Appendix C: Log Parser JSON file - AWS WAF Security Automations

If you selected Yes - AWS Lambda log parser for the Activate HTTP flood Protection template parameter, this solution creates a configuration file <stack_name>-waf_log_conf.json and uploads it to the Amazon Simple Storage Service (Amazon S3) bucket used to store the AWS WAF log files. To find the bucket name, see the WafLogBucket variable in the AWS CloudFormation output.

Figure 8: Stack Outputs

If you edit and overwrite the <stack_name>-waf_log_conf.json file on Amazon S3, the Log Parser Lambda function will consider the new values when processing new AWS WAF log files. Below is a sample configuration file:

Figure 9: HTTP flood configuration file

Parameters

  • General

    • Request Threshold [required]: the maximum acceptable number of requests per five minutes per IP address. This solution uses the value you define when provisioning/updating the CloudFormation stack.

    • Block Period [required]: the period (in minutes) to block applicable IP addresses. This solution uses the value you define when provisioning/updating the CloudFormation stack.

    • Ignored Suffixes: requests for resources whose URI ends with one of these suffixes (for example, static assets) do not count toward the request threshold. By default, this list is empty.

  • URI List: use this to define a custom request threshold and block period for specific URLs. By default, this list is empty.
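As an added example (not code from the solution itself), the following Python models how a log parser could apply such a configuration to AWS WAF log records: requests are counted per IP address in five-minute windows, ignored suffixes are skipped, and URI List entries get their own threshold and block period. The JSON key names, the assumption that both the general and the URI-specific counters apply to a listed URI, and the sample records are all assumptions constructed for this example.

```python
import json
from collections import defaultdict

# Constructed configuration in the shape this appendix describes.
# Key names (requestThreshold, blockPeriod, ignoredSuffixes, uriList) are
# assumptions, not taken from the solution's actual file.
CONFIG = json.loads("""{
  "general": {"requestThreshold": 100, "blockPeriod": 240,
              "ignoredSuffixes": [".css", ".js", ".png"]},
  "uriList": {"/login": {"requestThreshold": 20, "blockPeriod": 60}}
}""")

def make_records(ip, uri, count, step_ms):
    """Build constructed AWS WAF log records (timestamp in ms, httpRequest subset)."""
    return [{"timestamp": 1700000000000 + i * step_ms,
             "httpRequest": {"clientIp": ip, "uri": uri}} for i in range(count)]

# Constructed sample: a /login burst, a static-asset burst, and a site-wide flood.
LOG_RECORDS = (make_records("198.51.100.7", "/login", 25, 1000)
               + make_records("203.0.113.9", "/static/app.js", 500, 100)
               + make_records("192.0.2.44", "/", 150, 100))

def find_http_flood_offenders(records, config, window_minutes=5):
    """Return {client_ip: block_period_minutes} for IPs that exceed a threshold.
    Requests are bucketed per IP into fixed windows of window_minutes. The general
    threshold counts every non-ignored request; a uriList entry adds a separate
    counter for that exact URI (assumption: both counters apply to such requests).
    """
    general = config["general"]
    ignored = tuple(general.get("ignoredSuffixes", []))
    uri_rules = config.get("uriList", {})
    window_ms = window_minutes * 60 * 1000
    counts = defaultdict(int)  # (ip, rule_key, window_index) -> request count
    for rec in records:
        req = rec["httpRequest"]
        if req["uri"].endswith(ignored):
            continue  # Ignored Suffixes: static assets do not count toward thresholds
        window = rec["timestamp"] // window_ms
        counts[(req["clientIp"], "*", window)] += 1
        if req["uri"] in uri_rules:
            counts[(req["clientIp"], req["uri"], window)] += 1
    offenders = {}
    for (ip, rule_key, _window), n in counts.items():
        rule = general if rule_key == "*" else uri_rules[rule_key]
        if n > rule["requestThreshold"]:
            # If several rules fire for one IP, keep the longest block period.
            offenders[ip] = max(offenders.get(ip, 0), rule["blockPeriod"])
    return offenders
```

Running `find_http_flood_offenders(LOG_RECORDS, CONFIG)` flags the /login burst under its custom rule and the site-wide flood under the general rule, while the static-asset requests are ignored.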

If you selected Yes - AWS Lambda log parser for the Activate Scanner & Probe Protection template parameter, this solution creates a configuration file <stack_name>-waf_log_conf.json and uploads it to the Amazon S3 bucket you defined for storing CloudFront or Application Load Balancer log files.

If you edit and overwrite the <stack_name>-waf_log_conf.json file on Amazon S3, the Log Parser Lambda function will consider the new values when processing new AWS WAF log files. Below is a sample configuration file:

Figure 10: Scanner and Probes configuration file

Parameters

  • General

    • Error Threshold [required]: the maximum acceptable number of requests per minute per IP address. This solution uses the value you define when provisioning/updating the CloudFormation stack.

    • Block Period [required]: the period (in minutes) to block applicable IP addresses. This solution uses the value you define when provisioning/updating the CloudFormation stack.

    • Error Codes: the HTTP response status codes that count as errors. By default, the list considers the following HTTP status codes as errors: 400 (Bad Request), 401 (Unauthorized), 403 (Forbidden), 404 (Not Found), and 405 (Method Not Allowed).

  • URI List: use this to define a custom request threshold and block period for specific URLs. By default, this list is empty.