Merge pull request #276 from aws-solutions/feature/v4.0.6

Update to version v4.0.6

Author: abewub

CHANGELOG.md

@@ -4,6 +4,16 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [4.0.6] - 2024-12-17
+
+### Changed
+
+- Update the lambda to python 3.12
+
+### Fixed
+
+- Added a check for payload for logging before sanitizing and logging  [Github issue 274](https://github.com/aws-solutions/aws-waf-security-automations/issues/274)
+
 ## [4.0.5] - 2024-10-24
 
 ### Changed
@@ -15,13 +25,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ## [4.0.4] - 2024-09-23
 
 ### Fixed
-- Patched dependency version of `requests` to `2.32.3` to mitigate [CVE-2024-3651](https://nvd.nist.gov/vuln/detail/CVE-2024-3651)
-- Pinned all dependencies to specific versions for reproducable builds and enable security scanning
-- Allow to install latest version of `urllib3` as transitive dependency
 
-## [4.0.4] - 2024-09-23
-
-### Fixed
 - Patched dependency version of `requests` to `2.32.3` to mitigate [CVE-2024-3651](https://nvd.nist.gov/vuln/detail/CVE-2024-3651)
 - Pinned all dependencies to specific versions for reproducable builds and enable security scanning
 - Allow to install latest version of `urllib3` as transitive dependency
@@ -53,7 +57,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - Added support for 10 new AWS Managed Rules rule groups (AMR)
 - Added support for country and URI configurations in HTTP Flood Athena log parser
 - Added support for user-defined S3 prefix for application access log bucket
-- Added support for CloudWatch log retention period configuration 
+- Added support for CloudWatch log retention period configuration
 - Added support for multiple solution deployments in the same account and region
 - Added support for exporting CloudFormation stack output values
 - Replaced the hard coded amazonaws.com with {AWS::URLSuffix} in BadBotHoneypot API endpoint
@@ -94,9 +98,9 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ### Added
 
 - Added support for configuring oversize handling for requests components
-- Added support for configuring sensitivity level for SQL injection rule 
+- Added support for configuring sensitivity level for SQL injection rule
 
-## [3.2] - 2021-09-22
+## [3.2.0] - 2021-09-22
 
 ### Added
 
@@ -106,15 +110,15 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 - Bug fixes
 
-## [3.1] - 2020-10-22
+## [3.1.0] - 2020-10-22
 
 ### Changed
 
 - Replaced s3 path-style with virtual-hosted style
 - Added partition variable to all ARNs
 - Updated bug report
 
-## [3.0] - 2020-07-08
+## [3.0.0] - 2020-07-08
 
 ### Added
 

NOTICE.txt

@@ -10,45 +10,51 @@ specific language governing permissions and limitations under the License.
 **********************
 THIRD PARTY COMPONENTS
 **********************
+
 This software includes third party software subject to the following copyrights:
 
