This collection of Amazon Network Firewall templates demonstrates automated approaches that pair an AWS Network Firewall Rule Group with an AWS Lambda function, which performs steps such as parsing an external source and keeping the Rule Group automatically up to date.
This project consists of CloudFormation Templates and snippets of source code that demonstrate the functional aspects of the approach.
- Examples of using URLs hosting IP addresses, hostnames, or Suricata rules from https://abuse.ch
- Example of automating the creation of an allow-list Suricata stateful rule group for AWS Network Firewall based on HTTP/TLS traffic logs; the same logs also provide deep visibility into HTTP/TLS traffic patterns.
- Examples of blocking using encrypted DNS hosts from https://feeds.alphasoc.net/encrypted_dns.txt
- Example of using URLs hosting IP addresses, hostnames, or Suricata rules from https://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt
- Example of using a published list of Linode addresses to drop or alert on the resulting traffic (https://geoip.linode.com/)
- Example of propagating the alerts generated by the AWS Firewall Manager to a configurable Slack channel
- Example where a Domain List is used to resolve IPs for the domain and block the associated IP addresses as well
- Examples of using URLs hosting IP addresses, hostnames, or Suricata rules from https://www.spamhaus.org
- An example that uses an Amazon Network Firewall Domain List, partnered with a stateful Suricata rule group to fetch and enforce the TLS Fingerprint of the domain
- Examples of using URLs hosting IP addresses, hostnames, or Suricata rules from https://check.torproject.org/exit-addresses
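As an added illustration of the feed-to-rule-group pattern described above (example code, not part of this repository), the following turns a plain-text IP/CIDR feed into the RuleGroup structure accepted by the Network Firewall UpdateRuleGroup API. The feed content, the `BLOCKED_IPS` variable name and the sid base are constructed assumptions.

```python
"""Added example (not this repository's code): rebuild a stateful rule group
from a plain-text IP/CIDR feed, the way the Lambda-based templates do."""
import ipaddress

# Constructed sample feed in the one-entry-per-line, '#'-comment format the
# public block lists use. Addresses are RFC 5737 documentation ranges only.
SAMPLE_FEED = """# constructed sample, not a real feed
192.0.2.10
198.51.100.0/24
203.0.113.5 # trailing comment
not-an-ip
192.0.2.10
"""

def parse_ip_feed(text):
    """Return sorted, de-duplicated CIDR strings from a feed body.
    Comments, blank lines and non-IP junk are skipped so a malformed
    feed degrades to fewer entries instead of a failed rule group update."""
    nets = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            nets.add(ipaddress.ip_network(line, strict=False))
        except ValueError:
            continue  # skip junk rather than abort the whole refresh
    return [str(n) for n in sorted(nets, key=lambda n: (n.version, n))]

def build_rule_group(cidrs, sid_base=1000000):
    """Build the RuleGroup dict for UpdateRuleGroup: two Suricata drop rules
    referencing an IP set variable that carries the feed (variable name and
    sid base are assumptions, not values from the templates)."""
    rules = "\n".join([
        f'drop ip $HOME_NET any -> $BLOCKED_IPS any (msg:"feed block out"; sid:{sid_base}; rev:1;)',
        f'drop ip $BLOCKED_IPS any -> $HOME_NET any (msg:"feed block in"; sid:{sid_base + 1}; rev:1;)',
    ])
    return {
        "RuleVariables": {"IPSets": {"BLOCKED_IPS": {"Definition": cidrs}}},
        "RulesSource": {"RulesString": rules},
    }

def refresh_rule_group(client, rule_group_arn, feed_text):
    """Lambda-style refresh: read the current UpdateToken (required for a
    consistent write), then push the rebuilt rule group.
    `client` is a boto3 'network-firewall' client supplied by the caller."""
    current = client.describe_rule_group(RuleGroupArn=rule_group_arn, Type="STATEFUL")
    return client.update_rule_group(
        UpdateToken=current["UpdateToken"],
        RuleGroupArn=rule_group_arn,
        RuleGroup=build_rule_group(parse_ip_feed(feed_text)),
    )
```

The Lambda in such a deployment would fetch the feed text over HTTPS on a schedule and call `refresh_rule_group`; the parsing and rule-building functions run offline as shown.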
- Clone the repository:
- Using AWS CloudFormation, create a Stack from the templates available in the deployment folders from where you cloned the deployment assets.
This sample code is made available under the MIT-0 license. See the LICENSE file.