Update the solution - Security Automations for AWS WAF

Update the solution

If you previously deployed the solution, follow this procedure to update the solution’s CloudFormation stack to get the latest version of the solution’s framework. Before you update the stack, read Update considerations carefully.

  1. Sign in to the AWS CloudFormation console.

  2. Select Stacks in the left navigation menu.

  3. Select your existing aws-waf-security-automations CloudFormation stack.

  4. Choose Update.

  5. Select Replace current template.

  6. Under Specify template:

    1. Select Amazon S3 URL.

    2. Copy the link to the aws-waf-security-automations.template AWS CloudFormation template.

    3. Paste the link in the Amazon S3 URL box.

    4. Verify that the correct template URL shows in the Amazon S3 URL text box.

    5. Choose Next.

    6. Choose Next again.

  7. Under Parameters, review the parameters for the template and modify them as necessary. Refer to Step 1. Launch the stack for details about the parameters.

  8. Choose Next.

  9. On the Configure stack options page, choose Next.

  10. On the Review page, review and confirm the settings.

  11. Select the box acknowledging that the template might create IAM resources.

  12. Choose View change set and verify the changes.

  13. Choose Update stack to deploy the stack.

You can see the status of the stack in the AWS CloudFormation console in the Status column. You should see a status of UPDATE_COMPLETE in approximately 15 minutes.
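Step 12 above asks you to view the change set and verify the changes before updating. The following added example (not part of the Security Automations for AWS WAF solution) shows that check as code: it reads a change set through the boto3 CloudFormation client's describe_change_set operation, follows NextToken pages, and flags any resource that would be replaced or removed, which is what a reviewer should look for before choosing Update stack. The client is passed in, so the FakeCloudFormation class below (constructed data with made-up logical IDs, not the solution's actual resources) exercises the logic offline; with a real client you need boto3 installed and credentials for the account that owns the stack.

```python
"""Review a CloudFormation change set for replacements and removals before executing it."""

# Replacement values CloudFormation reports on a ResourceChange that a reviewer must look at.
RISKY_REPLACEMENT = {"True", "Conditional"}


def collect_changes(client, stack_name, change_set_name):
    """Return every ResourceChange in the change set, following NextToken pages."""
    changes = []
    kwargs = {"StackName": stack_name, "ChangeSetName": change_set_name}
    while True:
        page = client.describe_change_set(**kwargs)
        changes.extend(c["ResourceChange"] for c in page.get("Changes", []) if "ResourceChange" in c)
        token = page.get("NextToken")
        if not token:
            return changes
        kwargs["NextToken"] = token


def summarize(changes):
    """Split changes into replacements, removals and everything else."""
    summary = {"replace": [], "remove": [], "other": []}
    for change in changes:
        ident = f"{change['LogicalResourceId']} ({change['ResourceType']})"
        if change.get("Action") == "Remove":
            summary["remove"].append(ident)
        elif change.get("Replacement") in RISKY_REPLACEMENT:
            summary["replace"].append(ident)
        else:
            summary["other"].append(ident)
    return summary


def safe_to_execute(summary):
    """True when the change set neither replaces nor removes any resource."""
    return not summary["replace"] and not summary["remove"]


class FakeCloudFormation:
    """Constructed stand-in for the boto3 CloudFormation client: two pages of changes."""

    def __init__(self):
        self.calls = []
        self.pages = [
            {
                "Changes": [
                    {"ResourceChange": {"Action": "Modify", "LogicalResourceId": "ExampleFunction",
                                        "ResourceType": "AWS::Lambda::Function", "Replacement": "False"}},
                    {"ResourceChange": {"Action": "Modify", "LogicalResourceId": "ExampleWebACL",
                                        "ResourceType": "AWS::WAFv2::WebACL", "Replacement": "Conditional"}},
                ],
                "NextToken": "page-2",
            },
            {
                "Changes": [
                    {"ResourceChange": {"Action": "Remove", "LogicalResourceId": "ExampleRestApi",
                                        "ResourceType": "AWS::ApiGateway::RestApi"}},
                ],
            },
        ]

    def describe_change_set(self, **kwargs):
        """Return the pages in order, one per call, recording the arguments used."""
        self.calls.append(kwargs)
        return self.pages[len(self.calls) - 1]


if __name__ == "__main__":
    import sys
    import boto3  # only needed when run against a real account

    stack, change_set = sys.argv[1], sys.argv[2]
    result = summarize(collect_changes(boto3.client("cloudformation"), stack, change_set))
    for kind in ("replace", "remove"):
        for ident in result[kind]:
            print(f"{kind.upper()}: {ident}")
    print("safe to execute" if safe_to_execute(result) else "review replacements/removals first")
```

Run it as `python review_change_set.py aws-waf-security-automations <change-set-name>` after creating the change set in the console (or with `aws cloudformation create-change-set`); a Conditional replacement of the web ACL or the removal of a resource you still rely on is the signal to stop and read the update considerations below before executing.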

Update considerations

The following sections provide constraints and considerations for updating this solution.

Resource type update

You must deploy a new stack to update the Endpoint parameter after creating the stack. Don’t change the Endpoint parameter when updating the stack.

WAFV2 upgrade

Starting from version 3.0, this solution supports AWS WAFV2. We replaced all the AWS WAF Classic API calls with AWS WAFV2 API calls. This removes dependencies on Node.js and uses the most up-to-date Python runtime. To continue using this solution with the latest features and improvements, you must deploy version 3.0 or higher as a new stack.

Customizations at stack update

The out-of-box solution deploys a set of AWS WAF rules with default configurations into your AWS account with the CloudFormation stack. We don’t recommend applying customizations to rules deployed by the solution. Stack updates overwrite these changes. If you need customized rules, we recommend creating separate rules outside of the solution.

Bad bot Protection upgrade

In version 4.1.0, the Access Handler Lambda with API Gateway has been deprecated and replaced with enhanced log functionality from the Log parser - Bad bot feature. Instead of handling direct requests through API Gateway, the solution now reuses the log stream to detect bad bots.

Previous Implementation:

  1. Required Access Handler Lambda and API Gateway.

  2. Used honeypot endpoint for direct request handling.

  3. Required embedding honeypot endpoint in websites.

New Implementation (4.1.0+): The Bad Bot Protection log parser now:

  1. Inspects requests to the honeypot endpoint through logs.

  2. Processes requests when Bad Bot Protection is activated.

  3. Uses WAF filter BadBotRuleFilter to identify bad bot requests.

  4. Analyzes log data to identify IP addresses exceeding defined quotas.

  5. Updates AWS WAF IP set conditions to block identified addresses.

This change simplifies the architecture by eliminating duplicate functionality and leveraging existing log processing capabilities.
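The log-based detection described above, as an added example that is not the solution's own Log parser code: it reads AWS WAF JSON log records, counts requests to the honeypot endpoint per client IP, and turns IPs that exceed a quota into IP set entries, split by IP version because a WAFv2 IP set holds either IPv4 or IPv6 addresses. The log lines, the honeypot path and the quota are constructed for illustration; the solution's real path comes from its stack parameters, its quota from its configuration, and its BadBotRuleFilter is not reproduced here.

```python
"""Find client IPs that exceed a request quota against the honeypot endpoint in WAF logs."""
import ipaddress
import json
from collections import Counter

# Hypothetical honeypot path and quota; the real values belong to the solution's parameters.
HONEYPOT_PATH = "/example-honeypot"
REQUEST_QUOTA = 2  # more than this many honeypot hits marks the IP as a bad bot

# Constructed log lines in the shape of AWS WAF JSON logs (only the fields used here),
# plus one damaged line to show that malformed records are skipped rather than fatal.
SAMPLE_LOG = "\n".join([
    '{"timestamp": 1700000000000, "action": "ALLOW", "httpRequest": {"clientIp": "198.51.100.7", "uri": "/example-honeypot"}}',
    '{"timestamp": 1700000001000, "action": "ALLOW", "httpRequest": {"clientIp": "198.51.100.7", "uri": "/example-honeypot?x=1"}}',
    '{"timestamp": 1700000002000, "action": "ALLOW", "httpRequest": {"clientIp": "198.51.100.7", "uri": "/example-honeypot"}}',
    '{"timestamp": 1700000003000, "action": "ALLOW", "httpRequest": {"clientIp": "203.0.113.9", "uri": "/example-honeypot"}}',
    '{"timestamp": 1700000004000, "action": "ALLOW", "httpRequest": {"clientIp": "203.0.113.9", "uri": "/index.html"}}',
    '{"timestamp": 1700000005000, "action": "ALLOW", "httpRequest": {"clientIp": "2001:db8::1", "uri": "/example-honeypot"}}',
    '{"timestamp": 1700000006000, "action": "ALLOW", "httpRequest": {"clientIp": "2001:db8::1", "uri": "/example-honeypot"}}',
    '{"timestamp": 1700000007000, "action": "ALLOW", "httpRequest": {"clientIp": "2001:db8::1", "uri": "/example-honeypot"}}',
    '{"timestamp": 1700000008000, "action": "ALLOW", "httpRequest": {"clientIp": "bad-ip", "uri": "/example-honeypot"}}',
    '{"timestamp": 1700000009000, "action": "ALLOW", "httpRequest": {"clientIp": "bad-ip", "uri": "/example-honeypot"}}',
    '{"timestamp": 1700000010000, "action": "ALLOW", "httpRequest": {"clientIp": "bad-ip", "uri": "/example-honeypot"}}',
    'this line is not JSON {',
])


def parse_records(log_text):
    """Yield parsed log records, skipping lines that are not JSON objects with an httpRequest."""
    for line in log_text.splitlines():
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(record, dict) and isinstance(record.get("httpRequest"), dict):
            yield record


def honeypot_hits(records, honeypot_path=HONEYPOT_PATH):
    """Count honeypot requests per client IP; the query string is ignored when matching the path."""
    counts = Counter()
    for record in records:
        request = record["httpRequest"]
        path = request.get("uri", "").split("?", 1)[0]
        if path == honeypot_path:
            counts[request.get("clientIp", "")] += 1
    return counts


def addresses_over_quota(counts, quota=REQUEST_QUOTA):
    """Return IP set entries (host CIDRs, grouped by IP version) for IPs exceeding the quota."""
    entries = {"IPV4": [], "IPV6": []}
    for ip, hits in counts.items():
        if hits <= quota:
            continue
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue  # malformed clientIp field: never write garbage into an IP set
        entries["IPV4" if addr.version == 4 else "IPV6"].append(f"{addr}/{addr.max_prefixlen}")
    return {version: sorted(values) for version, values in entries.items()}


def bad_bot_addresses(log_text, honeypot_path=HONEYPOT_PATH, quota=REQUEST_QUOTA):
    """Full pipeline: log text in, IP set entries out."""
    return addresses_over_quota(honeypot_hits(parse_records(log_text), honeypot_path), quota)


if __name__ == "__main__":
    print(json.dumps(bad_bot_addresses(SAMPLE_LOG), indent=2))
```

The two address lists map onto the solution's separate IPv4 and IPv6 IP sets; an address that is not a valid IP is dropped rather than passed to update-ip-set, where it would fail the whole update.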

CDK upgrade

Starting from version v4.1.0, this solution is supported by CDK. If you are migrating from a version below v4.1.0, first use the new template to update the solution in CloudFormation. After that, you can update the solution locally from your terminal using cdk deploy (see the README for more information). If you try to use cdk deploy directly on a pre-4.1.0 stack, you might see this error: Insufficient indentation in flow collection

The other way to update the solution is to use the template provided by the solution: go to the CloudFormation section of the AWS console, choose to update the stack, and paste the new template there.

Note

If you are upgrading from version 3.0 or 3.1 to version 3.2 or newer of this solution, and you have manually inserted IP addresses into the allowed or denied IP set, you will be at risk of losing those IP addresses. To prevent that from happening, make a copy of the IP addresses in the allowed or denied IP set before upgrading the solution. Then after you complete the upgrade, add the IP addresses back to the IP set as needed. Refer to the get-ip-set and update-ip-set CLI commands. If you’re already using version 3.2 or newer, ignore this step.
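The backup-and-restore step from the note, as an added example that is not part of the solution: it uses the boto3 wafv2 client's get_ip_set and update_ip_set operations (the API behind the get-ip-set and update-ip-set CLI commands named above) to save the IP set's addresses before the upgrade and merge them back afterwards. The restore keeps whatever the upgraded solution has already written, drops duplicates, and passes the LockToken from the read to the write so that a concurrent change by the solution's own Lambda is rejected instead of silently overwritten. The client is injected, so the FakeWafv2 class (constructed, lock-token checked) runs the logic offline; with a real client the Scope is "REGIONAL" or "CLOUDFRONT" and the IP set name and ID come from your stack's resources.

```python
"""Save an AWS WAFv2 IP set's addresses before an upgrade and merge them back afterwards."""
import json


def backup_ip_set(client, name, scope, ip_set_id):
    """Return the IP set's current addresses (the list you should keep in a file during the upgrade)."""
    response = client.get_ip_set(Name=name, Scope=scope, Id=ip_set_id)
    return list(response["IPSet"]["Addresses"])


def restore_ip_set(client, name, scope, ip_set_id, saved_addresses):
    """Merge saved addresses into the IP set as it exists now; return the resulting list.

    Existing entries come first and duplicates are dropped; nothing is written when
    the set already contains every saved address, so the call is safe to repeat.
    """
    current = client.get_ip_set(Name=name, Scope=scope, Id=ip_set_id)
    existing = list(current["IPSet"]["Addresses"])
    merged = list(dict.fromkeys(existing + list(saved_addresses)))
    if merged == existing:
        return merged
    client.update_ip_set(Name=name, Scope=scope, Id=ip_set_id,
                         Addresses=merged, LockToken=current["LockToken"])
    return merged


def save_backup(path, addresses):
    """Write the backup as JSON so it survives the upgrade outside the stack."""
    with open(path, "w", encoding="utf-8") as handle:
        json.dump(addresses, handle)


def load_backup(path):
    """Read a backup written by save_backup."""
    with open(path, encoding="utf-8") as handle:
        return json.load(handle)


class FakeWafv2:
    """Constructed stand-in for the boto3 wafv2 client: one IP set with optimistic locking."""

    def __init__(self, addresses):
        self.addresses = list(addresses)
        self.lock_token = "token-1"
        self.updates = []

    def get_ip_set(self, Name, Scope, Id):
        return {"IPSet": {"Name": Name, "Id": Id, "Addresses": list(self.addresses)},
                "LockToken": self.lock_token}

    def update_ip_set(self, Name, Scope, Id, Addresses, LockToken):
        # The real service rejects a stale token; this stand-in raises a plain error for it.
        if LockToken != self.lock_token:
            raise RuntimeError("stale LockToken (constructed stand-in for WAFOptimisticLockException)")
        self.addresses = list(Addresses)
        self.updates.append(list(Addresses))
        self.lock_token = f"token-{len(self.updates) + 1}"
        return {"NextLockToken": self.lock_token}


if __name__ == "__main__":
    # Real usage (assumes boto3 is installed and credentials are configured):
    #   python ipset_backup.py backup  <name> <scope> <id> backup.json   (before the upgrade)
    #   python ipset_backup.py restore <name> <scope> <id> backup.json   (after UPDATE_COMPLETE)
    import sys
    import boto3

    action, name, scope, ip_set_id, path = sys.argv[1:6]
    wafv2 = boto3.client("wafv2")
    if action == "backup":
        save_backup(path, backup_ip_set(wafv2, name, scope, ip_set_id))
    elif action == "restore":
        print(restore_ip_set(wafv2, name, scope, ip_set_id, load_backup(path)))
```

Run the backup for both the allowed and the denied IP set (and for the IPv6 sets if you populated them) before starting the update, and the restore only once the stack shows UPDATE_COMPLETE; the merge keeps any entries the new version added on its own.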