-freezegun under the Apache Software License
-boto3 under the Apache Software License
-botocore under the Apache Software License
-Mock under the BDS License
-moto under the Apache Software License
-pytest under the MIT License
-pytest-mock under the MIT License
-pytest-cov under the MIT License
-pytest-env under the MIT License
-pyparsing under the MIT License
-pytest-runner under the MIT License
-uuid under the MIT License
-backoff under the MIT License
-requests under the Apache Software License
-certifi under the Mozilla Public License
-charset_normalizer under the Apache Software License
-python-dateutil under the Apache Software License and BSD License
-inda under the BSD License
-urllib3 under the MIT License
-jmespath under the MIT License
-s3transfer under the Apache Software License
-cryptography under the Apache Software License and BSD License
-Werkzeug under the BSD-3-Clause
-xmltodict under the MIT License
-responses under the Apache-2.0
-Jinja2 under the BSD License
-pycparser under the BSD License
-pyyaml under the MIT License
-attrs under the MIT License
-pluggy under the MIT License
-iniconfig under the MIT License
-exceptiongroup under the MIT License
-packaging under the Apache Software License and BSD License
-tomli under the MIT License
-coverage under the Apache Software License
-cffi under the MIT License
-six under the MIT License
-types-PyYAML under the Apache Software License 
-MarkupSafe under the BSD-3-Clause
-typing_extensions under the PSF License and BSD License
+aws-lambda-powertools under the MIT license.
+backoff under the MIT license.
+boto3 under the Apache-2.0 license.
+botocore under the Apache-2.0 license.
+certifi under the MPL-2.0 license.
+cffi under the MIT license.
+charset-normalizer under the MIT license.
+colorama under the 0BSD license.
+coverage under the Apache-2.0 license.
+cryptography under the Apache-2.0 license.
+idna under the 0BSD license.
+iniconfig under the MIT license.
+jinja2 under the 0BSD license.
+jmespath under the MIT license.
+markupsafe under the 0BSD license.
+moto under the Apache-2.0 license.
+packaging under the Apache-2.0 license.
+pluggy under the MIT license.
+pycparser under the 0BSD license.
+pytest under the MIT license.
+pytest-cov under the MIT license.
+pytest-env under the MIT license.
+pytest-mock under the MIT license.
+pytest-runner under the MIT license.
+python-dateutil under the Apache-2.0 license.
+pyyaml under the MIT license.
+requests under the Apache-2.0 license.
+responses under the Apache-2.0 license.
+s3transfer under the Apache-2.0 license.
+six under the MIT license.
+typing-extensions under the PSF-2.0 license.
+urllib3 under the MIT license.
+werkzeug under the 0BSD license.
+xmltodict under the MIT license.
+freezegun under the Apache-2.0 license.
+pyparsing under the MIT license.
+
+********************
+OPEN SOURCE LICENSES
+********************
+
+0BSD - https://spdx.org/licenses/0BSD.html
+Apache-2.0 - https://spdx.org/licenses/Apache-2.0.html
+MPL-2.0 - https://spdx.org/licenses/MPL-2.0.html
+PSF-2.0 - https://spdx.org/licenses/PSF-2.0.html

README.md

@@ -14,7 +14,7 @@
 - [File Structure](#file-structure)
 - [License](#license)
 
-<a name="solution-overview"></a>
+---
 
 # Solution overview
 
@@ -26,14 +26,11 @@ You can install this solution in your AWS accounts by launching the provided AWS
 
 For a detailed solution implementation guide, refer to Solution Landing Page [Security Automations for AWS WAF](https://aws.amazon.com/solutions/implementations/security-automations-for-aws-waf).
 
-<a name="architecture-diagram"></a>
+---
 
 # Architecture diagram
 
-<p align="center">
-  <img src="source/image/architecture_diagram.png">
-  <br/>
-</p>
+![Diagram](source/image/architecture_diagram.png)
 
 *Security Automations for AWS WAF architecture*
 
@@ -49,18 +46,17 @@ The components of this solution can be grouped into the following areas of prote
 * **IP Reputation Lists (H)** – This component is the IP Lists Parser Lambda function that checks third-party IP reputation lists hourly for new ranges to block. These lists include the Spamhaus Don’t Route Or Peer (DROP) and Extended DROP (EDROP) lists, the Proofpoint Emerging Threats IP list, and the Tor exit node list.
 * **Bad Bot (I)** – This component automatically sets up a honeypot, which is a security mechanism intended to lure and deflect an attempted attack. 
 
