Update the solution - Security Automations for AWS WAF

Update the solution

If you previously deployed the solution, follow this procedure to update the solution’s CloudFormation stack to get the latest version of the solution’s framework. Before you update the stack, read Update considerations carefully.

  1. Sign in to the AWS CloudFormation console.

  2. Select Stacks in the left navigation menu.

  3. Select your existing aws-waf-security-automations CloudFormation stack.

  4. Choose Update.

  5. Select Replace current template.

  6. Under Specify template:

    1. Select Amazon S3 URL.

    2. Copy the link of the aws-waf-security-automations.template AWS CloudFormation template.

    3. Paste the link in the Amazon S3 URL box.

    4. Verify that the correct template URL shows in the Amazon S3 URL text box.

    5. Choose Next.

    6. Choose Next again.

  7. Under Parameters, review the parameters for the template and modify them as necessary. Refer to Step 1. Launch the stack for details about the parameters.

  8. Choose Next.

  9. On the Configure stack options page, choose Next.

  10. On the Review page, review and confirm the settings.

  11. Select the box acknowledging that the template might create IAM resources.

  12. Choose View change set and verify the changes.

  13. Choose Update stack to deploy the stack.

You can see the status of the stack in the AWS CloudFormation console in the Status column. You should see a status of UPDATE_COMPLETE in approximately 15 minutes.

Update considerations

The following sections provide constraints and considerations for updating this solution.

Resource type update

You must deploy a new stack to update the Endpoint parameter after creating the stack. Don’t change the Endpoint parameter when updating the stack.

WAFV2 upgrade

Starting from version 3.0, this solution supports AWS WAFV2. We replaced all the AWS WAF Classic API calls with AWS WAFV2 API calls. This removes dependencies on Node.js and uses the most up-to-date Python runtime. To continue using this solution with the latest features and improvements, you must deploy version 3.0 or higher as a new stack.

Customizations at stack update

The out-of-box solution deploys a set of AWS WAF rules with default configurations into your AWS account with the CloudFormation stack. We don’t recommend applying customizations to rules deployed by the solution. Stack updates overwrite these changes. If you need customized rules, we recommend creating separate rules outside of the solution.

Note

If you are upgrading from version 3.0 or 3.1 to version 3.2 or newer of this solution, and you have manually inserted IP addresses into the allowed or denied IP set, you will be at risk of losing those IP addresses. To prevent that from happening, make a copy of the IP addresses in the allowed or denied IP set before upgrading the solution. Then after you complete the upgrade, add the IP addresses back to the IP set as needed. Refer to the get-ip-set and update-ip-set CLI commands. If you’re already using version 3.2 or newer, ignore this step.
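
One way to script the copy-and-restore step from the note above with the get-ip-set and update-ip-set commands. This is an added example, not part of the solution or its documentation; the function names are hypothetical, and the IP set name, ID, scope and backup file are values you supply. Because update-ip-set replaces the whole address list, the restore writes the union of the current and saved addresses and passes the lock token so a concurrent change causes a failure instead of being overwritten.

```shell
#!/bin/sh
# Added example: keep manually added addresses in one AWS WAFV2 IP set
# across a stack upgrade. Run once per IP set you edited by hand.
# For --scope CLOUDFRONT the AWS CLI must target the us-east-1 Region.

# Print the set's current addresses, one CIDR per line.
current_addresses() {  # args: name id scope
  out=$(aws wafv2 get-ip-set --name "$1" --id "$2" --scope "$3" \
          --query 'IPSet.Addresses' --output text) || return 1
  # Text output is tab-separated; an empty or null list prints "" or "None".
  printf '%s\n' "$out" | tr '\t' '\n' | sed '/^$/d;/^None$/d' | sort -u
}

# Before the upgrade: save the addresses to a file.
backup_ip_set() {  # args: name id scope backup_file
  current_addresses "$1" "$2" "$3" > "$4.tmp" && mv "$4.tmp" "$4"
}

# Union of the addresses in the set now and the saved ones.
merged_addresses() {  # args: name id scope backup_file
  cur=$(current_addresses "$1" "$2" "$3") || return 1
  { printf '%s\n' "$cur"; cat "$4"; } | sed '/^$/d' | sort -u
}

# After the upgrade: write the merged list back to the IP set.
restore_ip_set() {  # args: name id scope backup_file
  name=$1 id=$2 scope=$3 file=$4
  # Read the lock token first: if the set changes after this point,
  # update-ip-set rejects the stale token instead of overwriting.
  token=$(aws wafv2 get-ip-set --name "$name" --id "$id" --scope "$scope" \
            --query 'LockToken' --output text) || return 1
  merged=$(merged_addresses "$name" "$id" "$scope" "$file") || return 1
  [ -n "$merged" ] || { echo "nothing to restore" >&2; return 0; }
  # Word splitting is intended: CIDRs contain no spaces or glob characters.
  set -- $merged
  aws wafv2 update-ip-set --name "$name" --id "$id" --scope "$scope" \
    --addresses "$@" --lock-token "$token"
}
```

Call `backup_ip_set` before the stack update and `restore_ip_set` with the same arguments after the stack reaches UPDATE_COMPLETE.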