https://github.com/awslabs/anfw-automate
Automate rule management for AWS Network Firewall
Repository
Basic Info
Statistics
- Stars: 15
- Watchers: 4
- Forks: 1
- Open Issues: 0
- Releases: 3
Metadata Files
README.md
Automate AWS Network Firewall Rule Management
An event-based serverless application that automatically performs CRUD operations on AWS Network Firewall rule groups and rules based on distributed configuration files. The application consists of three modules:
VPC (Optional) Creates a VPC from configuration using AWS CodePipeline. Not required if you already have a VPC in the AWS Network Firewall and Application accounts.
Firewall (Optional) Creates AWS Network Firewall endpoints and updates the route tables of the VPCs as configured. This requires a Transit Gateway configured for the account and already attached to the AWS Network Firewall VPC. Not required if you have an existing AWS Network Firewall setup.
Application Creates an event-based serverless application that updates the rules and rule groups attached to the AWS Network Firewall managed by the application. The rules must be maintained in application-managed S3 buckets. There is no limit on the number of distributed configurations; the deployment is driven by those configurations.
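What the Application module has to get right when it writes a rule group is the UpdateToken handshake: Network Firewall rejects an update made with a stale token, and a naive retry with the same token either fails forever or, if the token is refetched blindly, overwrites a change made in between. The following is an added example, not code from anfw-automate, showing an idempotent sync that compares desired against live rules, validates that every line is a Suricata rule with an action the service accepts, and re-reads the token on conflict. The `FakeNetworkFirewall` and `RacyNetworkFirewall` classes, the ARN and the rule lines are constructed for the demonstration; the keyword arguments mirror boto3's `describe_rule_group` and `update_rule_group`.

```python
"""Idempotent sync of an AWS Network Firewall stateful rule group.

Added example, not code from anfw-automate. `client` is anything exposing the
boto3 NetworkFirewall calls describe_rule_group / update_rule_group with their
real keyword arguments; FakeNetworkFirewall is a constructed offline stand-in.
"""
import re

SURICATA_ACTIONS = ("pass", "drop", "alert", "reject")  # actions NFW stateful rules accept


class InvalidTokenException(Exception):
    """Offline stand-in for client.exceptions.InvalidTokenException."""


class FakeNetworkFirewall:
    """Constructed stand-in: one stateful rule group with optimistic locking."""

    def __init__(self, arn, rules_string):
        self.arn, self.rules, self.token, self.updates = arn, rules_string, "tok-1", 0

    def describe_rule_group(self, RuleGroupArn, Type):
        assert RuleGroupArn == self.arn and Type == "STATEFUL"
        return {"UpdateToken": self.token,
                "RuleGroup": {"RulesSource": {"RulesString": self.rules}}}

    def update_rule_group(self, UpdateToken, RuleGroupArn, RuleGroup, Type):
        if UpdateToken != self.token:  # someone else wrote since our describe
            raise InvalidTokenException("stale UpdateToken")
        self.rules = RuleGroup["RulesSource"]["RulesString"]
        self.updates += 1
        self.token = f"tok-{self.updates + 1}"
        return {"UpdateToken": self.token}


class RacyNetworkFirewall(FakeNetworkFirewall):
    """Simulates a concurrent writer: the token changes right after the first describe."""

    def describe_rule_group(self, RuleGroupArn, Type):
        resp = super().describe_rule_group(RuleGroupArn, Type)
        if not getattr(self, "_raced", False):
            self._raced = True
            self.token = "tok-console"  # e.g. an operator edit in the console
        return resp


def normalize(rules_string):
    """Canonical form for comparison: strip whitespace, drop blanks and comments.
    Order is kept, since rule order can matter under strict evaluation."""
    lines = [ln.strip() for ln in rules_string.splitlines()]
    return "\n".join(ln for ln in lines if ln and not ln.startswith("#"))


def validate_rules(rules_string):
    """Reject any line that is not a Suricata rule with an action NFW supports, so a
    malformed line in a distributed config is never pushed to the firewall."""
    action_re = re.compile(r"^(%s)\s" % "|".join(SURICATA_ACTIONS))
    bad = [ln for ln in normalize(rules_string).splitlines() if not action_re.match(ln)]
    if bad:
        raise ValueError(f"unsupported rule line(s): {bad}")


def sync_rule_group(client, arn, desired_rules, retry_on=InvalidTokenException, attempts=3):
    """Bring the rule group to `desired_rules`; returns 'unchanged' or 'updated'.
    On a token conflict it re-reads the UpdateToken (and the live rules) instead of
    retrying with the old one, so a concurrent change is observed, never overwritten unseen.
    With boto3, pass retry_on=client.exceptions.InvalidTokenException."""
    validate_rules(desired_rules)
    desired = normalize(desired_rules)
    for _ in range(attempts):
        current = client.describe_rule_group(RuleGroupArn=arn, Type="STATEFUL")
        if normalize(current["RuleGroup"]["RulesSource"]["RulesString"]) == desired:
            return "unchanged"
        try:
            client.update_rule_group(UpdateToken=current["UpdateToken"], RuleGroupArn=arn,
                                     RuleGroup={"RulesSource": {"RulesString": desired}},
                                     Type="STATEFUL")
            return "updated"
        except retry_on:
            continue  # token went stale; loop re-reads it
    raise RuntimeError(f"gave up after {attempts} token conflicts on {arn}")


# Constructed sample data for the demonstration.
ARN = "arn:aws:network-firewall:eu-central-1:111122223333:stateful-rulegroup/example"
LIVE = 'drop tcp any any -> any 23 (msg:"block telnet"; sid:1000001; rev:1;)\n'
WANTED = LIVE + 'drop tcp any any -> any 3389 (msg:"block rdp"; sid:1000002; rev:1;)\n'

if __name__ == "__main__":
    fw = RacyNetworkFirewall(ARN, LIVE)
    print(sync_rule_group(fw, ARN, WANTED), fw.updates)
```

Against a real client, pass `retry_on=client.exceptions.InvalidTokenException`, and carry `RuleVariables` and `StatefulRuleOptions` from the describe response into the `RuleGroup` argument if the group uses them, because `update_rule_group` replaces the whole rule group definition.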
PRE-REQUISITES
- At least two AWS accounts are required, as follows:
  - Application Account (Dev): to deploy any of the modules above in a development environment.
  - Resource Account: to deploy the CI/CD pipeline for application deployment.
  NOTE: Add more Application accounts, one per environment, to ensure appropriate resource isolation.
- Other optional AWS accounts may be required depending on your setup:
  - Delegated Admin Account: to manage spoke accounts using StackSets.
  - Spoke Account: to test the application by mocking a customer with a distributed AWS Network Firewall configuration.
DEPLOYMENT
PREPARE
- Install npm
- Create `deploy_vars.sh` in the root of the repository using the following template. Not all parameters are required; add or delete parameters based on your AWS account setup.
NOTE: The STAGE and AWS_REGION parameters are mandatory. The deployment loads configuration and names the resources created by all CDK stacks using these variables. Treat the `STAGE` variable as representing your application environment, i.e. dev, pre-prod, prod, etc.
```bash
#!/bin/bash
# Resource Account configuration
export ACCOUNT_RES=111122223333; export RES_ACCOUNT_AWS_PROFILE=deployer+res;
# Prod Application Account configuration
export ACCOUNT_PROD=222233334444; export PROD_ACCOUNT_AWS_PROFILE=deployer+app;
# Delegated Admin Account configuration
export ACCOUNT_DELEGATED_ADMIN=333344445555; export DELEGATED_ADMIN_ACCOUNT_AWS_PROFILE=admin+dadmin;
# Configure deployment
export AWS_PROFILE=${RES_ACCOUNT_AWS_PROFILE}
export STAGE=xxx
export AWS_REGION=xx-yyyy-1
```
- Create a file in the [conf](conf/) folder matching the name of the `STAGE` variable. This configuration is the global configuration used by all the stacks.
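Because the CDK stacks name and scope every resource from these variables, a typo here, or a placeholder left in, deploys into the wrong account or under the wrong stage. The following is an added example, not part of anfw-automate: a small Python check to run against deploy_vars.sh before sourcing it. It assumes the naming convention of the template above (variables beginning with `ACCOUNT` hold account IDs, names containing `PROFILE` hold AWS CLI profiles) and the `xxx`/`xx-yyyy-1` placeholders; the stage naming rule is likewise an assumption, and the sample files in the usage are constructed.

```python
"""Sanity checks for deploy_vars.sh before it is sourced.

Added example, not part of anfw-automate. Assumed conventions, taken from the
template above: an exported name starting with ACCOUNT is an AWS account ID, a
name containing PROFILE is an AWS CLI profile, and "xxx" / "xx-yyyy-1" are the
template placeholders. The STAGE naming rule is also an assumption.
"""
import re
import sys

EXPORT_RE = re.compile(r"export\s+([A-Za-z_][A-Za-z0-9_]*)=([^;\s]*)")  # unquoted values only
REF_RE = re.compile(r"\$\{([A-Za-z_][A-Za-z0-9_]*)\}|\$([A-Za-z_][A-Za-z0-9_]*)")
COMMENT_RE = re.compile(r"(^|\s)#.*$")
ACCOUNT_ID_RE = re.compile(r"^\d{12}$")
REGION_RE = re.compile(r"^(us-gov|us|eu|ap|ca|sa|me|af|il|cn)-[a-z]+-\d$")
STAGE_RE = re.compile(r"^[a-z][a-z0-9-]{0,15}$")  # assumed rule for stage names
PLACEHOLDERS = {"xxx", "xx-yyyy-1"}  # values left over from the template


def parse_exports(text):
    """Collect `export NAME=VALUE` assignments (several per line allowed), expanding
    ${NAME} / $NAME references to variables exported earlier in the file."""
    env = {}
    for raw in text.splitlines():
        line = COMMENT_RE.sub("", raw)  # also drops the shebang line
        for name, value in EXPORT_RE.findall(line):
            value = value.strip("\"'")
            value = REF_RE.sub(lambda m: env.get(m.group(1) or m.group(2), ""), value)
            env[name] = value
    return env


def check_deploy_vars(text):
    """Return a list of problems; an empty list means the file is safe to source."""
    env = parse_exports(text)
    problems = []
    for key, pattern in (("STAGE", STAGE_RE), ("AWS_REGION", REGION_RE)):
        value = env.get(key, "")
        if not value:
            problems.append(f"{key} is mandatory but missing or empty")
        elif value in PLACEHOLDERS:
            problems.append(f"{key} still holds the template placeholder {value!r}")
        elif not pattern.match(value):
            problems.append(f"{key}={value!r} has an unexpected format")
    owners = {}
    for name, value in env.items():
        if name.startswith("ACCOUNT"):
            if not ACCOUNT_ID_RE.match(value):
                problems.append(f"{name}={value!r} is not a 12-digit account ID")
            elif value in owners:  # one account playing two roles: no isolation
                problems.append(f"{name} reuses the account of {owners[value]}; use separate accounts")
            else:
                owners[value] = name
        elif "PROFILE" in name and not value:
            # An empty profile makes the CLI/CDK fall back to default credentials,
            # i.e. whichever account the operator happens to be logged into.
            problems.append(f"{name} is empty; deployment would use default credentials")
    return problems


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else "deploy_vars.sh"
    with open(path) as fh:
        found = check_deploy_vars(fh.read())
    print("\n".join(found) or f"{path}: OK")
    sys.exit(1 if found else 0)
```

Run it as `python check_deploy_vars.py deploy_vars.sh` from the repository root; a non-zero exit is meant to stop a deployment wrapper before `source deploy_vars.sh`.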
DEPLOY
Proceed to deploy the necessary modules by following their respective README sections:
- app
- firewall
- vpc
Other Useful commands
| Command | Description |
|-----------------|------------------------------------------------------|
| `npm run build` | compile TypeScript to JS |
| `npm run watch` | watch for changes and compile |
| `npm run test` | perform the Jest unit tests |
| `cdk deploy` | deploy this stack to your default AWS account/region |
| `cdk diff` | compare deployed stack with current state |
| `cdk synth` | emit the synthesized CloudFormation template |
DEPENDENCIES
The following dependencies are needed to build the project. These packages are not part of the solution.
Python dependencies
| Package | Version |
|------------------------|----------|
| aws-lambda-powertools | ^2.25.1 |
| aws-xray-sdk | ^2.12.0 |
| jsonschema | ^4.19.1 |
| python | ^3.11 |
| pyyaml | ^6.0.1 |
| requests | ^2.31.0 |
| pytest | ^8.0.2 |
| bandit | ^1.7.7 |
| pip-audit | ^2.7.2 |
| pip-licenses | ^4.3.4 |
| boto3 | ^1.34.52 |
| cfnresponse | ^1.1.2 |
Typescript dependencies
| Package | Version |
|-----------------------------------|------------------|
| @types/jest | ^29.5.12 |
| @types/node | 20.11.30 |
| aws-cdk | 2.135.0 |
| jest | ^29.7.0 |
| ts-jest | ^29.1.2 |
| ts-node | ^10.9.2 |
| typescript | ~5.4.3 |
| @aws-cdk/aws-lambda-python-alpha | ^2.135.0-alpha.0 |
| aws-cdk-lib | 2.135.0 |
| cdk-nag | ^2.28.82 |
| constructs | ^10.0.0 |
| source-map-support | ^0.5.21 |
| ajv | ^8.12.0 |
| ajv-formats | ^3.0.1 |
APPENDIX
Please refer to the GLOSSARY before creating any configuration files.
Security
See CONTRIBUTING for more information.
License
This project is licensed under the Apache-2.0 License.
Owner
- Name: Amazon Web Services - Labs
- Login: awslabs
- Kind: organization
- Location: Seattle, WA
- Website: http://amazon.com/aws/
- Repositories: 914
- Profile: https://github.com/awslabs
GitHub Events
Total
- Watch event: 3
- Delete event: 12
- Issue comment event: 1
- Push event: 9
- Pull request review event: 2
- Pull request event: 15
- Fork event: 1
- Create event: 7
Last Year
- Watch event: 3
- Delete event: 12
- Issue comment event: 1
- Push event: 9
- Pull request review event: 2
- Pull request event: 15
- Fork event: 1
- Create event: 7
Issues and Pull Requests
Last synced: 10 months ago
All Time
- Total issues: 0
- Total pull requests: 21
- Average time to close issues: N/A
- Average time to close pull requests: 6 days
- Total issue authors: 0
- Total pull request authors: 3
- Average comments per issue: 0
- Average comments per pull request: 0.05
- Merged pull requests: 16
- Bot issues: 0
- Bot pull requests: 17
Past Year
- Issues: 0
- Pull requests: 10
- Average time to close issues: N/A
- Average time to close pull requests: 16 days
- Issue authors: 0
- Pull request authors: 1
- Average comments per issue: 0
- Average comments per pull request: 0.0
- Merged pull requests: 6
- Bot issues: 0
- Bot pull requests: 10
Top Authors
Issue Authors
Pull Request Authors
- dependabot[bot] (27)
- ajusec (5)
- sbidy (2)
Dependencies
- 344 dependencies
- @types/jest ^29.5.4 development
- @types/node 20.5.7 development
- aws-cdk 2.94.0 development
- jest ^29.6.4 development
- ts-jest ^29.1.1 development
- ts-node ^10.9.1 development
- typescript ~5.2.2 development
- @aws-cdk/aws-lambda-python-alpha ^2.97.0-alpha.0
- ajv ^8.12.0
- aws-cdk-lib ^2.94.0
- cdk ^2.97.0
- cdk-nag ^2.27.137
- constructs ^10.0.0
- fs ^0.0.1-security
- source-map-support ^0.5.21
- attrs 23.1.0
- aws-lambda-powertools 2.26.1
- aws-xray-sdk 2.12.1
- bandit 1.7.5
- boolean-py 4.0
- botocore 1.32.0
- cachecontrol 0.13.1
- certifi 2023.7.22
- charset-normalizer 3.3.2
- colorama 0.4.6
- cyclonedx-python-lib 4.2.3
- defusedxml 0.7.1
- filelock 3.13.1
- gitdb 4.0.11
- gitpython 3.1.41
- html5lib 1.1
- idna 3.4
- jmespath 1.0.1
- jsonschema 4.19.2
- jsonschema-specifications 2023.11.1
- license-expression 30.1.1
- markdown-it-py 3.0.0
- mdurl 0.1.2
- msgpack 1.0.7
- packageurl-python 0.11.2
- packaging 23.2
- pbr 6.0.0
- pip 23.3.1
- pip-api 0.0.30
- pip-audit 2.6.1
- pip-licenses 4.3.3
- pip-requirements-parser 32.0.1
- prettytable 3.9.0
- py-serializable 0.11.1
- pygments 2.16.1
- pyparsing 3.1.1
- python-dateutil 2.8.2
- pyyaml 6.0.1
- referencing 0.31.0
- requests 2.31.0
- rich 13.6.0
- rpds-py 0.12.0
- six 1.16.0
- smmap 5.0.1
- sortedcontainers 2.4.0
- stevedore 5.1.0
- toml 0.10.2
- typing-extensions 4.8.0
- urllib3 2.0.7
- wcwidth 0.2.10
- webencodings 0.5.1
- wrapt 1.16.0
- pip-licenses ^4.3.3 develop
- aws-lambda-powertools ^2.25.1
- aws-xray-sdk ^2.12.0
- bandit ^1.7.5
- jsonschema ^4.19.1
- pip-audit ^2.6.1
- pip-licenses ^4.3.3
- python ^3.11
- pyyaml ^6.0.1
- requests ^2.31.0
- bandit 1.7.5
- boolean-py 4.0
- cachecontrol 0.13.1
- certifi 2023.7.22
- cfnresponse 1.1.2
- charset-normalizer 3.3.2
- colorama 0.4.6
- cyclonedx-python-lib 4.2.3
- defusedxml 0.7.1
- filelock 3.13.1
- gitdb 4.0.11
- gitpython 3.1.41
- html5lib 1.1
- idna 3.4
- license-expression 30.1.1
- markdown-it-py 3.0.0
- mdurl 0.1.2
- msgpack 1.0.7
- packageurl-python 0.11.2
- packaging 23.2
- pbr 6.0.0
- pip 23.3.1
- pip-api 0.0.30
- pip-audit 2.6.1
- pip-licenses 4.3.3
- pip-requirements-parser 32.0.1
- prettytable 3.9.0
- py-serializable 0.11.1
- pygments 2.16.1
- pyparsing 3.1.1
- pyyaml 6.0.1
- requests 2.31.0
- rich 13.6.0
- six 1.16.0
- smmap 5.0.1
- sortedcontainers 2.4.0
- stevedore 5.1.0
- toml 0.10.2
- urllib3 2.1.0
- wcwidth 0.2.10
- webencodings 0.5.1
- pip-licenses ^4.3.3 develop
- bandit ^1.7.5
- cfnresponse ^1.1.2
- pip-audit ^2.6.1
- pip-licenses ^4.3.3
- python ^3.11
- bandit 1.7.5
- boolean-py 4.0
- cachecontrol 0.13.1
- certifi 2023.7.22
- cfnresponse 1.1.2
- charset-normalizer 3.3.2
- colorama 0.4.6
- cyclonedx-python-lib 4.2.3
- defusedxml 0.7.1
- filelock 3.13.1
- gitdb 4.0.11
- gitpython 3.1.41
- html5lib 1.1
- idna 3.4
- license-expression 30.1.1
- markdown-it-py 3.0.0
- mdurl 0.1.2
- msgpack 1.0.7
- packageurl-python 0.11.2
- packaging 23.2
- pbr 6.0.0
- pip 23.3.1
- pip-api 0.0.30
- pip-audit 2.6.1
- pip-licenses 4.3.3
- pip-requirements-parser 32.0.1
- prettytable 3.9.0
- py-serializable 0.11.1
- pygments 2.16.1
- pyparsing 3.1.1
- pyyaml 6.0.1
- requests 2.31.0
- rich 13.6.0
- six 1.16.0
- smmap 5.0.1
- sortedcontainers 2.4.0
- stevedore 5.1.0
- toml 0.10.2
- urllib3 2.1.0
- wcwidth 0.2.10
- webencodings 0.5.1
- pip-licenses ^4.3.3 develop
- bandit ^1.7.5
- cfnresponse ^1.1.2
- pip-audit ^2.6.1
- pip-licenses ^4.3.3
- python ^3.11