-<a name="customizing-the-solution"></a>
+---
+
 
 # Customizing the solution
 
-<a name="prerequisites-for-customization"></a>
 
 ## Prerequisites for customization
 
 - [AWS Command Line Interface](https://aws.amazon.com/cli/)
-- Python 3.10
-
-<a name="build"></a>
+- Python 3.12
+- Poetry
 
 ## Build
 
@@ -120,7 +116,6 @@ cd <rootDir>/deployment
 chmod +x ./build-s3-dist.sh && ./build-s3-dist.sh $TEMPLATE_OUTPUT_BUCKET $DIST_OUTPUT_BUCKET $SOLUTION_NAME $VERSION
 ```
 
-<a name="upload-deployment-assets"></a>
 
 ## Upload deployment assets
 
@@ -131,7 +126,6 @@ aws s3 cp ./deployment/regional-s3-assets s3://$DIST_OUTPUT_BUCKET-$AWS_REGION/$
 
 **Note:** You must use a proper ACL and profile for the copy operation as applicable. Using randomized bucket names is recommended.
 
-<a name="deploy"></a>
 
 ## Deploy
 
@@ -140,13 +134,13 @@ aws s3 cp ./deployment/regional-s3-assets s3://$DIST_OUTPUT_BUCKET-$AWS_REGION/$
 
 **Note:** When deploying the template for your CloudFront endpoint, you can launch it only from the `us-east-1` Region.
 
-<a name="file-structure"></a>
+---
 
 # File structure
 
 This project consists of microservices that facilitate the functional areas of the solution. These microservices are deployed to a serverless environment in AWS Lambda.
 
-<pre>
+```
 |-deployment/ [folder containing templates and build scripts]
 |-source/
   |-access_handler/         [microservice for processing bad bots honeypot endpoint access. This AWS Lambda function intercepts the suspicious request and adds the source IP address to the AWS WAF block list]
@@ -158,15 +152,16 @@ This project consists of microservices that facilitate the functional areas of t
   |-log_parser/             [microservice for processing access logs searching for suspicious behavior and add the corresponding source IP addresses to an AWS WAF block list]
   |-reputation_lists_parser/ [microservice for processing third-party IP reputation lists and add malicious IP addresses to an AWS WAF block list]
   |-timer/                   [creates a sleep function for cloudformation to pace the creation of ip_sets]
-</pre>
+```
 
-<a name="Collection of operational metrics"></a>
+---
 
 # Collection of operational metrics
 
 This solution collects anonymized operational metrics to help AWS improve the quality and features of the solution. For more information, including how to disable this capability, please see the [implementation guide](https://docs.aws.amazon.com/solutions/latest/security-automations-for-aws-waf/reference.html).
 
-<a name="license"></a>
+
+---
 
 # License
 

SECURITY.md

@@ -1,8 +1,9 @@
-Reporting Security Issues
--------------------------------------------------------------------------------------------------------------------------------------------------
-We take all security reports seriously. When we receive such reports, we will investigate and
-subsequently address any potential vulnerabilities as quickly as possible. If you discover a potential
-security issue in this project, please notify AWS/Amazon Security via
-our [vulnerability reporting page](http://aws.amazon.com/security/vulnerability-reporting/) or
-directly via email to [AWS Security](mailto:[email protected]). Please do not create a public GitHub issue in this
-project.
+## Reporting Security Issues
+
+We take all security reports seriously. When we receive such reports,
+we will investigate and subsequently address any potential vulnerabilities as 
+quickly as possible. If you discover a potential security issue in this project,
+please notify AWS/Amazon Security via our [vulnerability reporting page]
