SPIKE: Revisit programmatic application of AWS Shield Advanced #2112

Closed
4 tasks done
dms1981 opened this issue Aug 10, 2022 · 2 comments
Labels
enhancement New feature or request

Comments


dms1981 commented Aug 10, 2022

User Story

As a modernisation platform engineer
I want to programmatically apply AWS Shield Advanced
So that I remove manual steps, reducing workload and enforcing consistency

User Type(s)

Modernisation Platform Customer

Value

Given that aws_shield_protection exists as a Terraform resource, we should evaluate if we can make use of it to provide protection to resources in production accounts. We have steps to do so manually, but given our GitOps and Infrastructure-as-Code approach, we should assess if we can carry out these manual steps with automation.

Questions / Assumptions / Hypothesis

Proposal

Definition of done

  • [x] suitable timebox established
  • [x] mapping of manual actions to automated actions created
  • [x] any missing actions identified
  • [x] assessment on if we can automate this through terraform made

Reference

How to write good user stories
Enabling AWS Shield Advanced
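
The Terraform the story asks about, as an added example rather than the Modernisation Platform's own code: it puts aws_shield_protection on an ALB and an Elastic IP, and wires the Shield Advanced DDoSDetected metric to an SNS topic so that the "CloudWatch alarm & SNS notification" step is also code. The Shield Advanced subscription itself is account-level and is assumed to have been enabled already (the manual step in the linked runbook); aws_lb.app, aws_eip.nat and the alert_email variable are assumed names.

```hcl
# Added example, not the Modernisation Platform's own code. Assumes the
# account's Shield Advanced subscription is already enabled, and that an ALB
# (aws_lb.app) and an Elastic IP (aws_eip.nat) already exist in this config.

variable "alert_email" {
  type = string # assumed input: mailbox that receives DDoS alarms
}

data "aws_region" "current" {}
data "aws_caller_identity" "current" {}

locals {
  # Protected resources keyed by a stable name; add entries to extend coverage.
  # Shield expects the EIP's ARN (eip-allocation/<allocation-id>), not its ID.
  protected = {
    app-alb = aws_lb.app.arn
    nat-eip = "arn:aws:ec2:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:eip-allocation/${aws_eip.nat.id}"
  }
}

# One Shield Advanced protection per entry in local.protected.
resource "aws_shield_protection" "this" {
  for_each     = local.protected
  name         = each.key
  resource_arn = each.value
}

resource "aws_sns_topic" "ddos_alerts" {
  name = "shield-ddos-alerts"
}

resource "aws_sns_topic_subscription" "ddos_alerts_email" {
  topic_arn = aws_sns_topic.ddos_alerts.arn
  protocol  = "email"
  endpoint  = var.alert_email # the subscription must be confirmed from the mailbox
}

# Shield Advanced publishes DDoSDetected (1 while an event is in progress) per
# protected resource. One alarm per protection, both alarm and OK to the topic.
resource "aws_cloudwatch_metric_alarm" "ddos_detected" {
  for_each            = aws_shield_protection.this
  alarm_name          = "shield-ddos-detected-${each.key}"
  namespace           = "AWS/DDoSProtection"
  metric_name         = "DDoSDetected"
  dimensions          = { ResourceArn = each.value.resource_arn }
  statistic           = "Sum"
  period              = 60
  evaluation_periods  = 1
  threshold           = 1
  comparison_operator = "GreaterThanOrEqualToThreshold"
  treat_missing_data  = "notBreaching"
  alarm_actions       = [aws_sns_topic.ddos_alerts.arn]
  ok_actions          = [aws_sns_topic.ddos_alerts.arn]
}
```

Two checks worth making before relying on this: the protection resources fail to create if the account has no Shield Advanced subscription, which is a quick way to confirm that manual prerequisite has been done; and the alarm has to live in the region where the metric is published, which for regional resources such as an ALB or EIP is the resource's own region, while CloudFront and Route 53 protections report in us-east-1 and would need a provider alias.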


dms1981 commented Aug 22, 2022

hashicorp/terraform-provider-aws#22869 - discussion on the issues inherent with getting the WAFv2 ACL for auto remediation


dms1981 commented Aug 22, 2022

Having looked at this we can do some things, but not all things:

  • [x] CloudWatch alarm & SNS notification
  • [ ] Enable SRT access
  • [x] Enable AWS Shield for LB / EIP
  • [ ] Associate AWS Shield WAFv2 ACL
  • [ ] Set up rate limiting thresholds and set to count or block

SRT access / associating the DRT role doesn't look to be particularly difficult, but would need to be done through something like a local-exec and that would need considering in the context of github actions.

Associating the relevant WAFv2 ACL looks more challenging, however, as the format for the rule group - ShieldMitigationRuleGroup_account-id_web-acl-id_unique-identifier - does not appear suitable for the available queries I looked at via the AWS CLI tools for wafv2. I expect that even though data calls are available in Terraform they will be subject to the same requirement.

What's also unclear is the ability to add an action - e.g. COUNT - to a managed rule group through terraform.

https://awscli.amazonaws.com/v2/documentation/api/latest/reference/shield/associate-drt-role.html

https://awscli.amazonaws.com/v2/documentation/api/latest/reference/wafv2/list-rule-groups.html
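
The three outstanding items from the list above (SRT access, a WAFv2 web ACL association, and a rate limit that can run in count or block), as an added example and not the Modernisation Platform's own code. It follows the comment's own suggestion for SRT access, calling `aws shield associate-drt-role` from a local-exec provisioner, and shows the `action { count {} }` / `override_action { count {} }` blocks the provider uses for a rate-based rule and for a managed rule group respectively. It does not attempt to look up the Shield-managed ShieldMitigationRuleGroup rule group, which the comment found unqueryable. Assumed: an existing Shield Advanced subscription, an ALB as aws_lb.app, and an AWS CLI with credentials on the machine running terraform apply.

```hcl
# Added example, not the Modernisation Platform's own code. Assumes a Shield
# Advanced subscription already exists, an ALB exists as aws_lb.app, and the
# AWS CLI is on PATH with credentials for the target account.

# 1. SRT access: a role the Shield Response Team can assume, associated with
#    the CLI from local-exec as the comment above suggests.
resource "aws_iam_role" "drt" {
  name = "AWSDRTAccessRole"
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Action    = "sts:AssumeRole"
      Principal = { Service = "drt.shield.amazonaws.com" }
    }]
  })
}

resource "aws_iam_role_policy_attachment" "drt" {
  role       = aws_iam_role.drt.name
  policy_arn = "arn:aws:iam::aws:policy/service-role/AWSShieldDRTAccessPolicy"
}

resource "null_resource" "associate_drt_role" {
  triggers = { role_arn = aws_iam_role.drt.arn } # re-run if the role changes

  provisioner "local-exec" {
    command = "aws shield associate-drt-role --role-arn ${aws_iam_role.drt.arn}"
  }

  depends_on = [aws_iam_role_policy_attachment.drt]
}

# 2. Regional WAFv2 web ACL: a per-IP rate limit in COUNT mode and an AWS
#    managed rule group overridden to COUNT, then associated with the ALB.
resource "aws_wafv2_web_acl" "app" {
  name  = "app-web-acl"
  scope = "REGIONAL"

  default_action {
    allow {}
  }

  rule {
    name     = "rate-limit-per-ip"
    priority = 1

    statement {
      rate_based_statement {
        limit              = 2000 # requests per 5-minute window per source IP
        aggregate_key_type = "IP"
      }
    }

    action {
      count {} # swap for block {} once the COUNT metrics show no false positives
    }

    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "rate-limit-per-ip"
      sampled_requests_enabled   = true
    }
  }

  rule {
    name     = "aws-common-rules"
    priority = 2

    override_action {
      count {} # observe only; none {} lets the group's own actions apply
    }

    statement {
      managed_rule_group_statement {
        name        = "AWSManagedRulesCommonRuleSet"
        vendor_name = "AWS"
      }
    }

    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "aws-common-rules"
      sampled_requests_enabled   = true
    }
  }

  visibility_config {
    cloudwatch_metrics_enabled = true
    metric_name                = "app-web-acl"
    sampled_requests_enabled   = true
  }
}

resource "aws_wafv2_web_acl_association" "app" {
  resource_arn = aws_lb.app.arn
  web_acl_arn  = aws_wafv2_web_acl.app.arn
}
```

Two caveats for the GitHub Actions context the comment raises: the local-exec step needs the AWS CLI and the target account's credentials on the runner, and Terraform only records the trigger, not the association itself, so a role disassociated out of band is not detected by plan. Later provider releases added a native aws_shield_drt_access_role_arn_association resource that removes the local-exec entirely; check the changelog for the provider version in use before adopting it.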

@dms1981 dms1981 closed this as completed Aug 22, 2022
Repository owner moved this from To Do to Done in Modernisation Platform Aug 22, 2022