https://github.com/awslabs/anfw-automate

Automate rule management for AWS Network Firewall


Science Score: 26.0%

This score indicates how likely this project is to be science-related based on various indicators:

  • CITATION.cff file
  • codemeta.json file
    Found codemeta.json file
  • .zenodo.json file
    Found .zenodo.json file
  • DOI references
  • Academic publication links
  • Academic email domains
  • Institutional organization owner
  • JOSS paper metadata
  • Scientific vocabulary similarity
    Low similarity (8.3%) to scientific vocabulary
Last synced: 10 months ago

Repository

Automate rule management for AWS Network Firewall

Basic Info
  • Host: GitHub
  • Owner: awslabs
  • License: apache-2.0
  • Language: Python
  • Default Branch: main
  • Homepage:
  • Size: 521 KB
Statistics
  • Stars: 15
  • Watchers: 4
  • Forks: 1
  • Open Issues: 0
  • Releases: 3
Created over 2 years ago · Last pushed 11 months ago
Metadata Files
Readme Changelog Contributing License Code of conduct

README.md

Automate AWS Network Firewall Rule Management

An event-based serverless application that automatically performs CRUD operations on AWS Network Firewall rule groups and rules based on distributed configuration files. The application consists of three modules:

  1. VPC (Optional) Creates a VPC based on configuration using AWS CodePipeline. Not required if you already have an existing VPC in the AWS Network Firewall account and the Application account.

  2. Firewall (Optional) Creates AWS Network Firewall endpoints and updates the routing tables of VPCs as configured. This requires a Transit Gateway to be configured for the account and already attached to the AWS Network Firewall VPC. Not required if you have an existing AWS Network Firewall setup.

  3. Application Creates an event-based serverless application that updates the rules and rule groups attached to the AWS Network Firewall managed by the application. The rules must be maintained in application-managed S3 buckets. There is no limit on the number of distributed configurations. The deployment is based on the configurations.

PRE-REQUISITES

  • At least two AWS Accounts are required, as follows:
    • Application Account (Dev) - to deploy any of the modules above in a development environment.
    • Resource Account - to deploy the CI/CD pipeline for application deployment.

NOTE: Please add more Application accounts, one per environment, to ensure appropriate resource isolation.

  • Other optional AWS Accounts are required depending upon your setup:
    • Delegated Admin Account - to manage spoke accounts using StackSets.
    • Spoke Account - to test the application by mocking a customer with a distributed AWS Network Firewall configuration.

DEPLOYMENT

PREPARE

  • Install npm
  • Create `deploy_vars.sh` in the root of the repository using the following template. Not all parameters are required; add or delete parameters based on your AWS Account setup.

NOTE: The `STAGE` and `AWS_REGION` parameters are mandatory. The deployment loads configuration and names the resources created by all CDK stacks using these variables. Consider the `STAGE` variable as representing your application environment, e.g. dev, pre-prod, prod, etc.

```bash
#!/bin/bash

# Resource Account configuration
export ACCOUNT_RES=111122223333; export RES_ACCOUNT_AWS_PROFILE=deployer+res;

# Prod Application Account configuration
export ACCOUNT_PROD=222233334444; export PROD_ACCOUNT_AWS_PROFILE=deployer+app;

# Delegated Admin Account configuration
export ACCOUNT_DELEGATED_ADMIN=333344445555; export DELEGATED_ADMIN_ACCOUNT_AWS_PROFILE=admin+dadmin;

# Configure deployment
export AWS_PROFILE=${RES_ACCOUNT_AWS_PROFILE}
export STAGE=xxx
export AWS_REGION=xx-yyyy-1
```

  • Create a file named `<STAGE>.json` in the [conf](conf/) folder, matching the value of the `STAGE` variable. This configuration is the global configuration used by all the stacks.
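The README states that `STAGE` and `AWS_REGION` are mandatory and that every stack reads the global configuration from `conf/<STAGE>.json`. A missing or malformed value surfaces only midway through a CDK deployment, so a preflight check before `cdk deploy` is worth having. The script below is an added example and not part of the anfw-automate repository; it sources a `deploy_vars.sh`, verifies the mandatory variables, checks that the stage configuration file exists and parses as JSON (when `python3` is on the PATH), and sanity-checks the format of an AWS account id. The `preflight`, `check_mandatory_vars`, `check_stage_config` and `check_account_id` function names are hypothetical, and the 12-digit account-id rule is an assumption about the format of AWS account ids rather than something the README specifies.

```bash
#!/bin/sh
# Added example (not from the anfw-automate project): preflight checks for deploy_vars.sh.
# All function names here are hypothetical helpers written for this example.

# Returns 0 when every named variable is set and non-empty, 1 otherwise.
# Usage: check_mandatory_vars STAGE AWS_REGION ...
check_mandatory_vars() {
  missing=0
  for name in "$@"; do
    # POSIX-compatible indirect lookup of the variable named in $name
    eval "value=\${$name:-}"
    if [ -z "$value" ]; then
      echo "missing mandatory variable: $name" >&2
      missing=1
    fi
  done
  return "$missing"
}

# Checks that conf/<STAGE>.json exists, is non-empty and (if python3 is available) is valid JSON.
# $1 = stage name, $2 = configuration directory (defaults to ./conf)
check_stage_config() {
  stage="$1"
  conf_dir="${2:-conf}"
  file="$conf_dir/$stage.json"
  if [ ! -s "$file" ]; then
    echo "stage configuration not found or empty: $file" >&2
    return 1
  fi
  if command -v python3 >/dev/null 2>&1; then
    if ! python3 -c 'import json, sys; json.load(open(sys.argv[1]))' "$file" 2>/dev/null; then
      echo "stage configuration is not valid JSON: $file" >&2
      return 1
    fi
  fi
  return 0
}

# Assumption for this example: an AWS account id is exactly 12 decimal digits.
check_account_id() {
  case "$1" in
    [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]) return 0 ;;
    *) echo "invalid AWS account id: '$1'" >&2; return 1 ;;
  esac
}

# Runs all checks. $1 = path to deploy_vars.sh, $2 = configuration directory.
preflight() {
  vars_file="${1:-deploy_vars.sh}"
  conf_dir="${2:-conf}"
  [ -f "$vars_file" ] || { echo "missing $vars_file" >&2; return 1; }
  # A bare filename would make '.' search $PATH in POSIX sh, so force a relative path.
  case "$vars_file" in
    */*) ;;
    *) vars_file="./$vars_file" ;;
  esac
  . "$vars_file"
  check_mandatory_vars STAGE AWS_REGION || return 1
  check_account_id "${ACCOUNT_RES:-}" || return 1
  check_stage_config "$STAGE" "$conf_dir"
}

# Stand-alone usage: run the checks from the repository root before 'cdk deploy'.
# preflight deploy_vars.sh conf
```

Because the script sources `deploy_vars.sh`, run it in a subshell (or as a separate process) if you do not want the exported variables to leak into the calling shell; `cdk deploy` itself still needs them exported, which is why the template above uses `export`.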

DEPLOY

Proceed to deploy the necessary modules by following their respective README sections:

  • app
  • firewall
  • vpc

Other Useful commands

  • `npm run build` - compile TypeScript to JS
  • `npm run watch` - watch for changes and compile
  • `npm run test` - perform the Jest unit tests
  • `cdk deploy` - deploy this stack to your default AWS account/region
  • `cdk diff` - compare the deployed stack with the current state
  • `cdk synth` - emit the synthesized CloudFormation template

DEPENDENCIES

This list of dependencies is needed to build the project. These packages are not part of the solution.

Python dependencies

| Package | Version |
|------------------------|----------|
| aws-lambda-powertools | ^2.25.1 |
| aws-xray-sdk | ^2.12.0 |
| jsonschema | ^4.19.1 |
| python | ^3.11 |
| pyyaml | ^6.0.1 |
| requests | ^2.31.0 |
| pytest | ^8.0.2 |
| bandit | ^1.7.7 |
| pip-audit | ^2.7.2 |
| pip-licenses | ^4.3.4 |
| boto3 | ^1.34.52 |
| cfnresponse | ^1.1.2 |

Typescript dependencies

| Package | Version |
|-----------------------------------|---------------|
| @types/jest | ^29.5.12 |
| @types/node | 20.11.30 |
| aws-cdk | 2.135.0 |
| jest | ^29.7.0 |
| ts-jest | ^29.1.2 |
| ts-node | ^10.9.2 |
| typescript | ~5.4.3 |
| @aws-cdk/aws-lambda-python-alpha | ^2.135.0-alpha.0 |
| aws-cdk-lib | 2.135.0 |
| cdk-nag | ^2.28.82 |
| constructs | ^10.0.0 |
| source-map-support | ^0.5.21 |
| ajv | ^8.12.0 |
| ajv-formats | ^3.0.1 |

APPENDIX

Please refer to the GLOSSARY before creating any configuration files.

Security

See CONTRIBUTING for more information.

License

This project is licensed under the Apache-2.0 License.

Owner

  • Name: Amazon Web Services - Labs
  • Login: awslabs
  • Kind: organization
  • Location: Seattle, WA

AWS Labs

GitHub Events

Total
  • Watch event: 3
  • Delete event: 12
  • Issue comment event: 1
  • Push event: 9
  • Pull request review event: 2
  • Pull request event: 15
  • Fork event: 1
  • Create event: 7
Last Year
  • Watch event: 3
  • Delete event: 12
  • Issue comment event: 1
  • Push event: 9
  • Pull request review event: 2
  • Pull request event: 15
  • Fork event: 1
  • Create event: 7

Issues and Pull Requests

Last synced: 10 months ago

All Time
  • Total issues: 0
  • Total pull requests: 21
  • Average time to close issues: N/A
  • Average time to close pull requests: 6 days
  • Total issue authors: 0
  • Total pull request authors: 3
  • Average comments per issue: 0
  • Average comments per pull request: 0.05
  • Merged pull requests: 16
  • Bot issues: 0
  • Bot pull requests: 17
Past Year
  • Issues: 0
  • Pull requests: 10
  • Average time to close issues: N/A
  • Average time to close pull requests: 16 days
  • Issue authors: 0
  • Pull request authors: 1
  • Average comments per issue: 0
  • Average comments per pull request: 0.0
  • Merged pull requests: 6
  • Bot issues: 0
  • Bot pull requests: 10
Top Authors
Issue Authors
Pull Request Authors
  • dependabot[bot] (27)
  • ajusec (5)
  • sbidy (2)
Top Labels
Issue Labels
Pull Request Labels
dependencies (27) javascript (8) python (6)

Dependencies

package-lock.json npm
  • 344 dependencies
package.json npm
  • @types/jest ^29.5.4 development
  • @types/node 20.5.7 development
  • aws-cdk 2.94.0 development
  • jest ^29.6.4 development
  • ts-jest ^29.1.1 development
  • ts-node ^10.9.1 development
  • typescript ~5.2.2 development
  • @aws-cdk/aws-lambda-python-alpha ^2.97.0-alpha.0
  • ajv ^8.12.0
  • aws-cdk-lib ^2.94.0
  • cdk ^2.97.0
  • cdk-nag ^2.27.137
  • constructs ^10.0.0
  • fs ^0.0.1-security
  • source-map-support ^0.5.21
app/poetry.lock pypi
  • attrs 23.1.0
  • aws-lambda-powertools 2.26.1
  • aws-xray-sdk 2.12.1
  • bandit 1.7.5
  • boolean-py 4.0
  • botocore 1.32.0
  • cachecontrol 0.13.1
  • certifi 2023.7.22
  • charset-normalizer 3.3.2
  • colorama 0.4.6
  • cyclonedx-python-lib 4.2.3
  • defusedxml 0.7.1
  • filelock 3.13.1
  • gitdb 4.0.11
  • gitpython 3.1.41
  • html5lib 1.1
  • idna 3.4
  • jmespath 1.0.1
  • jsonschema 4.19.2
  • jsonschema-specifications 2023.11.1
  • license-expression 30.1.1
  • markdown-it-py 3.0.0
  • mdurl 0.1.2
  • msgpack 1.0.7
  • packageurl-python 0.11.2
  • packaging 23.2
  • pbr 6.0.0
  • pip 23.3.1
  • pip-api 0.0.30
  • pip-audit 2.6.1
  • pip-licenses 4.3.3
  • pip-requirements-parser 32.0.1
  • prettytable 3.9.0
  • py-serializable 0.11.1
  • pygments 2.16.1
  • pyparsing 3.1.1
  • python-dateutil 2.8.2
  • pyyaml 6.0.1
  • referencing 0.31.0
  • requests 2.31.0
  • rich 13.6.0
  • rpds-py 0.12.0
  • six 1.16.0
  • smmap 5.0.1
  • sortedcontainers 2.4.0
  • stevedore 5.1.0
  • toml 0.10.2
  • typing-extensions 4.8.0
  • urllib3 2.0.7
  • wcwidth 0.2.10
  • webencodings 0.5.1
  • wrapt 1.16.0
app/pyproject.toml pypi
  • pip-licenses ^4.3.3 develop
  • aws-lambda-powertools ^2.25.1
  • aws-xray-sdk ^2.12.0
  • bandit ^1.7.5
  • jsonschema ^4.19.1
  • pip-audit ^2.6.1
  • pip-licenses ^4.3.3
  • python ^3.11
  • pyyaml ^6.0.1
  • requests ^2.31.0
lambda/delete_routes/poetry.lock pypi
  • bandit 1.7.5
  • boolean-py 4.0
  • cachecontrol 0.13.1
  • certifi 2023.7.22
  • cfnresponse 1.1.2
  • charset-normalizer 3.3.2
  • colorama 0.4.6
  • cyclonedx-python-lib 4.2.3
  • defusedxml 0.7.1
  • filelock 3.13.1
  • gitdb 4.0.11
  • gitpython 3.1.41
  • html5lib 1.1
  • idna 3.4
  • license-expression 30.1.1
  • markdown-it-py 3.0.0
  • mdurl 0.1.2
  • msgpack 1.0.7
  • packageurl-python 0.11.2
  • packaging 23.2
  • pbr 6.0.0
  • pip 23.3.1
  • pip-api 0.0.30
  • pip-audit 2.6.1
  • pip-licenses 4.3.3
  • pip-requirements-parser 32.0.1
  • prettytable 3.9.0
  • py-serializable 0.11.1
  • pygments 2.16.1
  • pyparsing 3.1.1
  • pyyaml 6.0.1
  • requests 2.31.0
  • rich 13.6.0
  • six 1.16.0
  • smmap 5.0.1
  • sortedcontainers 2.4.0
  • stevedore 5.1.0
  • toml 0.10.2
  • urllib3 2.1.0
  • wcwidth 0.2.10
  • webencodings 0.5.1
lambda/delete_routes/pyproject.toml pypi
  • pip-licenses ^4.3.3 develop
  • bandit ^1.7.5
  • cfnresponse ^1.1.2
  • pip-audit ^2.6.1
  • pip-licenses ^4.3.3
  • python ^3.11
lambda/fetch_vpc_endpoints/poetry.lock pypi
  • bandit 1.7.5
  • boolean-py 4.0
  • cachecontrol 0.13.1
  • certifi 2023.7.22
  • cfnresponse 1.1.2
  • charset-normalizer 3.3.2
  • colorama 0.4.6
  • cyclonedx-python-lib 4.2.3
  • defusedxml 0.7.1
  • filelock 3.13.1
  • gitdb 4.0.11
  • gitpython 3.1.41
  • html5lib 1.1
  • idna 3.4
  • license-expression 30.1.1
  • markdown-it-py 3.0.0
  • mdurl 0.1.2
  • msgpack 1.0.7
  • packageurl-python 0.11.2
  • packaging 23.2
  • pbr 6.0.0
  • pip 23.3.1
  • pip-api 0.0.30
  • pip-audit 2.6.1
  • pip-licenses 4.3.3
  • pip-requirements-parser 32.0.1
  • prettytable 3.9.0
  • py-serializable 0.11.1
  • pygments 2.16.1
  • pyparsing 3.1.1
  • pyyaml 6.0.1
  • requests 2.31.0
  • rich 13.6.0
  • six 1.16.0
  • smmap 5.0.1
  • sortedcontainers 2.4.0
  • stevedore 5.1.0
  • toml 0.10.2
  • urllib3 2.1.0
  • wcwidth 0.2.10
  • webencodings 0.5.1
lambda/fetch_vpc_endpoints/pyproject.toml pypi
  • pip-licenses ^4.3.3 develop
  • bandit ^1.7.5
  • cfnresponse ^1.1.2
  • pip-audit ^2.6.1
  • pip-licenses ^4.3.3
  • python ^3.11