+(http://aws.amazon.com/security/vulnerability-reporting/) or directly via email 
+to [AWS Security](mailto:[email protected]).
+Please do *not* create a public GitHub issue in this project.

deployment/aws-waf-security-automations-webacl.template

@@ -430,7 +430,7 @@ Resources:
       Code:
         S3Bucket: !Join ['-', [!FindInMap ["SourceCode", "General", "SourceBucket"], !Ref 'AWS::Region']]
         S3Key: !Join ['/', [!FindInMap ["SourceCode", "General", "KeyPrefix"], 'timer.zip']]
-      Runtime: python3.10
+      Runtime: python3.12
       MemorySize: 128
       Timeout: 300
       Environment:

deployment/aws-waf-security-automations.template

@@ -1472,7 +1472,7 @@ Resources:
           LOG_LEVEL: !FindInMap ["Solution", "Data", "LogLevel"]
           SCOPE: !If [AlbEndpoint, 'REGIONAL', 'CLOUDFRONT']
           USER_AGENT_EXTRA: !FindInMap [Solution, UserAgent, UserAgentExtra]
-      Runtime: python3.10
+      Runtime: python3.12
       MemorySize: 128
       Timeout: 300
     Metadata:
@@ -1798,7 +1798,7 @@ Resources:
           METRICS_URL: !FindInMap [Solution, Data, MetricsURL]
           USER_AGENT_EXTRA: !FindInMap [Solution, UserAgent, UserAgentExtra]
           Version: "%VERSION%"
-      Runtime: python3.10
+      Runtime: python3.12
       MemorySize: 512
       Timeout: 300
     Metadata:
@@ -1830,7 +1830,7 @@ Resources:
           KEEP_ORIGINAL_DATA: !Ref KeepDataInOriginalS3Location
           ENDPOINT: !Ref EndpointType
           USER_AGENT_EXTRA: !FindInMap [Solution, UserAgent, UserAgentExtra]
-      Runtime: python3.10
+      Runtime: python3.12
       MemorySize: 512
       Timeout: 300
     Metadata:
@@ -1859,7 +1859,7 @@ Resources:
         Variables:
           LOG_LEVEL: !FindInMap ["Solution", "Data", "LogLevel"]
           USER_AGENT_EXTRA: !FindInMap [Solution, UserAgent, UserAgentExtra]
-      Runtime: python3.10
+      Runtime: python3.12
       MemorySize: 512
       Timeout: 300
     Metadata:
@@ -1892,7 +1892,7 @@ Resources:
           IP_RETENTION_PERIOD_DENIED_MINUTE: !Ref IPRetentionPeriodDeniedParam
           REMOVE_EXPIRED_IP_LAMBDA_ROLE_NAME: !Ref LambdaRoleRemoveExpiredIP
           USER_AGENT_EXTRA: !FindInMap [Solution, UserAgent, UserAgentExtra]
-      Runtime: python3.10
+      Runtime: python3.12
       MemorySize: 128
       Timeout: 300
     Metadata:
@@ -1925,7 +1925,7 @@ Resources:
           METRICS_URL: !FindInMap [Solution, Data, MetricsURL]
           USER_AGENT_EXTRA: !FindInMap [Solution, UserAgent, UserAgentExtra]
           Version: "%VERSION%"
-      Runtime: python3.10
+      Runtime: python3.12
       MemorySize: 512
       Timeout: 300
     Metadata:
@@ -2107,7 +2107,7 @@ Resources:
       Code:
         S3Bucket: !Join ['-', [!FindInMap ["SourceCode", "General", "SourceBucket"], !Ref 'AWS::Region']]
         S3Key: !Join ['/', [!FindInMap ["SourceCode", "General", "KeyPrefix"], 'reputation_lists_parser.zip']]
-      Runtime: python3.10
+      Runtime: python3.12
       MemorySize: 512
       Timeout: 300
       Environment:
@@ -2215,7 +2215,7 @@ Resources:
           STACK_NAME: !Ref 'AWS::StackName'
           USER_AGENT_EXTRA: !FindInMap [Solution, UserAgent, UserAgentExtra]
           Version: "%VERSION%"
-      Runtime: python3.10
+      Runtime: python3.12
       MemorySize: 128
       Timeout: 300
     Metadata:
@@ -2409,7 +2409,7 @@ Resources:
           USER_AGENT_EXTRA: !FindInMap [Solution, UserAgent, UserAgentExtra]
           Version: "%VERSION%"
           UUID: !GetAtt CreateUniqueID.UUID
-      Runtime: python3.10
+      Runtime: python3.12
       MemorySize: 128
       Timeout: 300
     Metadata: