
Add Lambda to update the WAFv2 IPSet #46

Open: wants to merge 1 commit into base: master

Conversation

kenpkzhang

Issue #, if available:

Description of changes:
You could use a WAF IPSet-based rule to restrict the associated ALB or API Gateway to allow only traffic from the CloudFront IP range. This will reduce the attack surface at the network layer if adversaries attempt to DDoS the ALB or API Gateway endpoints directly.

This Lambda function helps you update the IPSet IP ranges automatically if the CloudFront IP addresses ever change, using the AWS SNS topic. Setup of the solution is described in this blog post:
https://aws.amazon.com/blogs/security/how-to-automatically-update-your-security-groups-for-amazon-cloudfront-and-aws-waf-by-using-aws-lambda/

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.
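The flow the PR description and the linked blog post outline (an AmazonIpSpaceChanged SNS notification triggers a Lambda that downloads ip-ranges.json, checks its MD5 against the one in the message, pulls out the CLOUDFRONT prefixes and rewrites the IP set) is shown below against the WAFv2 API, as an added example; it is not the Lambda in this PR. The environment variable names, `MAX_IPSET_ADDRESSES`, `FakeWafv2Client` and the sample ip-ranges document are assumptions made for the example; the real `get_ip_set`/`update_ip_set` calls and the `LockToken`/`NextLockToken` handshake are the boto3 wafv2 API. Two points the example adds that the description does not state: WAFv2 IP sets hold a single address version, so IPv4 and IPv6 CloudFront ranges need separate sets, and an empty parsed result should never be written, because a whitelist rule backed by an empty set silently drops all traffic.

```python
"""Example WAFv2 IP set updater, added here for illustration; not this PR's code.
Flow: SNS AmazonIpSpaceChanged -> download ip-ranges.json -> verify MD5 ->
collect CLOUDFRONT prefixes -> UpdateIPSet with a fresh LockToken.
Environment variable names and FakeWafv2Client are assumptions for the example."""
import hashlib
import json
import os
import urllib.request

# Assumed default WAFv2 quota for addresses in one IP set; confirm against your account.
MAX_IPSET_ADDRESSES = 10000


def verify_md5(body: bytes, expected_md5: str) -> bool:
    """The AmazonIpSpaceChanged message carries the MD5 of the published file.
    Refuse to apply a download whose hash does not match (truncated or altered)."""
    return hashlib.md5(body).hexdigest() == expected_md5.strip().lower()


def cloudfront_prefixes(ip_ranges: dict) -> dict:
    """Collect CLOUDFRONT CIDRs as {'IPV4': [...], 'IPV6': [...]}, de-duplicated and
    sorted. A WAFv2 IP set holds one address version, so v4 and v6 go to separate sets."""
    v4 = {p["ip_prefix"] for p in ip_ranges.get("prefixes", [])
          if p.get("service") == "CLOUDFRONT"}
    v6 = {p["ipv6_prefix"] for p in ip_ranges.get("ipv6_prefixes", [])
          if p.get("service") == "CLOUDFRONT"}
    return {"IPV4": sorted(v4), "IPV6": sorted(v6)}


def update_ip_set(wafv2, name: str, ip_set_id: str, addresses: list,
                  scope: str = "REGIONAL") -> str:
    """Replace the whole address list of a WAFv2 IP set and return the new LockToken.
    UpdateIPSet requires the LockToken from a fresh GetIPSet (optimistic locking);
    Scope is REGIONAL for IP sets used by ALB / API Gateway web ACLs."""
    if not addresses:
        raise ValueError("refusing to write an empty IP set: no CLOUDFRONT ranges parsed")
    if len(addresses) > MAX_IPSET_ADDRESSES:
        raise ValueError(f"{len(addresses)} addresses exceed the IP set quota")
    current = wafv2.get_ip_set(Name=name, Scope=scope, Id=ip_set_id)
    resp = wafv2.update_ip_set(Name=name, Scope=scope, Id=ip_set_id,
                               Addresses=addresses, LockToken=current["LockToken"])
    return resp["NextLockToken"]


def lambda_handler(event, context):
    """SNS-triggered entry point (needs boto3, network access and wafv2:GetIPSet/UpdateIPSet)."""
    import boto3  # imported lazily so the pure helpers above run without it
    message = json.loads(event["Records"][0]["Sns"]["Message"])
    with urllib.request.urlopen(message["url"]) as resp:
        body = resp.read()
    if not verify_md5(body, message["md5"]):
        raise RuntimeError("MD5 mismatch for ip-ranges.json; IP set left unchanged")
    prefixes = cloudfront_prefixes(json.loads(body))
    wafv2 = boto3.client("wafv2")
    update_ip_set(wafv2, os.environ["IPSET_V4_NAME"], os.environ["IPSET_V4_ID"], prefixes["IPV4"])
    if os.environ.get("IPSET_V6_ID"):  # optional second set for the IPv6 ranges
        update_ip_set(wafv2, os.environ["IPSET_V6_NAME"], os.environ["IPSET_V6_ID"], prefixes["IPV6"])
    return {"ipv4": len(prefixes["IPV4"]), "ipv6": len(prefixes["IPV6"])}


class FakeWafv2Client:
    """Offline stand-in for boto3's wafv2 client (an assumption of this example):
    enforces the LockToken handshake and records what was written."""
    def __init__(self):
        self.lock_token = "lock-1"
        self.addresses = None

    def get_ip_set(self, Name, Scope, Id):
        return {"IPSet": {"Name": Name, "Id": Id, "Addresses": self.addresses or []},
                "LockToken": self.lock_token}

    def update_ip_set(self, Name, Scope, Id, Addresses, LockToken):
        if LockToken != self.lock_token:
            raise RuntimeError("WAFOptimisticLockException")
        self.addresses = list(Addresses)
        self.lock_token = "lock-2"
        return {"NextLockToken": self.lock_token}


# Constructed sample of ip-ranges.json using documentation ranges, not real CloudFront prefixes.
SAMPLE_IP_RANGES = {
    "syncToken": "0000000000",
    "prefixes": [
        {"ip_prefix": "203.0.113.0/24", "region": "GLOBAL", "service": "CLOUDFRONT"},
        {"ip_prefix": "203.0.113.0/24", "region": "GLOBAL", "service": "AMAZON"},
        {"ip_prefix": "198.51.100.0/24", "region": "us-east-1", "service": "EC2"},
        {"ip_prefix": "192.0.2.0/24", "region": "us-west-2", "service": "CLOUDFRONT"},
    ],
    "ipv6_prefixes": [
        {"ipv6_prefix": "2001:db8::/32", "region": "GLOBAL", "service": "CLOUDFRONT"},
    ],
}
SAMPLE_BODY = json.dumps(SAMPLE_IP_RANGES).encode()
SAMPLE_MD5 = hashlib.md5(SAMPLE_BODY).hexdigest()  # what the SNS message would carry


if __name__ == "__main__":
    assert verify_md5(SAMPLE_BODY, SAMPLE_MD5)
    client = FakeWafv2Client()
    ranges = cloudfront_prefixes(json.loads(SAMPLE_BODY))
    print(update_ip_set(client, "cloudfront-v4", "ipset-id", ranges["IPV4"]), client.addresses)
```

Because the Lambda replaces the full address list on every run, the IP set should contain nothing but CloudFront ranges; any hand-added addresses in the same set are wiped on the next notification, so keep operator-managed allowlists in a separate IP set and a separate rule.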

@be-aws-architect

Thank you for providing this, this helped me with implementing this for WAFv1 in my environment!
