# Deploy the solution
<a name="deploy-the-solution"></a>

This solution uses [AWS CloudFormation templates and stacks](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/cfn-whatis-concepts.html) to automate its deployment. The CloudFormation templates specify the AWS resources included in this solution and their properties. The CloudFormation stack provisions the resources that are described in the templates.

## Deployment process overview
<a name="deployment-process-overview"></a>

Before you launch the CloudFormation template, review the architectural and configuration considerations discussed in this guide. Follow the step-by-step instructions in this section to configure and deploy the solution into your account.

**Time to deploy:** Approximately 15 minutes.

**Note**  
If you have previously deployed this solution, see [Update the solution](update-the-solution.md) for update instructions.

 [Prerequisites](prerequisites.md) 
+ Configure a CloudFront distribution
+ Configure an ALB

 [Step 1. Launch the stack](step-1.-launch-the-stack.md) 
+ Launch the CloudFormation template into your AWS account.
+ Enter values for the required parameters: **Stack Name** and **Application Access Log Bucket Name**.
+ Review the other template parameters, and adjust if necessary.

 [Step 2. Associate the web ACL with your web application](step-2.-associate-the-web-acl-with-your-web-application.md) 
+ Associate your CloudFront web distribution(s) or ALB(s) with the web ACL that this solution generates. You can associate as many distributions or load balancers as you want.

 [Step 3. Configure web access logging](step-3.-configure-web-access-logging.md) 
+ Turn on web access logging for your CloudFront web distribution(s) or ALB(s), and send log files to the appropriate Amazon S3 bucket. Save logs in a folder matching the user-defined prefix. If no user-defined prefix is used, save logs to AWSLogs (default log prefix `AWSLogs/`). See the **Application Access Log Bucket Prefix** parameter in [Step 1. Launch the stack](step-1.-launch-the-stack.md) for more information.

# AWS CloudFormation templates
<a name="aws-cloudformation-templates"></a>

This solution includes one main AWS CloudFormation template and two nested templates. You can download the CloudFormation templates before deploying the solution.

## Main stack
<a name="main-stack"></a>

 [https://s3.amazonaws.com/solutions-reference/security-automations-for-aws-waf/latest/aws-waf-security-automations.template](https://s3.amazonaws.com/solutions-reference/security-automations-for-aws-waf/latest/aws-waf-security-automations.template) **aws-waf-security-automations.template** - Use this template as the entry point to launch the solution in your account. The default configuration deploys an AWS WAF web ACL with preconfigured rules. You can customize the template based on your needs.

## WebACL stack
<a name="webacl-stack"></a>

[https://s3.amazonaws.com/solutions-reference/security-automations-for-aws-waf/latest/aws-waf-security-automations-webacl.template](https://s3.amazonaws.com/solutions-reference/security-automations-for-aws-waf/latest/aws-waf-security-automations-webacl.template) **aws-waf-security-automations-webacl.template** - This nested template provisions AWS WAF resources, including a web ACL, IP sets, and other associated resources.

## Firehose Athena stack
<a name="firehose-athena-stack"></a>

 [https://s3.amazonaws.com/solutions-reference/security-automations-for-aws-waf/latest/aws-waf-security-automations-firehose-athena.template](https://s3.amazonaws.com/solutions-reference/security-automations-for-aws-waf/latest/aws-waf-security-automations-firehose-athena.template) **aws-waf-security-automations-firehose-athena.template** - This nested template provisions resources related to [AWS Glue](https://aws.amazon.com/glue/), Athena, and Firehose. It’s created when you choose either the **Scanner & Probe** Athena log parser or the **HTTP Flood** Lambda or Athena log parser.

**Note**  
AWS CloudFormation resources are created from AWS Cloud Development Kit (AWS CDK) constructs.

This AWS CloudFormation template deploys the Security Automations for AWS WAF solution in the AWS Cloud.

# Prerequisites
<a name="prerequisites"></a>

This solution is designed to work with web applications deployed with CloudFront or an ALB. If you don’t already have one of these resources configured, complete the applicable tasks before you launch this solution.

## Configure a CloudFront distribution
<a name="configure-a-cloudfront-distribution"></a>

Complete the following steps to configure a CloudFront distribution for your web application’s static and dynamic content. Refer to the [Amazon CloudFront Developer Guide](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/Introduction.html) for detailed instructions.

1. Create a CloudFront web application distribution. Refer to [Creating a Distribution](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/distribution-web-creating-console.html).

1. Configure static and dynamic origins. Refer to [Using various origins with CloudFront distributions](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/DownloadDistS3AndCustomOrigins.html).

1. Specify your distribution’s behavior. Refer to [Values that you specify when you create or update a distribution](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/distribution-web-values-specify.html).
**Note**  
If you choose `CloudFront` as your endpoint, you must create your WAFV2 resources in the US East (N. Virginia) Region.

## Configure an ALB
<a name="configure-an-alb"></a>

To configure an ALB to distribute incoming traffic to your web application, refer to [Create an Application Load Balancer](https://docs.aws.amazon.com/elasticloadbalancing/latest/application/create-application-load-balancer.html) in the *User Guide for Application Load Balancers*.

# Step 1. Launch the stack
<a name="step-1.-launch-the-stack"></a>

This automated AWS CloudFormation template deploys the solution on the AWS Cloud.

1. Sign in to the [AWS Management Console](https://aws.amazon.com/console) and choose **Launch Solution** to launch the `waf-automation-on-aws.template` CloudFormation template.

    [https://console.aws.amazon.com/cloudformation/home?region=us-east-1#/stacks/new?stackName=WAFSecurityAutomations&templateURL=https:%2F%2Fs3.amazonaws.com%2Fsolutions-reference%2Fsecurity-automations-for-aws-waf%2Flatest%2Faws-waf-security-automations.template&redirectId=ImplementationGuide](https://console.aws.amazon.com/cloudformation/home?region=us-east-1#/stacks/new?stackName=WAFSecurityAutomations&templateURL=https:%2F%2Fs3.amazonaws.com%2Fsolutions-reference%2Fsecurity-automations-for-aws-waf%2Flatest%2Faws-waf-security-automations.template&redirectId=ImplementationGuide) 

1. The template launches in the US East (N. Virginia) Region by default. To launch this solution in a different AWS Region, use the Region selector in the console navigation bar. If you choose `CloudFront` as your endpoint, you must deploy the solution in the US East (N. Virginia) (`us-east-1`) Region.
**Note**  
Depending on the input parameter values you define, this solution requires different resources. These resources are currently available in specific AWS Regions only. Therefore, you must launch this solution in an AWS Region where these services are available. For more information, refer to [Supported AWS Regions](plan-your-deployment.md#supported-aws-regions).

1. On the **Specify template** page, verify that you selected the correct template and choose **Next**.

1. On the **Specify stack details** page, assign a name to your AWS WAF configuration in the **Stack name** field. This is also the name of the web ACL that the template creates.

1. Under **Parameters**, review the parameters for the template and modify them as necessary. To opt out of a particular feature, choose `none` or `no` as applicable. This solution uses the following default values.    
[See the AWS documentation website for more details](http://docs.aws.amazon.com/solutions/latest/security-automations-for-aws-waf/step-1.-launch-the-stack.html)

1. Choose **Next.** 

1. On the **Configure stack options** page, you can specify tags (key-value pairs) for resources in your stack and set additional options. Choose **Next**.

1. On the **Review and create** page, review and confirm the settings. Select the boxes acknowledging that the template will create IAM resources and any additional capabilities required.

1. Choose **Submit** to deploy the stack.

   View the status of the stack in the AWS CloudFormation console in the **Status** column. You should receive a status of `CREATE_COMPLETE` in approximately 15 minutes.
**Note**  
In addition to the `Log Parser` and `IP Lists Parser` AWS Lambda functions, this solution includes the `helper` and `custom-resource` Lambda functions, which run only during initial configuration or when resources are updated or deleted.  
When using this solution, you will see all functions in the AWS Lambda console, but only the three primary solution functions are regularly active. Don’t delete the other two functions; they are necessary to manage associated resources.

To see details about the stack resources, choose the **Outputs** tab. This includes the **BadBotHoneypotEndpoint** value. Note this value, because you will use it in [Embed the Honeypot link in your web application](embed-the-honeypot-link-in-your-web-application-optional.md).

# Step 2. Associate the web ACL with your web application
<a name="step-2.-associate-the-web-acl-with-your-web-application"></a>

Update your CloudFront distribution(s) or ALB(s) to activate AWS WAF and logging using the resources you generated in [Step 1. Launch the stack](step-1.-launch-the-stack.md).

1. Sign in to the [AWS WAF console](https://console.aws.amazon.com/wafv2/).

1. Choose the web ACL that you want to use.

1. On the **Associated AWS resources** tab, choose **Add AWS resources**.

1. Under **Resource type**, choose the CloudFront distribution or ALB.

1. Select a resource from the list, then choose **Add** to save your changes.

# Step 3. Configure web access logging
<a name="step-3.-configure-web-access-logging"></a>

Configure CloudFront or your ALB to send web access logs to the appropriate Amazon S3 bucket so that this data is available for the Log Parser Lambda function.

## Store web access logs from a CloudFront distribution
<a name="store-web-access-logs-from-a-cloudfront-distribution"></a>

1. Sign in to the [Amazon CloudFront console](https://console.aws.amazon.com/cloudfront/).

1. Select your web application’s distribution, and choose **Distribution Settings**.

1. On the **General** tab, choose **Edit**.

1. For **AWS WAF Web ACL**, choose the web ACL that the solution created (its name is the **Stack name** parameter).

1. For **Logging**, choose **On**.

1. For **Bucket for Logs**, choose the S3 bucket that you want to use for storing web access logs. This can be a new or existing S3 bucket that is used in the main stack and has permission for CloudFront to write logs. The drop-down list enumerates the buckets associated with the current AWS account. For more information, see [Getting started with a basic CloudFront distribution](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/GettingStarted.SimpleDistribution.html) in the *Amazon CloudFront Developer Guide*.

1. Set the log prefix to the prefix used for deploying the solution. You can find the prefix in the main stack, **Parameters** tab, **AppAccessLogBucketPrefixParam** (default `AWSLogs/`).

1. Choose **Yes, edit** to save your changes.

For more information, refer to [Configuring and using standard logs (access logs)](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/AccessLogs.html) in the *Amazon CloudFront Developer Guide*.

## Store web access logs from an Application Load Balancer
<a name="store-web-access-logs-from-an-application-load-balancer"></a>

1. Sign in to the [Amazon Elastic Compute Cloud (Amazon EC2) console](https://console.aws.amazon.com/ec2/).

1. In the navigation pane, choose **Load Balancers**.

1. Select your web application’s ALB.

1. On the **Description** tab, choose **Edit attributes**.

1. Choose **Enable access logs**.

1. For **S3 location**, type the name of the S3 bucket that you want to use for storing web access logs. This can be a new or existing S3 bucket that is used in the main stack and has permission for Application Load Balancer to write logs.

1. Set the log prefix to the prefix used for deploying the solution. You can find the prefix in the main stack, **Parameters** tab, **AppAccessLogBucketPrefixParam** (default `AWSLogs/`).

1. Choose **Save**.

For more information, refer to [Access Logs for your Application Load Balancer](https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-access-logs.html) in the *Elastic Load Balancing User Guide*.
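The three steps above only work together if the values entered in Step 1 and the logging destination configured in Step 3 agree: a CloudFront endpoint needs the stack in `us-east-1`, and log files must land in the **Application Access Log Bucket Name** bucket under the **AppAccessLogBucketPrefixParam** prefix, or the Log Parser Lambda function never sees them. The following pre-flight check is an added example, not part of the solution's own code; `StackPlan`, `LoggingConfig` and `preflight` are hypothetical names, and it compares the values as you would type them into the consoles, without calling AWS.

```python
"""Pre-flight consistency check for a Security Automations for AWS WAF deployment.

Added example (not the solution's own code): cross-checks the Step 1 stack
parameters against the Step 3 access-logging configuration of a CloudFront
distribution or ALB. Pure Python, no AWS API calls.
"""
from __future__ import annotations
from dataclasses import dataclass

DEFAULT_LOG_PREFIX = "AWSLogs/"   # default of AppAccessLogBucketPrefixParam
CLOUDFRONT_REGION = "us-east-1"   # WAFV2 resources for CloudFront must live here


@dataclass
class StackPlan:
    """Values you intend to enter on the 'Specify stack details' page."""
    stack_name: str
    region: str
    endpoint: str                       # "CloudFront" or "ALB"
    log_bucket: str                     # Application Access Log Bucket Name
    log_prefix: str = DEFAULT_LOG_PREFIX


@dataclass
class LoggingConfig:
    """Access-logging settings as configured on the distribution or ALB."""
    enabled: bool
    bucket: str
    prefix: str


def normalize_prefix(prefix: str) -> str:
    """Strip stray slashes and give a non-empty prefix exactly one trailing slash."""
    prefix = (prefix or "").strip("/")
    return prefix + "/" if prefix else ""


def preflight(plan: StackPlan, logging: LoggingConfig) -> list[str]:
    """Return a list of findings; an empty list means the two configurations agree."""
    findings: list[str] = []
    if plan.endpoint == "CloudFront" and plan.region != CLOUDFRONT_REGION:
        findings.append(f"CloudFront endpoint requires {CLOUDFRONT_REGION}, stack is in {plan.region}")
    if not logging.enabled:
        findings.append("access logging is off; the Log Parser will have no log files to read")
    if logging.bucket != plan.log_bucket:
        findings.append(f"logs go to bucket {logging.bucket!r}, stack reads {plan.log_bucket!r}")
    # Compared as entered; this does not model each service's own object-key layout.
    if normalize_prefix(logging.prefix) != normalize_prefix(plan.log_prefix):
        findings.append(f"log prefix {logging.prefix!r} does not match stack prefix {plan.log_prefix!r}")
    return findings
```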