " + url)
+
+    response = urllib.request.urlopen(url)
+    ip_json = response.read()
+
+    m = hashlib.md5()
+    m.update(ip_json)
+    hash = m.hexdigest()
+
+    if hash != expected_hash:
+        raise Exception('MD5 Mismatch: got ' + hash + ' expected ' + expected_hash)
+
+    return ip_json
+
+# This is a handy test event you can use when testing your lambda function.
+'''
+Sample Event From SNS:
+{
+  "Records": [
+    {
+      "EventVersion": "1.0",
+      "EventSubscriptionArn": "arn:aws:sns:EXAMPLE",
+      "EventSource": "aws:sns",
+      "Sns": {
+        "SignatureVersion": "1",
+        "Timestamp": "1970-01-01T00:00:00.000Z",
+        "Signature": "EXAMPLE",
+        "SigningCertUrl": "EXAMPLE",
+        "MessageId": "95df01b4-ee98-5cb9-9903-4c221d41eb5e",
+        "Message": "{\"create-time\": \"yyyy-mm-ddThh:mm:ss+00:00\", \"synctoken\": \"0123456789\", \"md5\": \"45be1ba64fe83acb7ef247bccbc45704\", \"url\": \"https://ip-ranges.amazonaws.com/ip-ranges.json\"}",
+        "Type": "Notification",
+        "UnsubscribeUrl": "EXAMPLE",
+        "TopicArn": "arn:aws:sns:EXAMPLE",
+        "Subject": "TestInvoke"
+      }
+    }
+  ]
+}
+'''
\ No newline at end of file